Skip to main content
Agentic Universityv1.18.0
|

All articles

GPAI Obligations from 2 August 2026: What Mittelstand Deployers Must Know Before the Commission Starts Enforcing

On 2 August 2026 the EU Commission's enforcement powers against GPAI providers come into force. What that means for Mittelstand deployers — and 4 provider obligations you must check.

Sebastian LangMay 5, 20266 min read

Key numbers at a glance

  • Deadline 2 August 2026: from this day the European Commission's full enforcement power applies to GPAI providers whose models were placed on the market after 2 August 2025 (eur-lex Art. 113). Important: GPAI models placed on the market before 2 August 2025 ("legacy" models) have a transitional period under Art. 111(3) running until 2 August 2027 — the obligations described here apply in full only from that later date for those models.
  • The obligations have existed since 2 August 2025 (Art. 53/55) for newly placed-on-market models. Enforcement against those providers comes one year later.
  • GPAI Code of Practice published 10 July 2025 — the voluntary compliance pathway. Signatories may rely on the Code as a way to demonstrate compliance until harmonised standards are available. A statutory presumption of conformity under Art. 53(4) flows from harmonised standards under Art. 40, not from signing the Code alone (code-of-practice.ai).
  • You are not the GPAI provider (that's OpenAI, Anthropic, Google, Mistral). But you are the deployer, and you need to know whether your provider is compliant — otherwise your use case takes the hit.

Why this post is relevant now

Most German CTOs read "AI Act August 2026" and think of high-risk AI under Annex III. That is correct — but it misses a second wave that hits at the same time: the enforcement of GPAI provider obligations by the Commission.

You are not the provider yourself. You use GPT-4, Claude, Gemini, Mistral or Llama via API. But if your use case falls into high-risk (Annex III), Art. 26(1) requires you to use the system in accordance with the provider's instructions for use. If you are also a downstream provider integrating a GPAI model into your own AI system, additional information duties under Art. 53(1)(b) bind the GPAI provider to supply you with Annex-XII info — without that, you lack your compliance basis.

So: in 2026 you need to know whether your LLM providers have done their homework — and which ones have not.

The four GPAI provider obligations under Art. 53

1. Technical documentation (Art. 53(1)(a), Annex XI)

Every GPAI provider must maintain detailed model documentation: technical properties, training details, energy consumption, intended use. This Annex-XI documentation goes on request to the Commission and national supervisory authorities — not directly to you as deployer. What you see as deployer is the separate Annex-XII information for downstream integrators (see obligation 2).

What you check as deployer: does a "Model Documentation Form" from your provider exist? With OpenAI / Anthropic / Google / Mistral typically available in the trust centre or compliance portal. If not: that is an early warning signal.

2. Information for downstream providers (Art. 53(1)(b), Annex XII)

The GPAI provider must inform you as downstream integrator about capabilities and limitations — so you can fulfil your own obligations (e.g. under Art. 16 for high-risk AI systems).

What you check: do you have a "GPAI Provider Information Pack" or comparable document? If the provider only says "Use our API responsibly", that is not an Annex-XII-conformant information pack. Demand it in writing.

The provider must have a written policy describing how they comply with EU copyright law (Directive (EU) 2019/790) — particularly the text and data mining opt-out mechanism under Art. 4(3).

What you check: does the provider have a published copyright policy? If not, you face indirect copyright risk because the output may include works trained under unclear licence.

4. Training content summary (Art. 53(1)(d))

The provider must publish a publicly available summary of training content — based on a template provided by the AI Office.

What you check: on the provider's website or trust centre this summary should be findable. If only "We trained on a diverse dataset" is there, that is not Art. 53(1)(d) conformant.

Plus: Art. 55 for GPAI with systemic risk

If your provider supplies a GPAISR (General-Purpose AI Systemic Risk) model — these are the largest models, currently on a list maintained by the Commission —, four additional obligations apply:

  • Model evaluation under standardised protocols, including adversarial testing
  • Risk assessment and mitigation at EU level
  • Incident reporting to the AI Office for "serious incidents" without undue delay
  • Cybersecurity for the model and its infrastructure

Practical impact: if you deploy a GPT-4-class or Claude-Opus-class model, that is highly likely a GPAISR. Demand from your provider that they disclose the eval reports and incident-response procedures — or provide a statement that they fulfil Art. 55.

The GPAI Code of Practice — the compliance shortcut

On 10 July 2025 the final GPAI Code of Practice was published. It is voluntary. Signatories may rely on the Code as a way to demonstrate compliance until harmonised standards under Art. 40 are available — a statutory presumption of conformity in the strict sense of Art. 53(4) flows from those harmonised standards, not from signing the Code alone.

As of May 2026: several major providers (OpenAI, Anthropic, Google, Microsoft, Mistral, IBM and others) have signed the Code. Some signed with reservations (especially around copyright clauses). xAI so far has signed only the Safety and Security chapter of the Code — meaning xAI must demonstrate transparency and copyright compliance through other means.

What you check: is your provider on the Code of Practice signatory list (code-of-practice.ai)? If yes, your compliance risk is significantly reduced. If not, you must check the Art. 53 obligations individually — more effort but doable.

The five deployer steps for May-July 2026

What you should concretely do in the next 90 days:

  1. Inventory of your GPAI usage — which models, from which providers, in which use cases. Output: table with provider, model, use case, falls-in-Annex-III (yes/no).

  2. Provider compliance check per supplier: Code-of-Practice signatory? If no, Art. 53 compliance statement available? Annex XI documentation? Annex XII information pack? Copyright policy? Training summary?

  3. Gap list sent to provider: what is missing, what you need. Before August. Polite, but in writing.

  4. Your own deployer obligations under Art. 26 for Annex-III use cases — see our AI Act 90-day plan.

  5. Backup plan in case a provider does not get compliance done: which alternative supplier? This switch is non-trivial in a high-risk setup — a concept for it should be ready in 2026.

Two common disputes

"We just use the OpenAI API. Do we really need all this?"

If your use case falls into Annex III (HR/employment, education, critical infrastructure, law enforcement etc.), yes. You are then deployer of a high-risk AI system, and Art. 26(1) requires you to use the system in accordance with the provider's instructions. If you are also a downstream provider (integrating the GPAI into your own AI system), Art. 53(1)(b) Annex-XII information from the GPAI provider applies on top. Whichever side is missing, that is not your "protection", it is your compliance defect at audit time.

"What about open-source models like Llama?"

Art. 53(2) contains an open-source exception for free, non-systemic-risk models: obligations (1)(a) tech-doc and (1)(b) downstream-info fall away. But: copyright policy (1)(c) and training summary (1)(d) remain. And: individual Llama versions can be classified as systemic risk under Art. 51 once they cross the compute threshold or the Commission designates them — at that point the open-source exception does not apply and the additional Art. 55 obligations kick in.

Bottom line

2 August 2026 is not "the AI Act enters into force" — the Act has been in force since 2024. It is the day the Commission can enforce. Providers have had a one-year grace period; Mittelstand deployers have 90 days to check whether their providers delivered. This check is doable — but not in a week if you push it to July.

Which of your GPAI providers has signed the Code of Practice already — and for which do you still need to follow up before August arrives?

About the author

Sebastian Lang

Co-Founder · Business & Content Lead

Co-Founder von Sentient Dynamics. 15+ Jahre Business-Strategie (u.a. SAP), MBA. Schreibt über AI-Act-Compliance, ROI-Messung und wie Mittelstand-CTOs agentische KI tatsächlich einführen.

Once a month. Only substance.

No motivational fluff. No tool lists. Only what CTOs, COOs and MDs in DACH really need to know about AI adoption.