AI Act: What changes on 2 August 2026 for GPAI models
The obligations for general-purpose AI model providers have applied since 2025. On 2 August 2026 the Commission's fine provision takes effect. Here is the distinction and a practical timeline.
2 August 2026 is an important date for general-purpose AI models, or GPAI models. It is worth being precise about what happens that day, however: it does not create a new set of duties for their providers. The substantive duties in the AI Act's GPAI chapter have applied since 2 August 2025. What ceases to be an exception on 2 August 2026 is Article 101, which allows the Commission to fine providers of those models.
That distinction matters for a Spanish company that develops models, places them on the EU market, or integrates them into products. It prevents a change in sanctioning capacity from being mistaken for a new duty, and it focuses compliance work on the company's actual position in the value chain.
The timetable: 2025, 2026 and 2027
Regulation (EU) 2024/1689, the AI Act, sets 2 August 2026 as its general application date. Article 113 nevertheless brought forward Chapter V, which covers GPAI models, to 2 August 2025, expressly excepting Article 101. The provider duties for GPAI models placed on the Union market therefore already apply to models placed there from that earlier date.
Article 101 applies on 2 August 2026. It allows the Commission to fine providers for infringing relevant provisions, failing to comply with certain requests for information or documents, failing to comply with requested measures, or failing to provide access for an evaluation. The ceiling is 3% of total worldwide annual turnover in the preceding financial year or EUR15 million, whichever is higher. The Commission describes this stage as full enforcement of compliance, including fines.
There is a third milestone. Providers of GPAI models placed on the market before 2 August 2025 must take the necessary steps to comply by 2 August 2027. That is not an open-ended exemption; it is a transitional deadline for models that were already available.
What a GPAI model provider must do
Article 53 sets out four core duties. A provider must draw up and keep technical documentation for the model up to date, including training, testing and evaluation information, and supply it to the AI Office or national authorities when requested. It must also give documentation and information to companies integrating the model into AI systems, so they can understand the model's capabilities and limits and meet their own duties.
It must also have a policy to comply with EU copyright and related-rights law, including identifying and respecting rights reservations. Finally, it must publish a sufficiently detailed summary of the content used to train the model, following the AI Office template. This does not mean unlimited disclosure of trade secrets: the Regulation combines those requirements with protection for intellectual property and confidential business information.
Free and open-source licences do not automatically remove every duty. Where the statutory conditions are met, a provider may be exempt from part of the documentation directed to authorities and downstream providers. The copyright policy and public training summary still apply, and the exception does not extend to models with systemic risk.
When enhanced duties apply
GPAI models with systemic risk have the additional duties in Article 55. They must be evaluated using state-of-the-art protocols and tools, including documented adversarial testing; their providers must assess and mitigate possible Union-level systemic risks, track and report serious incidents and corrective measures without undue delay, and ensure adequate cybersecurity for the model and its physical infrastructure.
The Regulation creates a presumption of high-impact capabilities where cumulative training compute exceeds 10^25 floating-point operations. That is not the only route to classification: the Commission may also designate a model based on its capabilities or impact. Where the presumption condition is met, the provider must notify the Commission without delay and no later than two weeks after it is met or becomes known that it will be met.
The Code of Practice helps, but does not replace the law
The General-Purpose AI Code of Practice, received by the Commission on 10 July 2025, is a voluntary tool. Its Transparency and Copyright chapters offer measures to demonstrate compliance with Article 53; its Safety and Security chapter is for providers subject to Article 55. Signing up can offer a practical route and greater certainty, but it does not make the legal duties optional. A provider that does not adhere must be able to show adequate alternative means where required.
A checklist for Spanish companies
First, identify the organisation's role: integrating a third-party model does not by itself make a company the provider of a GPAI model. Second, obtain and retain the supplier documentation needed to understand limits, integration conditions and the allocation of duties. Third, if the company places a GPAI model on the EU market, review its technical documentation, copyright policy and training summary now. Fourth, consider whether the model may fall into the systemic-risk category and prepare the AI Office notification and incident-reporting channels.
The August 2026 date calls neither for alarm nor a scramble to meet newly invented rules. It does mark the point at which an existing GPAI duty moves into a clearer sanctioning phase. The sound preparation is an honest classification of each company's role and compliance evidence that can be explained and kept current.