EU AI Office enforcement stops being mostly theoretical on August 2, 2026, when the European Commission’s formal powers under the EU AI Act switch on. Roughly 10 weeks from now, providers of general-purpose AI models move from informal engagement to a regime that can demand information, order independent evaluations, and impose corrective measures backed by fines of 3% of global turnover or €15 million, whichever is higher.
August 2 is the real start date
Aug. 2, 2026
formal powers activate
Section 5 of Chapter IX
3% or €15M
primary violation fine
Whichever is higher
€9B+
Alphabet example
3% would exceed 9 billion euros
160 staff
recommended scale by 2030
Per Pour Demain report cited by Lawfare
The immediate news is simple: August 2, 2026 is the activation date for the European Commission’s formal enforcement powers under Section 5 of Chapter IX of the EU AI Act. Until then, the AI Office can engage informally with providers, but it cannot yet use the full enforcement toolkit described in Articles 91 through 93. That makes the next stretch unusually important for model providers that have treated the Act as a slow-moving compliance project rather than an operational deadline.
For companies building or distributing general-purpose AI models, EU AI Office enforcement now has a fixed cliff edge. The legal text is already in force, but the practical question for providers is what changes when the clock hits August 2. The answer is not a vague increase in scrutiny. It is a shift from dialogue to powers that can compel documentation, open the door to outside technical review, and ultimately force mitigation steps or market restrictions.
That timing matters because there have been zero formal enforcement actions as of May 2026. The absence of cases does not mean the regime is dormant. It means the formal powers have not yet activated. Once they do, providers will not be dealing with a regulator that needs to invent a process from scratch; they will be dealing with powers already written into the regulation.
Formal enforcement powers activate on August 2, 2026. Until then, the AI Office can only engage informally with providers.
What Articles 91 to 93 actually let the Commission do
The most useful way to read the coming regime is as a three-step ladder. Article 91 covers information requests. Article 92 covers independent evaluations. Article 93 covers corrective measures. In plain terms, the Commission can first ask for records, then bring in outside experts to test or assess a model, and then order changes if it finds noncompliance or unacceptable risk.
Article 91 is the first pressure point. It allows the Commission to demand documentation, training data summaries, and model reports. For providers that have relied on broad public statements instead of regulator-ready records, this is where EU AI Office enforcement becomes concrete. The issue is not only whether a company has done the work; it is whether it can produce the work in a form the Commission can review.
Article 92 goes further. It allows independent evaluations by experts commissioned by the regulator, including access to source code. That is a striking power in the frontier-model context because it moves beyond policy commitments and into technical inspection. Providers should read this as a signal that the Commission is not limited to paper compliance if it believes a model warrants deeper scrutiny.
Article 93 is where the legal risk becomes business risk. The Commission can require compliance actions, mitigation measures, or market restrictions. That means the end state is not just a warning letter. It can be an order to change practices, reduce risk, or alter how a model is made available in the market.
Article 91: information requests. Article 92: independent evaluations, including source code access. Article 93: corrective measures, mitigation, or market restrictions.
“The AI Office has among the most far-reaching regulatory powers any government has claimed over frontier AI.”
Joel Christoph, Lawfare
| Article | Power | What providers should expect |
|---|---|---|
| 91 | Information requests | Documentation, training data summaries, and model reports can be demanded |
| 92 | Independent evaluations | Commissioned experts can assess models, including source code access |
| 93 | Corrective measures | Compliance actions, mitigation measures, or market restrictions |
The fine structure is lower than GDPR, but still enormous
The headline penalty for a primary violation is exact in the Act and worth quoting precisely: 3% of the provider’s total worldwide annual turnover in the preceding financial year, or 15 million euros, whichever is higher. Separate penalties apply if a provider denies information or access. In that case, the ceiling is 1% of turnover or 7.5 million euros.
Those percentages are lower than the best-known EU digital penalties. GDPR can reach 4% of global annual turnover. The Digital Services Act can reach 6%. That lower ceiling may tempt some executives to treat EU AI Office enforcement as less threatening than older Brussels regimes. That would be a mistake. A lower percentage applied to trillion-dollar-class or near-trillion-dollar companies is still a very large number, and the AI Act’s process is built for direct Commission action.
Lawfare’s worked example makes the scale clear: for Alphabet, 3% would exceed 9 billion euros. Even if the largest providers never approach the maximum, the existence of that ceiling changes the bargaining position. It gives the Commission leverage before any final sanction is imposed, because providers know the downside is not symbolic.
The smaller but still meaningful second tier matters too. A company that stonewalls an information request or limits access during an evaluation is not merely being uncooperative. It is stepping into a separate fining track. That design gives the regulator a way to punish obstruction even before it proves the underlying substantive violation.
| Violation type | Maximum fine | Notes |
|---|---|---|
| Primary violation | 3% of worldwide annual turnover or €15 million | Whichever is higher |
| Information or access denial | 1% of turnover or €7.5 million | Whichever is higher |
| GDPR comparison | 4% | Higher ceiling than AI Act |
| DSA comparison | 6% | Higher ceiling than AI Act |
Why this is not GDPR all over again
The architectural difference from GDPR is the point many providers still underappreciate. Under the AI Act, fines are imposed centrally by the European Commission rather than fragmented across 27 national regulators. Lawfare argues that this avoids “the fragmentation that has slowed GDPR enforcement,” and that line gets to the heart of why the coming regime may move faster than some companies expect.
For providers, centralization cuts both ways. The AI Act’s maximum fines are lower than GDPR’s, but the enforcement path is cleaner. A single Commission-led process can be more coherent than a cross-border maze of national authorities, lead regulators, and procedural disputes. In practice, that means EU AI Office enforcement may prove more predictable and more operationally demanding even if the top-line percentage looks smaller on paper.
This is also why August 2 matters more than a routine compliance milestone. Once the Commission can use Articles 91 to 93 directly, the question is not which national authority will move first or whether a one-stop-shop mechanism will bog down the case. The institutional design is meant to reduce that delay.
The AI Act’s fine ceiling is lower than GDPR’s, but enforcement is centralized at the Commission level rather than split across national regulators.
“The AI Act avoids the fragmentation that has slowed GDPR enforcement.”
Lawfare, quoting the enforcement design
The Code of Practice creates a visible split, and Meta is the outlier
The soft-law layer sits on top of the hard-law powers. The General-Purpose AI Code of Practice is not the same thing as the Act’s formal enforcement machinery, but it shapes how the Commission is likely to interact with providers. According to the Commission’s GPAI materials, signatories get “increased trust from the commission,” while nonsignatories should expect “a larger number of information requests.”
That turns the sign-or-don’t-sign choice into a practical decision tree ahead of August. Amazon, Anthropic, Google, Mistral AI, and OpenAI have signed. Meta has not. In the context of EU AI Office enforcement, that makes Meta the most consequential outlier because it is choosing to face the regime without the trust signal the Commission has explicitly attached to the code.
There are reasons a company might resist a voluntary code. It may object to the drafting, worry about precedent, or prefer to litigate the boundaries of the Act rather than normalize them. Still, the cost of staying outside is not abstract. The Commission has already said nonsignatories face a larger number of information requests. Once formal powers activate, more requests can mean more opportunities for friction, escalation, and eventually formal measures.
That does not mean signatories are safe from scrutiny. It means they begin from a different posture. The code is best understood as a channel for reducing suspicion, not a shield against enforcement.
| Provider posture | Commission signal | Likely practical effect |
|---|---|---|
| Code signatory | “Increased trust from the commission” | Potentially smoother engagement |
| Nonsignatory | “A larger number of information requests” | More frequent scrutiny and more chances for escalation |
The real bottleneck is staffing, not legal authority
The strongest argument against overreading the August deadline is not that the powers are weak. It is that the institution using them is still small relative to the task. Lawfare describes the AI Office as significantly underresourced relative to enforcement demands, and cites a Pour Demain recommendation that it scale to at least 160 staff by 2030.
That number is revealing. Even 160 staff is not a large enforcement body for oversight of a market led by some of the world’s biggest technology companies and a technically complex model ecosystem. The gap between legal ambition and administrative capacity is likely to define the first phase of EU AI Office enforcement more than any single headline fine.
This resource constraint cuts in two directions. It may slow the number of formal cases the Commission can pursue at once. It also increases the value of triage tools such as the Code of Practice, targeted information requests, and selective use of independent evaluations. A regulator with limited staff tends to look for leverage, and the AI Act gives it several forms of leverage even before it reaches the maximum penalty stage.
The AI Office’s powers are broad, but staffing remains the likely bottleneck. Lawfare cites a recommendation to reach at least 160 staff by 2030.
What providers should do before August 2
Bottom line: August 2 changes the risk calculus
The practical checklist is narrower than many legal alerts make it sound. First, providers should determine whether they are inside the general-purpose AI regime and whether they are signatories to the Code of Practice. Second, they should assume that regulator-ready documentation will matter immediately once EU AI Office enforcement begins in full. That includes the ability to produce training data summaries, model reports, and internal records that match what Article 91 allows the Commission to request.
Third, providers should prepare for the possibility of technical inspection rather than only policy review. Article 92’s reference to independent evaluations, including source code access, means engineering, security, and legal teams need a common response plan. A company that has never rehearsed how it would handle a regulator-backed technical evaluation is already behind.
Fourth, companies should think carefully before treating the Code of Practice as optional theater. The Commission has drawn a clear distinction between signatories and nonsignatories. In a regime where information requests can lead to separate penalties for denial or obstruction, a posture that invites more requests is not costless.
The near-term takeaway is straightforward. There are still no formal actions today. There is also no ambiguity about when that changes. On August 2, the AI Office moves from informal engagement to a centralized enforcement regime with meaningful fining power, direct information rights, and the ability to order corrective action. Providers that have not mapped their exposure by then will be learning the regime under pressure.
{
"before_august_2": [
"Confirm whether your model falls under the GPAI regime",
"Check whether your company signed the GPAI Code of Practice",
"Prepare Article 91 documentation: training data summaries, model reports, internal records",
"Create a response plan for Article 92 independent evaluations, including source code access",
"Define escalation paths for Article 93 corrective measures or market restrictions"
]
}Frequently asked questions
The activation date is August 2, 2026, under the EU AI Act. Until then, the AI Office can engage informally with providers, but the formal powers described in Chapter IX, Section 5 do not yet apply. See the EU AI Act text on EUR-Lex and the European Commission AI Office page.
Articles 91 to 93 allow the Commission to request documentation and model records, commission independent evaluations including source code access, and require corrective measures, mitigation steps, or market restrictions. The legal text is available on EUR-Lex, and Lawfare’s analysis offers a useful overview at Lawfare.
For a primary violation, the maximum is 3% of total worldwide annual turnover in the preceding financial year or €15 million, whichever is higher. For denying information or access, the ceiling is 1% of turnover or €7.5 million. The official wording is in the EU AI Act.
The Commission says signatories receive “increased trust from the commission,” while nonsignatories face “a larger number of information requests.” That makes the code a practical signal about scrutiny levels even though the hard enforcement powers come from the Act itself. See the Commission’s GPAI Code of Practice page.
Primary sources
- How Much Power Does the EU AI Office Actually Have? — Lawfare
- Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence — EUR-Lex
- AI Office — European Commission
- Code of Practice for General-Purpose AI — European Commission
- European Commission Releases Draft Guidelines on High-Risk AI Under the EU AI Act — Hunton
- Sweet and Sour: Changes to the EU AI Act Almost Finalized — Reed Smith
Last updated: May 23, 2026. Related: Governance.
