Black Box Notes

On opacity, auditability, and the limits of trust in modern AI systems.

Regulation Watch 2026-05-23 12 min read

EU AI Act — August 2, 2026 Enforcement

On August 2, 2026, the Commission's supervision and enforcement powers against general-purpose AI providers take legal effect. The penalties are sized to matter. The compliance posture of the largest US AI labs, in public, has not been. A working note on the deadline US AI companies have been pretending does not exist, the actual statutory text, and what the Commission has said it will do.

By Black Box Notes Editorial · Regulation Watch

EU AI ActregulationGPAIenforcement
X LinkedIn Mastodon Print

The European Union’s AI Act has been substantively in force for almost two years. The obligations on general-purpose AI providers — the rules in Chapter V of Regulation (EU) 2024/1689 — have been on the books since August 2, 2025. The penalty ceilings are written into the statute. The Commission’s AI Office has been publishing guidance, code-of-practice work, and standardisation activity. The labs covered by Chapter V are the largest US-headquartered AI labs, and a small number of others.

What changes on August 2, 2026, is the Commission’s actual enforcement power. The supervision and enforcement provisions in Chapter V come into legal effect on that date. From that date the Commission can — formally, with binding statutory authority — open proceedings, demand information, issue findings, and impose penalties. The penalty ceiling is, in the highest-tier case, the larger of €35 million or 7% of global annual turnover.

This is the regulatory deadline that, in our reading of the corporate communications coming from the largest US AI labs in 2026, the largest US AI labs have been pretending does not exist. The reading is not flattering and we want to be precise about what we mean by it. Some labs have been candid. Some have been engaged. Some have been publishing serious technical documentation against the published code-of-practice. Some have hired competent EU regulatory counsel. The “pretending” we mean is the part of the corporate posture that, in public, treats the deadline as a deadline the US system will inoculate the company against, or as a deadline the Commission will not in fact enforce. Both of those readings of the situation are, on the published material we have read, wrong.

This piece sets out what the deadline actually is, what the statute actually says, what the Commission has actually committed to, and what the operational position of a covered lab is on the day enforcement begins.

What August 2, 2026 actually triggers

The phasing of the AI Act has been one of the more carefully designed parts of the regulation. The Commission’s intent, on the published record, has been to bring the regulation into force in steps that allow the regulated entities time to comply. The phasing is laid out plainly on the Chapter V enforcement page and tracked across jurisdictions on the DLA Piper AI Laws of the World — EU page.

The relevant dates for Chapter V are these:

  • August 2, 2024 — the Act enters into force.
  • February 2, 2025 — prohibitions on prohibited AI practices apply.
  • August 2, 2025 — obligations on general-purpose AI model providers apply. From this date, GPAI providers — that is, the providers of frontier-scale models that can perform a wide range of distinct tasks — are required to comply with Chapter V’s substantive provisions, including the technical documentation obligations, the policy on copyright and training data, and the published summary of training content.
  • August 2, 2026 — the Commission’s supervision and enforcement powers against GPAI providers take effect. From this date, the Commission has the formal authority to enforce the Chapter V obligations against the providers.

The enforcement-powers date is the one that has been least discussed in the US trade press. Its operational significance is that the obligations have been substantive since 2025, and the obligations remain unchanged, but the Commission could not — strictly speaking, under the statute — open formal proceedings under its enforcement authority before August 2, 2026. From that date it can. The interim period was, in effect, a year for the providers to come into compliance before the supervisory machinery turned on.

The EU has, in the months since, considered changes to the Act and to the phasing. Latham & Watkins has tracked the proposed rule and deadline changes. The publication’s reading, at the time of writing, is that some deadlines for high-risk system obligations may be extended; the August 2, 2026 GPAI enforcement date has not, on the public record, been moved. The published material from the Commission has been consistent: the enforcement date for GPAI providers is the date in the statute.

The penalty structure

The penalties in the AI Act are written in the standard EU regulatory form — a percentage of global turnover or a fixed cap, whichever is higher — calibrated to a tiered system of severity. The decodethefuture explainer is the cleanest summary we have read of the tier structure.

The three tiers are:

  • Prohibited AI practices (Article 5). The most severe tier. Up to €35 million or 7% of global annual turnover, whichever is higher.
  • High-risk AI systems and most other obligations. Up to €15 million or 3% of global annual turnover.
  • General-purpose AI model providers (Chapter V). Up to €15 million or 3% of global annual turnover, per the Chapter V enforcement page.

Two things are worth being precise about. The first is that the GPAI penalty ceiling is 3% of global turnover, not 7%. The 7% figure that has circulated widely in the trade press applies to the prohibited-practices tier, not to the GPAI tier. The 7% number is real and the tier it applies to is real; it is not the tier the GPAI providers are most exposed to. The publication takes care to keep the distinction clear because the labs themselves, in their internal disclosure, are doing the same.

The second is that the 3% figure, applied to the global annual turnover of a major US AI lab in 2026, produces a maximum-penalty exposure that is, in absolute terms, in the hundreds of millions to low billions of dollars. The exposure is not theoretical. It is calibrated to be material to the regulated entity. The drafters of the AI Act, on the published record, intended the penalty ceiling to be a number that the most-exposed entities could not afford to ignore. The figure is sized to that intent.

The procedural posture of penalty imposition is, on the published material we have read, more measured than the headline figures suggest. The Commission has indicated that its enforcement approach will, at least initially, prioritise engagement over penalty — a pattern consistent with the early enforcement of the GDPR. The early DPDPA-style cases — the cases that establish precedent rather than punish — are unlikely to be the maximum-penalty cases. The maximum-penalty cases will arrive when the precedent is set and the engagement approach has been exhausted. The publication’s reading of the GDPR enforcement history is that this is the pattern to expect over a five-to-eight-year window.

What the largest US labs are actually doing

The publication’s view is that the most informative material on the actual compliance posture of the largest US AI labs is the published material they themselves have placed on the record. We are not in a position to make claims about internal positions we have not seen. We are in a position to characterise the public posture, which is the posture the Commission will, in the first instance, evaluate against the statute.

The pattern we see, on the published material we have read across the major US labs, is uneven.

Some labs have published substantive technical documentation against the Chapter V obligations. The documentation includes — in some cases — material on the training-data policy, on the published summary of training content, on the model evaluation methodology, on the testing for systemic risk in the largest models, and on the post-market monitoring posture. The substantive documentation has, in the labs that have produced it, been incrementally more detailed across the 2025–2026 publishing window. This is the cohort the Commission is most likely to engage productively with after August 2.

Some labs have published policy statements that gesture at Chapter V compliance without producing the substantive documentation Chapter V actually requires. The pattern in these statements is a high-level commitment to the values the AI Act embodies, paired with a procedural assertion that the lab’s existing internal practices satisfy the obligations. This posture is, in the publication’s reading, the one most exposed when the Commission’s supervision powers turn on. The procedural assertion is not a substitute for the documentation, and the Commission’s formal supervision procedure is the venue in which the gap becomes visible.

Some labs have, in their public statements, taken a posture that is closer to challenge than to compliance. The language has been some variant of the proposition that the Act is unworkable as written, that EU regulation cannot be applied extraterritorially to a US-headquartered firm, or that the firm’s commercial position justifies a non-compliance posture pending some unspecified future engagement. The publication’s reading of this posture is that it is high-risk. The AI Act is in force, the Commission’s enforcement powers are scheduled, and the question of extraterritorial application has, in the published material from the Commission, been answered in the affirmative for any GPAI provider whose models are placed on the EU market. The lab does not need to be EU-headquartered to be subject to the Act. It needs to be placing its models on the EU market, which the largest US labs all are.

The Tredence compliance guide for US companies and the Legal Nodes 2026 compliance update are the cleanest public-facing summaries we have read of the compliance position for US firms. Both treat the August 2, 2026 enforcement date as the operative deadline. Both note that the compliance posture of the largest US labs is the question their downstream customers are now asking.

The Commission’s posture, on the record

The Commission’s public posture on enforcement has been, on the published material we have read, careful. The published Commission statements — in the EU AI Act Chapter V enforcement materials, in the Commission’s working notes on the General-Purpose AI Code of Practice, and in the procedural communications from the AI Office — have not been triumphalist. They have not threatened immediate enforcement. They have not named specific firms.

The pattern of the Commission’s communications has been, in our reading, the pattern of a regulator with a long enforcement horizon. The Commission has signalled that it will, in the first instance, work with providers to bring them into compliance. The Commission has signalled that the documentation obligations are real and that providers should be producing the documentation now rather than waiting for the enforcement window. The Commission has signalled that the Code of Practice is the route most likely to produce a stable working relationship between the Commission and the regulated entities.

What the Commission has not, on the published material we have read, signalled is a willingness to defer the enforcement date or to apply the obligations leniently to large US firms whose corporate posture treats the obligations as optional. The Commission’s communications are consistent with a regulator that has the authority, the staffing, and the procedural runway to enforce when it wishes to.

The publication’s reading is that the Commission’s posture is the posture of a regulator preparing to be patient about the form of the engagement and not patient about the fact of it. A lab that engages substantively with the Code of Practice and the documentation requirements is unlikely to find itself in formal enforcement in the first eighteen months. A lab that does not engage is likely to be one of the first formal cases.

What this means operationally

For a covered lab in mid-2026, the operational position the publication reads as defensible is this. The Chapter V obligations are in force. The penalty exposure on the documentation and disclosure provisions is material. The Commission’s enforcement powers are scheduled to take effect on August 2, 2026, and have not, on the published record, been deferred. The Commission’s posture suggests early engagement over early penalty.

The defensible posture for a lab that has not yet produced substantive Chapter V documentation is to produce it. Produce the technical documentation. Produce the policy on training-data acquisition. Produce the summary of training content. Produce the testing-and-evaluation methodology for systemic-risk models. Engage with the Code of Practice. Place a senior compliance officer in front of the AI Office’s procedural staff. Be candid about the gaps in the lab’s posture and produce a credible plan to close them.

The undefensible posture is the one we read most often in the US trade press in mid-2026: the assertion that the regulation will not be enforced, that the lab will be exempted on grounds of US-headquartering, that the documentation obligations are unworkable, or that the political environment in either Brussels or Washington will dissolve the regulation before it is enforced. The first three positions are not supported by the published statutory text. The fourth is speculative, and even if it were correct it does not relieve the lab’s exposure between now and the dissolution that would not, in any case, be retrospective.

The downstream effect on procurement

A separate effect, worth recording briefly, is the procurement effect inside the EU. The deployer obligations under the AI Act — the obligations on the customers of the GPAI providers, when they deploy AI systems classified as high-risk — are also in implementation. An EU-based deployer of a US-built model has to satisfy itself that the model provider is compliant with Chapter V. That obligation is a contractual obligation the deployer will impose on the model provider, in writing, in the procurement contract. The publication has seen the early drafts of those contracts on the EU buyer side. They are detailed. They require representations and warranties from the provider that, on the published material from many of the largest US providers, are not currently supported.

This is the mechanism by which the August 2, 2026 deadline becomes operationally binding for the providers regardless of whether the Commission opens a formal proceeding. The deployer’s procurement team will, before that date and after, be asking for Chapter V compliance documentation in writing. A provider that does not produce it loses the deal. The deals on the line are large.

The publication’s view is that the procurement effect, more than the formal Commission enforcement, is the channel through which the AI Act will, in 2026 and 2027, actually shape provider behaviour. The Commission’s formal enforcement is the backstop. The procurement contracts are the engine. They are running in parallel and they are running now.

A note on candour

We have called the corporate posture of some US labs a posture of pretending. We want to be clear that the publication is not accusing those firms of bad faith. We are characterising what is published. A firm whose published statements treat the August 2, 2026 deadline as inapplicable is, on the record, taking that position. We are reporting that they have taken it and noting our skepticism of the position.

A firm that prefers to engage with us privately — with substantive documentation, with the EU regulatory team’s working position, with the procedural plan for the Code of Practice — is welcome to do so. The publication does not run leaked material; we will read whatever is shared on the record and we will, where the shared material is substantive, revise our published characterisation accordingly. We have read every public statement we have been able to find from the major US labs on the Chapter V posture. The reading is the one above.

The deadline is the deadline. The penalty ceiling is the penalty ceiling. The Commission has the authority and is on schedule to use it. The corporate posture of the largest US AI labs, on the published material, is not yet uniformly the posture of regulated entities preparing for the enforcement window. That is the situation as of late spring 2026. We will track it through August.

Editorial note. This piece is written from the published statutory text, the Commission’s published guidance and tracking material, and the third-party analyses linked above. We have not cited or characterised positions any lab has not put on the record. Where we have inferred a posture from the absence of public statements, we have said so. The publication will revise this piece as the August 2, 2026 enforcement window opens and as the Commission’s first procedural communications under its supervisory authority are placed on the record.

Black Box Notes Editorial · Regulation Watch

Departments

Filed in Regulation Watch. See the full archive index for every department and a dated list of every piece the publication has run.

More from Regulation Watch

Black Box Notes publishes critical-analytical writing on AI opacity, auditability, and the limits of trust in modern AI systems. See our operating disclosure for the publication's editorial framework.

EU AI Act — August 2, 2026 Enforcement — by Black Box Notes Editorial. Black Box Notes.

Permalink: https://blackboxnotes.com/articles/15-eu-ai-act-august-2-2026-enforcement/

Retrieved .

Copied