Saturday, July 11, 2026

News

European Commission to Start Fining Makers of Most Powerful AI Models on August 2

PolicyPatryk Raba

The grace period under the EU's AI Act is ending - starting August 2, 2026, the European Commission will be able to fine developers of systemic-risk models, such as GPT or Gemini, over how they are trained and tested.

Contents
  1. Two tiers of obligations
  2. What the Commission can do
  3. Staffing levels in question
  4. What this means for Polish companies

Two years after the EU's artificial intelligence regulation took effect, the grace period during which the largest AI model developers could operate without a real threat of punishment is coming to an end. Starting August 2, 2026, the European Commission and the EU's AI Office gain full authority to inspect and penalize companies developing the most powerful models, including for how those models were trained.

The AI Act took effect in stages. In February 2025, bans on the most controversial practices, such as mass biometric surveillance, came into force. In August 2025, the first obligations for developers of general-purpose models appeared, but without a real enforcement mechanism. Only on August 2, 2026, does the Commission gain full oversight and financial tools over this group of companies.

Two tiers of obligations

The regulation splits general-purpose model developers into two categories. All providers must publish updated summaries every six months of the data used to train their models. This is a relatively light requirement, applying to every company offering a language model in the European Union, regardless of size.

The second category covers models deemed to pose systemic risk. The threshold is set by the computing power used for training - above 10^25 floating-point operations, a model automatically falls into this group. In practice, this means the newest, most advanced systems from leading labs. Companies developing such models must conduct rigorous testing, assess risk, report serious incidents related to model behavior, and maintain an adequate level of cybersecurity protection.

What the Commission can do

From August 2, the AI Office can demand documentation and technical information from providers, run its own model tests, order the implementation of risk-mitigation measures, and in extreme cases demand a model's withdrawal from the EU market. Only now are these powers backed by a real financial threat - fines of up to 15 million euros or 3 percent of a company's global turnover, and for practices explicitly banned, up to 35 million euros or 7 percent of turnover.

EU legal experts note that the first enforcement decisions will likely not reach the maximum rates. Precedents are expected to involve specific, well-documented violations rather than symbolic fines meant to demonstrate the regulator's strength. At the same time, simply having such an arsenal changes the risk calculation for companies like OpenAI, Anthropic, or Google DeepMind, which now must treat compliance with EU requirements as a fixed cost of doing business in Europe rather than an optional goodwill gesture.

Staffing levels in question

Doubts remain, however, about the AI Office's own capacity to enforce its new powers. The institution currently employs just over 125 people, only some of whom deal directly with oversight of general-purpose models. Experts tasked with assessing the regulator's readiness estimate that by 2030, more than 160 dedicated staff will be needed for oversight to be real rather than merely declarative. By comparison, the UK's AI Safety Institute, Britain's counterpart to the EU office, already employed around 250 people as of August 2025.

This disproportion raises the question of how effectively the Commission will actually be able to monitor the dozen or so most powerful models in the world, given that each requires deep technical analysis, access to training data, and systemic risk assessment. Critics point out that without significant staffing increases, the new powers could remain largely on paper during the first months of enforcement.

What this means for Polish companies

For most Polish businesses, the new rules do not pose a direct risk of fines, since these apply primarily to the developers of the largest models themselves, not to the companies that use those models. What matters in practice, however, is the growing pressure to get a handle on so-called shadow AI, meaning unauthorized use of artificial intelligence tools by employees without the knowledge of IT and compliance departments. Legal analyses indicate that this phenomenon affects most companies in Poland, and that every AI system update can, in practice, trigger new obligations stemming from risk classification.

Legal advisors recommend that companies using models covered by the new rules start mapping all the AI tools they use now, from licensed platforms such as Copilot or Gemini to informal solutions rolled out bottom-up by teams. As the Commission's full powers take effect, it also becomes more likely that model providers will start shifting some of the new documentation and reporting obligations onto their business customers in the European Union.

Sources: Europe's AI Act commission gains fining power for training practices (spacedaily.com), AI Act 2026 and 2027: what penalties apply for violating AI regulations (gazetaprawna.pl), analysis of AI Act implementation for businesses (startbrain.ai)

Share: