What the EU AI Act GPAI Provisions Actually Say
The EU AI Act was adopted in March 2024 and has been rolling out in phases ever since. Today's enforcement date covers Title III — General-Purpose AI Models, the section that applies to foundation models like LLMs, image generators, and multimodal systems. The rules apply to any GPAI model trained with more than 10²⁵ floating-point operations — a threshold that captures every major commercial AI model currently available.
The core obligations fall into three categories: transparency (what the model is, how it was trained, what data it used), copyright compliance (a summary of training data sources that allows rights holders to assess potential infringement), and safety testing (for models deemed to pose "systemic risk" — generally the most powerful models in each generation).
Who Is Actually Affected
API Providers (OpenAI, Anthropic, Google)
They carry full GPAI obligations. Their EU-region endpoints are presumed compliant. If you use their APIs, you inherit their compliance — you do not need to separately register as a GPAI provider.
Open-Weight Self-Hosters
If you self-host Llama 4.2 Ultra, Mistral, or any other open-weight model above the compute threshold and serve EU users, you are the GPAI provider. Documentation obligations fall entirely on you.
Application Builders (SaaS on top of APIs)
You are a "downstream deployer," not a GPAI provider. Your obligation is accurate risk classification of your system — not documentation of the underlying model. Most SaaS companies are in this bucket.
Research & Non-Commercial Use
Academic research, open-source development without commercial deployment, and scientific publication are explicitly exempt from GPAI provider obligations under Article 2(6).
The Systemic Risk Tier — Extra Obligations for Frontier Models
Models trained above 10²⁵ FLOPs are presumed to present "systemic risk" under Article 51 and face an additional layer of obligations. This tier currently captures GPT-5.5, Claude Opus 4.7 and Sonnet 4.8, Gemini 3.2 Ultra, and Llama 4.2 Ultra (405B). Additional requirements for systemic-risk models include:
- Mandatory adversarial testing (red-teaming) conducted before deployment and after significant updates
- Incident reporting to the EU AI Office within 72 hours of detecting a serious incident
- Cybersecurity measures proportionate to the model's risk level
- Energy efficiency reporting — the model's estimated training and inference energy consumption
Open-weight model releases below the systemic risk compute threshold (e.g., smaller Llama or Mistral variants) carry reduced GPAI obligations. But the 405B tier of Llama 4.2 Ultra crosses the systemic risk threshold. If you are self-hosting and serving this model to EU users commercially, you must comply with the full systemic risk tier — including adversarial testing and incident reporting — from today.
What You Need to Do Right Now
Penalties — and Why They Are Not Theoretical
Fines under the EU AI Act are up to €35 million or 7% of global annual turnover, whichever is higher, for the most serious violations. For GPAI-specific violations, the ceiling is €15 million or 3% of global turnover. The EU AI Office has already opened investigations into three foundation model providers in Q1 2026 for non-compliance with transitional transparency requirements — a signal that enforcement is not waiting for guidance documents to accumulate.
The more immediate practical risk for most companies is not a large fine — it is the requirement to stop serving EU users until compliance is established. For startups that have grown quickly on EU revenue, this operational risk is arguably more serious than the financial penalty.
The EU AI Office published a 47-page GPAI compliance guide today, available at artificialintelligenceact.eu/gpai-guidance. It covers provider vs. deployer distinctions, the model registry submission process, and the systemic risk self-assessment framework in plain language. If you have EU revenue from AI products, read it today — not next week.
The Bigger Picture — What This Signals for Global AI Regulation
The EU AI Act is the first comprehensive AI regulation to reach enforcement anywhere in the world. The UK has chosen a sector-by-sector approach rather than a horizontal law. The US has executive orders but no federal AI statute. China has specific regulations for generative AI and recommendation systems but nothing as broad as the EU Act. By being first, the EU is establishing the de facto global standard — the same dynamic that played out with GDPR for data privacy, where companies worldwide built GDPR-compliant systems and applied them globally because the cost of maintaining separate compliance stacks was too high.
Expect US and UK AI companies to move toward GPAI-aligned documentation and testing practices over the next 12–18 months — not because their home regulators require it, but because their European revenue does.
The most underappreciated aspect of today's enforcement is the self-hosting clause. The open-source AI community has treated "open weights" as equivalent to "outside regulation" — and that assumption is now wrong in Europe. If you downloaded Llama 4.2 Ultra, pointed it at EU users, and have not read Article 53, you are potentially non-compliant from today. The practical advice for most startups: if you are serving fewer than 10,000 EU users, use the APIs and let the big providers carry the compliance obligations. Self-hosting for EU production workloads requires legal review that most early-stage teams cannot afford to skip.