EU AI Act Triggers Global Compliance Overhaul for General‐Purpose AI

What happened

As of 2 August 2025, the EU’s obligations under the AI Act for providers of General‐Purpose AI (GPAI) models have entered into application. New guidance, a public training‐data summary template (published July 2025), and a voluntary Code of Practice (finalized 10 July 2025) accompany rules on transparency, copyright, and safety/security; models already on the market must comply by 2 August 2027. Higher systemic‐risk models (linked to compute/capability thresholds such as >10^23 FLOPs and multimodal ability) face extra notifications and controls. Enforcement powers — including fines up to 7% of global turnover — come into force for GPAI obligations on 2 August 2026.

Why this matters

Policy shift — binding, operational rules for foundation models.

• Market and compliance: companies releasing or modifying GPAI models now face immediate legal obligations on documentation, transparency, copyright clearance, and safety measures; legacy models have a two‐year compliance window.
• Technical gating: compute/capability thresholds turn engineering metrics (training FLOPs, multimodality) into regulatory triggers, affecting how organisations design, train, release, or classify models.
• Financial and market risk: non‐compliance can bring delistings or fines up to 7% of global turnover, incentivising audits, documentation (the public summary template), and possible adoption of the voluntary Code of Practice to reduce regulatory exposure.
• Global ripple effects: EU enforcement will push multinational providers to build cross‐border compliance into contracts, data pipelines and product strategies; other jurisdictions may move to harmonise rules.

Open questions flagged in the guidance and commentary include the precise meaning of terms like “placing on the market,” “significant modifications,” and the scope of exemptions for open‐source or smaller providers — areas the sources note remain subject to interpretation and debate.

Sources

• EU Commission news: EU rules for general‐purpose AI models start to apply (2 Aug 2025): https://digital-strategy.ec.europa.eu/en/news/eu-rules-general-purpose-ai-models-start-apply-bringing-more-transparency-safety-and-accountability
• EU Guidelines on GPAI providers (scope and obligations): https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers
• Skadden insight on the GPAI obligations and training‐data summary template (Aug 2025): https://www.skadden.com/insights/publications/2025/08/eus-general-purpose-ai-obligations
• Latham & Watkins note on the GPAI Code of Practice (Jul 2025): https://www.lw.com/en/insights/eu-ai-act-gpai-model-obligations-in-force-and-final-gpai-code-of-practice-in-place
• Analysis on provider qualification and remaining ambiguities: https://artificialintelligenceact.eu/providers-of-general-purpose-ai-models-what-we-know-about-who-will-qualify/

• GPAI obligations application date — 2 Aug 2025 date (EU AI Act; new GPAI models placed on the EU market)
• Compliance deadline for GPAI models already on the market — 2 Aug 2027 date (legacy models placed before 2 Aug 2025; EU AI Act)
• Maximum penalty for GPAI non-compliance — 7% of global annual turnover (from 2 Aug 2026; EU AI Act GPAI obligations)
• GPAI model compute threshold (definition) — >10^23 FLOPs (effective 2 Aug 2025; per EU AI Act guidelines)

• Bold High-penalty compliance exposure from GPAI obligations: Obligations applied on 2 Aug 2025, with enforcement powers (including fines up to 7% of global turnover) starting 2 Aug 2026; noncompliant post‐2025 models risk penalties or delisting, and systemic-risk models crossing compute thresholds face extra safety/security and notification duties. Opportunity: classify models early (incl. compute/capability), join the voluntary Code of Practice for legal certainty, and stand up audits/documentation—benefiting EU‐market and global model providers.

• Bold Mandatory training‐data transparency and copyright risk: The July 2025 public‐summary template requires disclosure of dataset sources, data‐type proportions, license/copyright status, and illegal‐content removal, increasing operational/legal workload; (est.) it can surface IP/licensing gaps in current pipelines, prompting remediation and contract rework (rationale: public disclosures reveal provenance and licensing inconsistencies). Opportunity: strengthen data governance and licensing clauses aligned to EU standards, improving trust and reducing future liability—benefiting providers, legal/licensing teams, and compliant open‐source projects.

• Bold Known unknown: scope, thresholds, and uneven enforcement: Ambiguity remains around “placing on the market,” “significant modifications,” and “systemic risk” (incl. compute/capability criteria such as >10^23 FLOPs), while enforcement readiness may vary until 2 Aug 2026; legacy models must choose retrofit paths by 2 Aug 2027 and open‐source exemptions are still being clarified. Mitigation: adopt conservative interpretations, document changes, engage early with national authorities, and align to the CoP to de‐risk interpretations—benefiting providers and regulators seeking harmonization.

Supporters hail the EU’s GPAI obligations as the long-awaited turning point: binding rules on transparency, copyright, and safety now apply to models placed on the market after 2 August 2025, with real teeth arriving via penalties up to 7% of global turnover starting 2 August 2026. Skeptics counter that the guidance still leaves interpretive gaps—what counts as “placing on the market,” “significant modifications,” or “systemic risk”—and that enforcement capacity may lag across national authorities. Compute thresholds are now compliance drivers, but providers already disagree on where lines are drawn; open-source carve-outs exist, yet their contours remain nascent; legacy models face a 2027 reckoning. If transparency is mandatory but comprehension remains optional, have we regulated disclosure or merely paperwork? The article’s own uncertainties—ambiguous definitions, uneven enforcement readiness, and resource burdens for smaller players—are credible reasons to resist triumphalism.

Here’s the twist: the soft lever may steer the hardest outcomes. The voluntary Code of Practice, finalized 10 July 2025, offers “legal certainty” and reduced burden—so even before enforcement begins in 2026, market pressure and procurement norms can make the CoP the de facto rulebook. Pair that with the July 2025 template forcing granular training-data summaries, and the near-term competitive edge shifts from bigger models to better documentation—contracts, licenses, and safety protocols that travel across borders. Expect fine-tuners to rethink whether they’ve become “providers,” open-source projects to recalibrate licenses, and global vendors to rebuild pipelines around compute and capability thresholds well ahead of the 2027 legacy deadline. Watch for who adopts the CoP first, how systemic-risk notifications are operationalized, and whether other jurisdictions harmonize to avoid fragmentation. In an industry obsessed with scale, the next advantage is credibility you can show.