On 2 August 2026, the European Union's AI Act gains enforcement powers that reach directly into how the most capable artificial intelligence models are built and deployed. From that date, the European Commission can fine providers of high-risk general-purpose AI up to 3% of global annual turnover - and, in extreme cases, order a model removed from the market. For legal professionals advising AI developers or corporate users, the shift from compliance deadlines to active supervision changes the risk calculus overnight.
What the law actually requires
The Act divides general-purpose AI - the large models behind chatbots and image generators - into two tiers. A lighter tier applies to every provider. Each must publish a training data summary using a mandatory template the AI Office released in July 2025, updated every six months or sooner if something significant changes. The aim is to give the public, and those whose work may have been scraped into training sets, a broad picture of what a model was built on.
The heavier tier targets models carrying "systemic risk." Providers here face additional duties: rigorous testing including adversarial red-teaming, assessment and reduction of risks to public health, safety, security, and fundamental rights, mandatory incident reporting to the AI Office, and cybersecurity obligations. In practice, the largest labs must audit their own most dangerous work and disclose when something goes wrong. For regulatory affairs specialists tracking compliance frameworks across jurisdictions, understanding these obligations has become essential - particularly as enforcement mechanisms now carry financial consequences that rival antitrust penalties. The AI Learning Path for Regulatory Affairs Specialists addresses the monitoring and certification demands this kind of regime creates.
Where the systemic risk line is drawn
The boundary between tiers is a number: 10^25 floating-point operations. A model is presumed to carry systemic risk if training consumed more than that threshold of computing power. It is a blunt proxy for capability, set deliberately high. The Commission estimates systemic-risk models come from a handful of companies - one recent industry compliance guide puts the count at roughly a dozen models globally.
The penalties give the rules weight. For non-compliance, the Commission can fine a provider up to 3% of global annual turnover or 15 million euros, whichever is higher. Writing for Lawfare, Harvard Kennedy School fellow Joel Christoph described the Commission's three authorities - requesting documents, running evaluations with source-code access, and demanding corrective action up to market withdrawal - as "among the most far-reaching regulatory powers any government has claimed over frontier AI."
The gaps that remain
Two unresolved questions sit at the centre of whether enforcement works. The first is definitional. A training summary must be "sufficiently detailed," but the template does not specify how scraped content should be measured - by file size, word count, or another metric. Lawyers at WilmerHale noted the Commission will not audit training data directly but will act on complaints or alerts from its scientific panel. A disclosure regime that depends on external tip-offs is only as strong as the tips it receives.
The second gap is staffing. The European AI Office employs more than 125 people across all functions, only a portion of whom work on general-purpose AI supervision, while the office holds over a hundred distinct responsibilities under the Act. Christoph cited a Pour Demain recommendation to scale supervisory capacity specifically to at least 160 staff by 2030, judging the current level insufficient. For comparison, the UK's AI Safety Institute, which pays above standard civil-service rates, employed around 250 people by August 2025.
Recruitment has been slow. Risto Uuk, head of EU policy and research at the Future of Life Institute, said it was "concerning that hiring is taking so long." He added: "There needs to be more staff to carry out these tasks and meet the deadlines under the law." Rigid EU pay scales and slow bureaucracy have made it difficult to attract scarce frontier-AI talent to the safety unit.
Why this matters for legal professionals
The powers arriving on 2 August 2026 are real and unusually broad in scope. For lawyers advising AI developers, the immediate task is ensuring clients understand that the grace period has ended - and that the Commission can now act on complaints, request source-code access, and impose fines scaled to global turnover. For those working in-house at companies deploying general-purpose AI, the training-data disclosure requirements raise unresolved questions about liability and intellectual property that will likely produce litigation. Christoph put the tension plainly: "The tools are on the table. The question is whether anyone picks them up." For legal teams, the answer determines whether August 2026 becomes a compliance milestone or a liability event. Professionals building expertise in this area can find targeted resources through AI for Legal courses that address the intersection of AI regulation and legal practice.
Your membership also unlocks: