3JUN

AI Office gains enforcement powers in August

3 min read

10:43UTC

The EU AI Act's fine authority activates on 2 August 2026, giving Brussels a new instrument against general-purpose AI providers with penalties reaching 3% of global turnover.

← Back to Sovereignty arrives, minus Brussels Jump to analysis ↓

TechnologyDeveloping

Key takeaway

EU AI Act enforcement activates in August 2026 with fines up to 3% of global turnover for AI providers.

The EU AI Act's AI Office gains full enforcement powers over general-purpose AI model providers on 2 August 2026, now 3.5 months away. The fine ceiling is €15m or 3% of global annual turnover, whichever is higher ¹. For OpenAI, a single enforcement action could exceed €500m.

Companies that placed general-purpose AI models on the EU market after August 2025 must already comply with the GPAI Code of Practice. Models placed before that date have until August 2027. The AI Office has stated it will adopt a "collaborative, risk-based" approach initially, which likely means formal enforcement actions will not land before 2027. But the legal authority will exist from August, and the fine ceilings are large enough to change corporate behaviour even without an action being filed.

The enforcement framework creates an asymmetry that benefits European AI companies. Mistral and Aleph Alpha have been engaging with the AI Office since the regulation was drafted and have shaped their models around its requirements. US providers face a compliance burden designed around European values and regulatory traditions that do not map neatly onto their existing governance structures. The practical question is whether the AI Office has the technical capacity to assess general-purpose model compliance at the level of detail the regulation demands. The office is still hiring specialist staff.

Deep Analysis

In plain English

The EU AI Act is Europe's comprehensive law regulating artificial intelligence. Different types of AI systems face different rules, from a total ban on the most dangerous applications to light-touch rules for low-risk tools. On 2 August 2026, the AI Act gives the EU's new AI Office the power to fine companies that make or distribute general-purpose AI models; the foundational technology behind systems like ChatGPT, Gemini, and Claude. These are called GPAI (General-Purpose AI) models. The fines can be up to €15 million or 3% of a company's global annual revenue, whichever is higher. For OpenAI, which earned roughly $3.5 billion in revenue in 2024, that could mean a fine exceeding €100 million for a single violation. Companies that started offering GPAI models after August 2025 already have to comply with a Code of Practice; companies whose models existed before that date have until August 2027. The AI Office has said it will start carefully and collaboratively rather than immediately issuing large fines; but the powers will exist from August 2026.

Deep Analysis

Root Causes

The August 2026 enforcement date for GPAI model providers is the result of a deliberate sequencing in the AI Act's rollout: prohibited practices (February 2025), GPAI obligations (August 2025), high-risk system conformity (August 2026), and high-risk systems in regulated products (August 2027). The 12-month staging between GPAI obligations and full enforcement powers was intended to give providers time to implement the GPAI Code of Practice.

The €500m+ potential enforcement exposure for OpenAI reflects the 3% of global annual turnover fine ceiling applied to OpenAI's approximately $3.5bn annual revenue estimate. At this scale, an AI Act fine would be larger than any GDPR fine issued to date, and would be directly comparable to DMA-scale enforcement; a signal that the Commission intends AI Act enforcement to have equivalent deterrent effect.

What could happen next?

Consequence
GPAI providers that have not completed AI Office documentation and GPAI Code of Practice compliance by August 2026 face injunction risk that is more immediately disruptive to EU business than financial fines.
Immediate · 0.7
Risk
AI Office resource constraints (approximately 100 officials covering 50+ GPAI providers) may produce selective enforcement that favours large US providers over smaller European providers less equipped to manage regulatory engagement.
Short term · 0.6
Precedent
The first AI Act enforcement action against a major GPAI provider will set the interpretive baseline for systemic risk obligations, with implications for the entire global AI industry's EU compliance posture.
Medium term · 0.8

Source Landscape

This story draws on mixed-leaning sources from United States

United States

Primary parallel: GDPR came into full force in May 2018 with significant uncertainty about enforcement intensity. The Irish Data Protection Commission (lead supervisory authority for most US tech companies) issued its first major fine; against WhatsApp (€225m); only in September 2021, 39 months after GDPR applicability.

The AI Act's enforcement architecture differs (centralised AI Office rather than member state DPAs) but the resource constraint and technical complexity are comparable. The GDPR precedent suggests the August 2026 cliff will produce cautious, selective enforcement rather than immediate large-scale action.

Counter-parallel: The DMA's enforcement trajectory has been faster than GDPR's: first DMA fines were issued within 18 months of gatekeeper designation, reflecting the Commission's investment in DG COMP enforcement capacity. The AI Office sits in DG CNECT rather than DG COMP, with a different enforcement culture. Whether DG CNECT will adopt DMA-style enforcement speed or GDPR-style caution is the central uncertainty.

Consensus view: The Future of Life Institute and the Ada Lovelace Institute both assess August 2026 as a meaningful enforcement cliff; not because the AI Office will immediately initiate large-scale prosecutions, but because GPAI model providers without compliant documentation will face injunctions (requiring them to stop offering models in the EU) as an interim measure before fines are assessed.

An injunction against OpenAI's EU model offering would be more disruptive to its business than any fine.

Counter-view: Professor Thomas Wischmeyer at Bielefeld University argues that the AI Act's 'collaborative, risk-based approach' framing indicates the AI Office will not use its August 2026 powers aggressively for at least 12-18 months.

The Office is understaffed (approximately 100 officials for a GPAI market with 50+ relevant providers) and faces a technical capability deficit: assessing compliance with systemic risk requirements for frontier models requires expertise the Office is still recruiting. The enforcement cliff exists on paper; in practice, it is a 2028 concern.

Key tension: Whether the AI Office will use its August 2026 powers as a credible deterrent through selective high-profile enforcement actions (the approach that made GDPR credible via early Google/WhatsApp fines) or whether resource constraints will delay meaningful enforcement to 2027-28, giving providers a de facto two-year grace period.

Sources:CNBC·European Central Bank

Mentions:EU AI Act →OpenAI →Anthropic →Google →Aleph Alpha →Prima →ChatGPT →Mistral AI →AI Office →

First Reported In

Update #1 · Europe's chip ambitions meet reality

CNBC· 13 Apr 2026

Read original →

Causes and effects

This Event

AI Office gains enforcement powers in August

The AI Office's enforcement powers create a compliance deadline that could reshape how US AI companies operate in Europe, with potential fines exceeding €500m for a single action against OpenAI.

Led to

DMA orders Google to open search data

The 27 July DMA Google binding decision deadline sits five days before the 2 August AI Act full-enforcement date, creating a regulatory collision point.

Occurred 16 Apr 2026

Read story →

Meta faces DMA order on WhatsApp AI

The Meta interim measures are timed to land before the 2 August AI Act GPAI enforcement deadline, stacking two DMA interventions on the pre-AI-Act window.

Occurred 15 Apr 2026

Read story →

Three EU-US deadlines collide in 9 days

The nine-day July collision confirmed in this update encompasses the AI Act GPAI enforcement activation on 2 August, the date set when the AI Act entered enforcement in 2026.

Occurred 7 May 2026

Read story →

Brussels readies record Google DMA fine

AI Act GPAI enforcement on 2 August (ID:2335) is the third instrument stacked in the six-week enforcement window.

Occurred 25 May 2026

Read story →

Different Perspectives

European Central Bank

The ECB's digital euro pilot drew more than 50 PSP applications and is naming 10 to 30 participants in July, advancing on its own monetary mandate without requiring a Commission act. Its trajectory this week is the inverse of CAIDA's: the sovereignty instrument that restricts no US firm is the only one keeping its published calendar.

United States (Ambassador Andrew Puzder / Steptoe LLP)

Puzder named CAIDA a red line inconsistent with the EU-US trade framework on 25 May; Steptoe warns US firms spend up to USD 50bn a year on DMA and DSA compliance and that CAIDA's Buy European tilt threatens the Turnberry truce. The Google fine delay is read in Washington as evidence that Commission enforcement bends to diplomatic pressure.

France (G7 chair and Mistral AI)

France chaired the 29 May G7 Bercy ministerial and produced a communique that omitted cloud sovereignty entirely, while its national AI champion Mistral won five-year Airbus and BMW engineering contracts commercially the day before. Paris is advancing sovereignty through the market and retreating on it at every multilateral table.

Germany (federal government)

Berlin maintained College silence that forced CAIDA's scope to public-sector tenders, protecting the automotive sector from a US Section 301 claim while simultaneously allowing BMW to contract Mistral for safety-critical crash-simulation work. German corporate procurement and German trade policy are running in opposite directions.

Netherlands (minister Willemijn Aerdts)

Aerdts blocked Kyndryl's EUR 100m Solvinity acquisition on 26 May, the first US deal ever stopped under Dutch screening, on the specific ground that the US CLOUD Act could compel disclosure of DigiD and MijnOverheid data. The decision is a direct demonstration that national screening achieves CAIDA's public-sector objective without waiting for EU law.

European Commission

The Commission is presenting CAIDA adoption on its fourth scheduled date as a sovereignty milestone, with Henna Virkkunen due to brief the Telecom Council on 9 June. The narrowed public-sector-only scope is the concession written in to secure adoption; whether the Commission presents it as a floor or a ceiling for future revision is the open question.