17MAY

AI Office gains enforcement powers in August

3 min read

14:28UTC

The EU AI Act's fine authority activates on 2 August 2026, giving Brussels a new instrument against general-purpose AI providers with penalties reaching 3% of global turnover.

← Back to Brussels' 27 May package, two days before G7 Jump to analysis ↓

TechnologyDeveloping

Key takeaway

EU AI Act enforcement activates in August 2026 with fines up to 3% of global turnover for AI providers.

The EU AI Act's AI Office gains full enforcement powers over General-purpose AI model providers on 2 August 2026, now 3.5 months away. The fine ceiling is €15m or 3% of global annual turnover, whichever is higher ¹. For OpenAI, a single enforcement action could exceed €500m.

Companies that placed General-purpose AI models on the EU market after August 2025 must already comply with the GPAI Code of Practice. Models placed before that date have until August 2027. The AI Office has stated it will adopt a "collaborative, risk-based" approach initially, which likely means formal enforcement actions will not land before 2027. But the legal authority will exist from August, and the fine ceilings are large enough to change corporate behaviour even without an action being filed.

The enforcement framework creates an asymmetry that benefits European AI companies. Mistral and Aleph Alpha have been engaging with the AI Office since the regulation was drafted and have shaped their models around its requirements. US providers face a compliance burden designed around European values and regulatory traditions that do not map neatly onto their existing governance structures. The practical question is whether the AI Office has the technical capacity to assess general-purpose model compliance at the level of detail the regulation demands. The office is still hiring specialist staff.

Deep Analysis

In plain English

The EU AI Act is Europe's comprehensive law regulating artificial intelligence. Different types of AI systems face different rules, from a total ban on the most dangerous applications to light-touch rules for low-risk tools. On 2 August 2026, the AI Act gives the EU's new AI Office the power to fine companies that make or distribute general-purpose AI models; the foundational technology behind systems like ChatGPT, Gemini, and Claude. These are called GPAI (General-Purpose AI) models. The fines can be up to €15 million or 3% of a company's global annual revenue, whichever is higher. For OpenAI, which earned roughly $3.5 billion in revenue in 2024, that could mean a fine exceeding €100 million for a single violation. Companies that started offering GPAI models after August 2025 already have to comply with a Code of Practice; companies whose models existed before that date have until August 2027. The AI Office has said it will start carefully and collaboratively rather than immediately issuing large fines; but the powers will exist from August 2026.

Deep Analysis

Root Causes

The August 2026 enforcement date for GPAI model providers is the result of a deliberate sequencing in the AI Act's rollout: prohibited practices (February 2025), GPAI obligations (August 2025), high-risk system conformity (August 2026), and high-risk systems in regulated products (August 2027). The 12-month staging between GPAI obligations and full enforcement powers was intended to give providers time to implement the GPAI Code of Practice.

The €500m+ potential enforcement exposure for OpenAI reflects the 3% of global annual turnover fine ceiling applied to OpenAI's approximately $3.5bn annual revenue estimate. At this scale, an AI Act fine would be larger than any GDPR fine issued to date, and would be directly comparable to DMA-scale enforcement; a signal that the Commission intends AI Act enforcement to have equivalent deterrent effect.

What could happen next?

Consequence
GPAI providers that have not completed AI Office documentation and GPAI Code of Practice compliance by August 2026 face injunction risk that is more immediately disruptive to EU business than financial fines.
Immediate · 0.7
Risk
AI Office resource constraints (approximately 100 officials covering 50+ GPAI providers) may produce selective enforcement that favours large US providers over smaller European providers less equipped to manage regulatory engagement.
Short term · 0.6
Precedent
The first AI Act enforcement action against a major GPAI provider will set the interpretive baseline for systemic risk obligations, with implications for the entire global AI industry's EU compliance posture.
Medium term · 0.8

Source Landscape

This story draws on mixed-leaning sources from United States

United States

Primary parallel: GDPR came into full force in May 2018 with significant uncertainty about enforcement intensity. The Irish Data Protection Commission (lead supervisory authority for most US tech companies) issued its first major fine; against WhatsApp (€225m); only in September 2021, 39 months after GDPR applicability.

The AI Act's enforcement architecture differs (centralised AI Office rather than member state DPAs) but the resource constraint and technical complexity are comparable. The GDPR precedent suggests the August 2026 cliff will produce cautious, selective enforcement rather than immediate large-scale action.

Counter-parallel: The DMA's enforcement trajectory has been faster than GDPR's: first DMA fines were issued within 18 months of gatekeeper designation, reflecting the Commission's investment in DG COMP enforcement capacity. The AI Office sits in DG CNECT rather than DG COMP, with a different enforcement culture. Whether DG CNECT will adopt DMA-style enforcement speed or GDPR-style caution is the central uncertainty.

Consensus view: The Future of Life Institute and the Ada Lovelace Institute both assess August 2026 as a meaningful enforcement cliff; not because the AI Office will immediately initiate large-scale prosecutions, but because GPAI model providers without compliant documentation will face injunctions (requiring them to stop offering models in the EU) as an interim measure before fines are assessed.

An injunction against OpenAI's EU model offering would be more disruptive to its business than any fine.

Counter-view: Professor Thomas Wischmeyer at Bielefeld University argues that the AI Act's 'collaborative, risk-based approach' framing indicates the AI Office will not use its August 2026 powers aggressively for at least 12-18 months.

The Office is understaffed (approximately 100 officials for a GPAI market with 50+ relevant providers) and faces a technical capability deficit: assessing compliance with systemic risk requirements for frontier models requires expertise the Office is still recruiting. The enforcement cliff exists on paper; in practice, it is a 2028 concern.

Key tension: Whether the AI Office will use its August 2026 powers as a credible deterrent through selective high-profile enforcement actions (the approach that made GDPR credible via early Google/WhatsApp fines) or whether resource constraints will delay meaningful enforcement to 2027-28, giving providers a de facto two-year grace period.

Sources:CNBC·European Central Bank

Mentions:EU AI Act →OpenAI →Anthropic →Google →Aleph Alpha →Prima →ChatGPT →Mistral AI →AI Office →

First Reported In

Update #1 · Europe's chip ambitions meet reality

CNBC· 13 Apr 2026

Read original →

Causes and effects

This Event

AI Office gains enforcement powers in August

The AI Office's enforcement powers create a compliance deadline that could reshape how US AI companies operate in Europe, with potential fines exceeding €500m for a single action against OpenAI.

Led to

DMA orders Google to open search data

The 27 July DMA Google binding decision deadline sits five days before the 2 August AI Act full-enforcement date, creating a regulatory collision point.

Occurred 16 Apr 2026

Read story →

Meta faces DMA order on WhatsApp AI

The Meta interim measures are timed to land before the 2 August AI Act GPAI enforcement deadline, stacking two DMA interventions on the pre-AI-Act window.

Occurred 15 Apr 2026

Read story →

Three EU-US deadlines collide in 9 days

The nine-day July collision confirmed in this update encompasses the AI Act GPAI enforcement activation on 2 August, the date set when the AI Act entered enforcement in 2026.

Occurred 7 May 2026

Read story →

Different Perspectives

OpenForum Europe / open-source community

The EUR 350m Sovereign Tech Fund has no Commission host, no budget line, and no commissioner's name attached six weeks after the April conference, while Germany is already paying maintainers to staff international standards bodies. The CRA open-source guidance resolves contributor liability but leaves the financial-donations grey area open with the 11 September reporting clock running.

ASML / Christophe Fouquet

ASML's Q2 guidance miss of roughly EUR 300m below consensus reflects DUV revenue compression set by US export controls, not European policy. Fouquet said 2026 guidance accommodates potential outcomes of ongoing US-China trade discussions; a bipartisan US bill to tighten DUV sales further would accelerate the cross-subsidy thinning Chips Act II's equity authority is designed to address.

Anne Le Henanff / French G7 Presidency

Le Henanff chairs the 29 May Bercy ministerial two days after Brussels adopts the Tech Sovereignty Package, making the G7 communique the first international read of the Omnibus enforcement split and CAIDA's scope. France's Cloud au Centre doctrine is already operational via the Scaleway Health Data Hub contract.

German federal government

Berlin operationalises sovereignty through procurement mandates (the ODF requirement and the Sovereign Tech Standards programme) rather than waiting for Commission legislation. The Bundeskartellamt has still not received the Cohere-Aleph Alpha merger filing, leaving Germany's flagship AI champion in structural limbo six weeks after the deal resolved.

US Trade Representative

The USTR Section 301 investigation into EU digital rules closes with a 24 July 2026 final determination. CAIDA's public-sector cloud restriction sits within the criteria that triggered the 2020 Section 301 action against France's digital services tax, and the US has not signalled whether the Thales-Google S3NS arrangement resolves CLOUD Act jurisdiction concerns.

CISPE / Valentina Mingorance

CISPE shipped its own pass-fail sovereignty badge in April to establish an industry-auditable floor the Commission could adopt. Whether CAIDA inherits the CISPE binary or the multi-tier SEAL approach will determine whether certification is enforceable by public contracting authorities or requires Commission discretion.