🇪🇺⚖️
AI News · May 10, 2026
Brussels moves from Code-of-Practice dialogue to active GPAI evaluations — builders with AI in employment, credit, or healthcare have 84 days to finish conformity assessment
← All articles

EU AI Office Shifts from Guidance to Formal Scrutiny as August 2 High-Risk Deadline Closes In

AI News Published May 10, 2026 · eu ai act · gpai · eu ai office · compliance · high risk ai

The European Union's AI Office has entered an enforcement posture nine months after the EU AI Act's General-Purpose AI (GPAI) model obligations took legal effect on August 2, 2025. The transition — from the consultative Code of Practice process the Office ran through late 2024 into active compliance reviews of frontier model providers — marks the first time any multilateral AI regulator has moved past voluntary guidance into structured documentation demands and model evaluations. With the next major statutory deadline, full Annex III high-risk AI system compliance, arriving on August 2, 2026, builders deploying AI in employment screening, credit scoring, healthcare triage, and biometric access control have fewer than 90 days to complete conformity assessments.

The EU AI Office, housed within the European Commission's Directorate-General for Communications Networks, Content and Technology (DG CNECT) and granted supervisory authority over GPAI model providers under Regulation (EU) 2024/1689, is the world's first purpose-built multilateral AI regulator. Its enforcement trajectory in 2026 is being tracked closely by regulators in the UK (the ICO and CMA), Canada (ISED), Brazil (ANPD), and India (MeitY) as an operational template for post-voluntary AI oversight.

What the EU AI Office Is Doing

Regulation (EU) 2024/1689 — the EU AI Act — structures GPAI obligations across two tiers. Tier 1 applies to any provider releasing a GPAI model in or into the EU: publish technical documentation, comply with EU copyright law during training, make available a sufficiently detailed summary of training data content, and implement AI-generated content marking once the relevant delegated act specifies the technical standard. Tier 2 — systemic-risk model obligations — adds adversarial testing (red-teaming), 72-hour serious incident reporting to the EU AI Office, and cybersecurity measures proportionate to the model's capabilities. Both tiers have been active law since August 2, 2025.

The Systemic-Risk Threshold: 1025 FLOPs

The Act creates a rebuttable presumption of systemic risk for any GPAI model trained with cumulative computation exceeding 1025 floating-point operations (FLOPs). Based on disclosed parameter counts, published research, and hardware estimates, the models presumed to breach this threshold include: OpenAI's GPT-4 (March 2023), GPT-4o (May 2024), and o1 (September 2024); Anthropic's Claude 3 Opus (March 2024) and Claude 3.5 Sonnet (June 2024); Google DeepMind's Gemini 1.0 Ultra (December 2023) and Gemini 1.5 Pro (February 2024); and xAI's Grok 1 in its original 314B-parameter form (open-sourced March 2024).

Estimate, marked clearly: Training-compute figures for commercial frontier models are not publicly certified to the EU AI Office. The above classifications are inferred from disclosed parameter counts, published hardware procurement, and training duration disclosures — methodology consistent with, but not identical to, the formal evaluation the EU AI Office will conduct. Providers can rebut the systemic-risk presumption by demonstrating their actual compute or downstream risk does not meet the threshold.

Mistral AI sits in contested territory. The Paris-based company argued in Code of Practice working groups that its flagship models — Mistral Large (March 2024) and Mistral Large 2 (July 2024) — fall below the FLOPs threshold. The EU AI Office can separately designate a model as systemic risk even below the compute floor, based on capabilities, market reach, or a formal risk assessment. That designation power creates regulatory exposure for any mid-tier frontier provider whose models achieve broad deployment even without record-breaking compute.

The Open-Source Edge Case: Meta's Llama Family

Meta's release of Llama 3.1 405B on July 23, 2024 — under a commercial license restricted to entities with under 700 million monthly active users — created the Act's most complex enforcement puzzle. Article 53(2) carves out a modified regime for providers that make model weights publicly available: they retain Tier 1 documentation and copyright obligations, but receive partial relief from Tier 2 systemic-risk requirements, conditional on the EU AI Office's determination that the release is "genuinely open." The Office has not yet published a formal ruling on whether Llama 3.1 405B qualifies. That ruling, when it comes, will function as precedent for every open-weight release globally, affecting Mistral's openly released models, xAI's Grok 1, and any future frontier open-weight releases from companies including Google (Gemma) and Alibaba (Qwen).

What the Code of Practice Locked In

The GPAI Code of Practice, developed through four multi-stakeholder drafting rounds between July 2024 and early 2025, served as a transitional safe harbor: providers who participated in good faith were shielded from enforcement action while the code was being finalized. That safe harbor has since lapsed, and the code's commitments now function as the baseline against which the EU AI Office's evaluations will measure providers. Key commitments include:

What Builders Must Do Right Now

If you are building on top of a commercial API — OpenAI, Anthropic, Google, Mistral — your direct GPAI obligations are limited. You are a deployer, not a provider, and the heavy documentation and red-team testing burden falls on the model company. Your obligation is not to strip required content labels, not to modify safety systems in ways that violate your API agreement, and to cooperate with any audit the provider requires for its own compliance. This is not zero work, but it is manageable.

The August 2, 2026 deadline changes the calculus for deployers. If your product makes or substantially influences a consequential decision in any of the eight Annex III categories, you are a high-risk AI system deployer subject to the full conformity regime — regardless of which underlying model you use:

US-based builders — this applies to you: The Act's geographic scope tracks the location of users and affected individuals, not the provider's domicile. A startup incorporated in Delaware that sells an AI-powered HR screening tool to German employers is fully subject to Annex III obligations. No EU subsidiary or EU entity is required to trigger the obligations — placing the system on the EU market is sufficient.

The Conformity Assessment Sprint: Six Steps Before August 2

  1. Technical documentation per Annex IV: system architecture description, training data provenance, accuracy and robustness metrics, and a risk assessment specific to the deployment context
  2. Conformity assessment: self-assessment suffices for most Annex III categories; mandatory third-party audit by an EU-designated notified body is required for real-time biometric identification and law-enforcement use cases
  3. EU Declaration of Conformity: a signed legal declaration that the system meets all applicable Act requirements — this document must be retained for 10 years
  4. Registration in the EU's AI Act database, operated by the European Commission, before placing the system on the EU market
  5. Post-market monitoring plan: documented ongoing data collection and periodic review of real-world system performance against the original technical documentation
  6. Human oversight measures: technical and operational controls allowing a qualified human operator to override, intervene, or shut down the system — logs of override events must be retained

Penalty Structure and Scale

The EU AI Act's penalty tiers are calibrated against global annual turnover, not EU-specific revenue, which means the exposure figures for frontier AI companies are large:

Estimate, marked clearly: OpenAI's annualized revenue was reported at approximately $3.4 billion as of late 2024 per Bloomberg and The Wall Street Journal. A 3% penalty would approach $102 million. Alphabet reported 2024 full-year revenue of $350 billion; a 3% fine applied against Alphabet group revenue would theoretically reach $10.5 billion, though in practice the Act applies the percentage against the revenue of the responsible entity, not the full parent group. These figures illustrate the penalty scale, not confirmed exposure calculations.

Broader Regulatory Context: FTC and State Moves

The EU AI Office's shift toward enforcement is not happening in a vacuum. The U.S. Federal Trade Commission's September 2024 Operation AI Comply — five simultaneous enforcement actions against companies making false or unsubstantiated AI performance claims, including a $193,000 settlement with DoNotPay (styled as the "world's first robot lawyer") — established that AI-capability misrepresentation is prosecutable deception under Section 5. Colorado's SB 205, signed by Governor Jared Polis on May 17, 2024 and effective February 1, 2026, created the US's first comprehensive state-level AI deployer obligation: impact assessments, algorithmic discrimination protections, and consumer notice rights for high-stakes automated decisions. US builders facing the EU's August 2 deadline are simultaneously inside Colorado's enforcement window — the two regimes share enough structural DNA that a single conformity program can often satisfy both.

What Comes Next

The EU AI Office has signaled that Q2 2026 will bring formal documentation requests to the major systemic-risk model providers, with evaluations potentially including direct model testing by independent technical experts retained by the Office under Article 92. Builders deploying high-risk AI systems have until August 2 to complete conformity assessments; national market surveillance authorities across the 27 member states will begin active enforcement sweeps shortly after. The window for voluntary remediation without enforcement exposure is now measured in weeks.

Frequently asked

Does the EU AI Act apply to US-based AI companies with no EU office?
Yes. The Act's geographic scope is based on where users and affected individuals are located, not where the provider is incorporated. Any company offering an AI system to users in EU member states, or deploying AI that makes decisions affecting EU residents, is subject to the relevant obligations. No EU subsidiary or local representative is required to trigger compliance duties — though the Act does require non-EU providers of high-risk AI systems to appoint an EU-based authorized representative for enforcement contact purposes.
What exactly triggers the 10^25 FLOPs systemic-risk classification?
The EU AI Act establishes a rebuttable presumption of systemic risk for any GPAI model trained with cumulative compute exceeding 10^25 floating-point operations. This threshold was calibrated to capture frontier models circa 2023-2024 like GPT-4 and Claude 3 Opus. Providers can rebut the presumption by demonstrating the model's actual capabilities or downstream risk profile does not warrant systemic-risk treatment. The EU AI Office can also designate smaller models as systemic risk based on capability assessments or market reach — the compute threshold is a floor, not a ceiling.
Are open-weight models like Meta's Llama 3 exempt from GPAI obligations?
Partially. Article 53(2) of the Act provides modified obligations for providers who release model weights publicly: they still must publish technical documentation and comply with EU copyright rules regarding training data, but receive partial relief from the adversarial-testing and incident-reporting requirements that apply to Tier 2 systemic-risk models. This relief is conditional on the EU AI Office's determination that the release is "genuinely open" — a ruling that has not yet been formally issued for the Llama 3 family, leaving Meta in regulatory limbo.
If I use an API like OpenAI or Anthropic for a hiring tool, who bears the compliance burden for August 2?
Both parties bear obligations at different layers. OpenAI or Anthropic, as the GPAI model provider, is responsible for Tier 1 and Tier 2 documentation, red-teaming, and incident reporting under GPAI rules. You, as the deployer of a high-risk AI system (employment decision tools are listed in Annex III), are responsible for conducting and maintaining your own conformity assessment, technical documentation specific to your product's deployment context, consumer notice and appeal rights, and human oversight measures. The provider's GPAI compliance does not substitute for the deployer's Annex III compliance.
What is the penalty for a US company that misses the August 2, 2026 high-risk AI deadline?
Non-compliance with high-risk AI system obligations carries fines of up to €15 million or 3% of global annual turnover, whichever is higher. National market surveillance authorities — not just the EU AI Office — handle enforcement against deployers in their territory, so the enforcement risk is distributed across all 27 EU member states. Providing inaccurate or misleading documentation to regulators triggers a separate, lower tier: up to €7.5 million or 1.5% of global annual turnover.

Sources & further reading

  1. Regulation (EU) 2024/1689 — Full Text of the EU AI Act (EUR-Lex)
  2. EU AI Office — Official European Commission Overview
  3. GPAI Code of Practice — EU AI Office Drafting Process
  4. FTC Operation AI Comply — September 2024 Enforcement Actions
  5. Colorado SB 24-205 — Colorado Artificial Intelligence Act
  6. Ada Lovelace Institute — EU AI Act Explainer and Risk Classification Analysis

Last reviewed May 10, 2026. AI Pulled News is editorial; corrections welcome at /news/about.html.