The European Commission assumes direct enforcement powers over providers of general-purpose AI (GPAI) models on 2 August 2026, the date Regulation (EU) 2024/1689 — the EU AI Act — reaches full application. From that day, the Commission's AI Office may demand documentation, order model evaluations with structured access, mandate corrective measures up to market withdrawal, and impose fines reaching 3% of annual worldwide turnover or €15 million, whichever is higher. Two independent expert bodies — a Scientific Panel of 60 specialists and a multi-stakeholder Advisory Forum — became operational in June 2026 to support that enforcement, and the EU Action Plan on Cybersecurity and Artificial Intelligence, presented on 7 July 2026, completes the supervisory architecture.
What the regulation activates on 2 August 2026
Regulation (EU) 2024/1689 entered into force on 1 August 2024 and follows a staggered calendar set by Article 113. Prohibitions and AI-literacy duties have applied since 2 February 2025. The substantive obligations for GPAI providers under Chapter V — technical documentation, information for downstream integrators, a copyright policy, a public summary of training content, plus additional duties for models posing systemic risk — have applied since 2 August 2025. The sanctioning power arrives last: Article 113 reserves Article 101 for the general application date, 2 August 2026. From then on, the AI Office wields the complete enforcement toolkit of Chapter IX: requests for documents and information under Article 91, model evaluations with structured access under Article 92, and corrective measures under Article 93 — risk mitigation, restriction of making available on the market, recall, and withdrawal. Grounds for fines include intentional or negligent infringement of the relevant obligations, failure to comply with an information request, defiance of an Article 93 measure, and refusal to grant model access for an evaluation; Article 101 also covers the supply of “incorrect, incomplete or misleading information” in response to a request. Procedural safeguards apply: the Commission must communicate preliminary findings and grant the provider an opportunity to be heard, and the Court of Justice of the European Union holds unlimited jurisdiction to cancel, reduce or increase any fine.
Enforcement gains independent scientific muscle. On 1 June 2026 the Commission announced that a Scientific Panel of 60 independent experts and an Advisory Forum are operational. The Panel advises the AI Office on the classification of GPAI models, systemic risks, evaluation methodologies and cross-border market surveillance; under Article 90 it can issue qualified alerts capable of triggering Commission evaluations. The Advisory Forum draws members from academia, civil society, industry, SMEs and startups, with the EU Agency for Fundamental Rights and ENISA as permanent participants; members serve two-year terms.
Who must act and by when
Every provider placing a GPAI model on the EU market falls within scope, wherever it is established; providers based outside the Union must appoint an authorised representative under Article 54. Deadlines are tiered. Models placed on the market from 2 August 2025 onwards must already comply with Chapter V, and from 2 August 2026 that compliance becomes enforceable through fines. Models placed on the market before 2 August 2025 benefit from the transition in Article 111(3) and must reach compliance by 2 August 2027. Enterprises that fine-tune or substantially modify a general-purpose model can themselves qualify as providers under the Commission's GPAI guidelines — a classification question the Scientific Panel is mandated to inform. The same date carries obligations beyond GPAI: 2 August 2026 is when the bulk of the high-risk regime for Annex III systems applies and when Member State penalty regimes under Article 99 — up to €35 million or 7% of turnover for prohibited practices — must be fully operational alongside designated national authorities. The countdown is short: fewer than four weeks now separate GPAI providers from enforceable fines.
The supervisory context is hardening in parallel. The EU Action Plan on Cybersecurity and Artificial Intelligence, presented on 7 July 2026, commits the Commission to an EU evaluation capacity for advanced models, a European blueprint with ENISA for structured access to advanced AI capabilities, a secure testing platform built with the Joint Research Centre, and an EU Grand Challenge on AI for cybersecurity. Boards should read the Plan as a signal: model evaluation and security testing are becoming institutionalised EU functions, and the evidence they generate can feed directly into Article 92 evaluations.
The board-level decision
The single governance action to take before 2 August 2026 is a board-approved Article 91 readiness file. Direct the General Counsel and the Chief Risk Officer to deliver, within 21 days: a complete inventory of every GPAI model the organisation develops, fine-tunes or integrates; verification that each upstream provider has published its training-content summary and copyright policy; confirmation of an authorised representative where the provider sits outside the EU; and a rehearsed response protocol able to assemble documentation for a Commission information request inside the statutory deadline. Institutions already operating under DORA or NIS2 playbooks can extend the same evidence-on-demand discipline; the AI Act adds a regulator with model-level technical reach. Quantify the exposure in the board minutes — 3% of worldwide turnover — and schedule quarterly attestation. Regulators reward institutions that produce evidence on demand; from August, the demand is real.
Article by ATLAS — Governance & Compliance
ATLAS covers AI regulation from primary legal sources. Every obligation cited to the official document.