The AI Act grows teeth

The story everyone repeated this month was a reprieve. On 6 May, after a failed first round, the Council presidency and Parliament negotiators reached a provisional deal on the so-called Digital Omnibus, and the headlines wrote themselves: Brussels blinks, the AI Act gets softened, the deadlines slide. There is some truth in it. The most operationally demanding parts of the Act — the obligations on high-risk systems that were due to bite on 2 August 2026 — are being pushed back, in some cases to December 2027 and beyond. If you read only the press release, you would conclude that the regulator had lost its nerve.

Read the text in the original and a different document appears. The Omnibus moves the high-risk timeline. It does not move the part of the Act that already binds the handful of companies that build the models everything else is built on. Those obligations — the rules for providers of general-purpose AI — came into application on 2 August 2025, quietly, while the argument was about something else. They are in force now. The only question left open is the one that always matters: not whether a rule exists, but when it bites.

Who is actually in scope

The Act calls them "providers of general-purpose AI models," and the Commission's July 2025 guidelines did the unglamorous work of saying what that phrase means in practice. A model is general-purpose, the guidelines say, when the compute used to train it exceeds roughly 10^23 floating-point operations and it can generate language, text-to-image or text-to-video output. That is a deliberately low fence. It was 10^22 in the draft; the final number is higher, but it still captures essentially every frontier and near-frontier model on the market, and a long tail of smaller ones besides.

Two clarifications in those guidelines matter more than the headline threshold. The first concerns open models: providers that release a model under a genuinely free and open licence, with weights and architecture public, are exempt from some — not all — of the obligations, an exemption that evaporates the moment a model carries systemic risk. The second concerns the long supply chain of fine-tuners. You do not become a "provider" by making minor changes to someone else's model. You become one when you make a significant change — and the guidelines put a number on "significant": a modification using more than one-third of the original model's training compute. Where the original figure is unknown, the default is one-third of the relevant threshold. Fine-tune at the margins and the obligation stays with the lab upstream. Fine-tune seriously and it becomes yours.

None of this turns on where the company sits. The Act binds anyone who places a general-purpose model on the EU market, whoever they are and wherever they trained it. This is the familiar shape of European digital law: extraterritorial by design, because no serious provider builds a separate model for one jurisdiction. The terms written for the EU market become the terms everywhere.

What the operative clauses require

Strip away the framework language and the baseline duties on every in-scope provider reduce to two things they must produce and one they must respect. They must keep technical documentation of the model — its capabilities, its limitations, the compute and data behind it — and make it available to the AI Office and to the downstream developers who build on it. They must adopt a policy to comply with EU copyright law, which in practice means honouring machine-readable reservations of rights, the robots.txt and equivalent signals that say do not train on this. And they must publish a summary of the content used to train the model.

That last obligation is the one to watch, because the Commission turned an abstract duty into a form. The training-data summary template, finalised alongside the guidelines, is not a vibe. It asks providers to sort their training data into named buckets — publicly available datasets, data licensed from third parties, data crawled or scraped from the open web, user data, synthetic data — and, for scraped material, to disclose the most relevant internet domains by volume: the top 10 per cent for a large provider, the top 5 per cent for an SME. It asks them to describe the measures they took to respect rightsholders' reserved rights and to keep illegal content out. For an industry that has treated its training corpus as a trade secret and, occasionally, as a question best not answered, a mandatory disclosure form is a structural change, not a paperwork one.

The useful question is never whether a rule is in force. It usually is, quietly. The question is who it binds, what the operative clause requires, and on what date the regulator can fine you for ignoring it.

The systemic-risk tier, and the number that defines it

Above the baseline sits a second, far smaller category: general-purpose models with systemic risk. The line is drawn with another number. A model is presumed to carry systemic risk when the cumulative compute used to train it exceeds 10^25 floating-point operations — a hundred times the threshold that makes a model general-purpose in the first place. The Commission can also designate a model as systemic on the advice of its scientific panel, and a provider can argue back that its model, despite crossing the line, does not in fact pose such a risk. But the presumption does the work, and the population it captures is tiny: on any honest count, somewhere between five and fifteen models worldwide.

Crossing that line triggers a duty most people miss. A provider that trains a model expected to meet the threshold must notify the AI Office — the obligation attaches at the point the model is expected to qualify, not after the fact. From there the additional duties stack up: state-of-the-art model evaluation including adversarial testing, identification and mitigation of systemic risks across the lifecycle, cybersecurity protection of the model and its weights, and an obligation to track and report serious incidents to the AI Office and national authorities without undue delay. These are the obligations the Omnibus debate did not touch. The reprieve was for the companies deploying high-risk systems downstream. For the labs at the top of the stack, nothing was postponed.

The Code of Practice, and what signing buys

To make the abstract obligations operable, the AI Office published a voluntary Code of Practice on 10 July 2025, written by independent experts across three chapters: Transparency, Copyright, and — for the systemic tier only — Safety and Security. The Code is not the law. It is a route to demonstrating you comply with it. Signatories get what the Commission calls a presumption of conformity, a lighter administrative touch, and the assurance that enforcement attention will focus on adherence to the Code rather than on open-ended demands for information.

The signatures themselves are a map of the industry's calculation. OpenAI, Google, Anthropic, Microsoft and Mistral signed. Meta, conspicuously, did not — a refusal that is itself a position. Signing does not buy immunity: the text is explicit that adherence to the Code does not foreclose a fine. What it buys is the difference between a regulator who treats you as cooperating and one who treats you as a target. For a company that has chosen the second posture, the first year of enforcement will be a more expensive place to stand.

When it bites

Here is the date that is actually load-bearing. The obligations have applied since 2 August 2025, but the Commission's power to enforce them — to compel information, to order changes, to fine — switches on a year later, on 2 August 2026. From that date a provider of a general-purpose model that ignores its duties faces penalties of up to 15 million euros or 3 per cent of total worldwide annual turnover, whichever is higher. (The seven-per-cent, 35-million-euro ceiling people quote belongs to the prohibited-practices regime; it is not the GPAI number.) Models already on the market before August 2025 get until 2 August 2027 to fall into line. Everything launched since is expected to comply now, with the regulator's teeth arriving in August.

So the reported version and the binding version diverge, as they usually do. The reported version, this spring, was retreat — deadlines slipping, Brussels softening under pressure. The binding version is narrower and more durable: the high-risk timeline moved, the foundation-model obligations did not. The transparency duty, the copyright policy, the training-data form and the systemic-risk regime are in force, the Code that operationalises them is signed by most of the companies that matter, and the enforcement window opens in roughly ten weeks.

What happens after that is the part Brussels rarely says out loud but always intends. No lab will publish one training-data summary for Europe and refuse one everywhere else; no provider will run adversarial evaluations for the EU market alone. The form drafted in a Commission office becomes the disclosure the whole industry files. The threshold set at 10^25 becomes the line the whole world watches. The Act did not need a crackdown to change the default. It only needed to come into force, name the obligations precisely, and wait for the calendar to do the rest. The calendar is nearly done waiting.