Key takeaways (May 17, 2026)
- This article has been updated since April 2026 to reflect enforcement status as of mid-May 2026.
- The AI Office published additional GPAI guidance in Q2 2026, focused on training-data transparency.
- Enforcement bodies in member states are now publishing their AI Act competent-authority designations.
- No deadline slippage has been announced for the August 2, 2026 GPAI date as of May 17, 2026.
The EU AI Act’s first real enforcement signal landed on April 4, 2026 when Ireland’s DPC issued a formal Article 11 documentation request to a SaaS company — 117 days before the August 2, 2026 full-enforcement deadline. I’ve been tracking the EU AI Act news cycle every morning for the past three months, and this week is the first time I genuinely felt the panic shift from compliance teams to product teams. That’s the tell. When engineers start asking lawyers questions instead of the other way around, you know a deadline is real.
We’re 117 days from August 2, 2026. The European Commission dropped two significant updates in the past ten days, the AI Office quietly published new template documentation, and the first real enforcement signal came out of Ireland on Friday. If you build, deploy, or even resell AI in the EU, here’s what actually happened this week and what it means for the work sitting in your sprint board right now.
The headline: enforcement is no longer hypothetical
Until about two weeks ago, most of the EU AI Act conversation was theoretical. Lawyers wrote memos. Compliance vendors sold dashboards. Engineers ignored both.
That stopped on April 4, 2026, when Ireland’s Data Protection Commission issued the first formal request for technical documentation under Article 11 to a mid-sized SaaS company operating a candidate-screening tool. No fine, no public naming, but the request landed with a 30-day response window and a checklist that mirrored the AI Office’s internal assessment template almost word for word.
That last part is what matters. It means national regulators are now using the same playbook, and the playbook is detailed enough that vague answers will not survive it.
If you’ve been waiting for a “first mover” before investing in compliance documentation, congratulations, you have one.
What the European Commission published this week
Three things landed between April 1 and April 7. None of them got the press they deserve.
1. Updated guidance on prohibited practices (April 2, 2026). The Commission expanded the Article 5 explanatory notes to clarify how “subliminal techniques” applies to recommender systems. The short version: if your ranking algorithm uses signals the user cannot reasonably perceive (dwell time, micro-engagement, scroll velocity) to nudge behavior in ways that conflict with their stated interests, you are now in the gray zone. Not banned outright, but you need a documented user-interest test. I expect this to hit ad-tech and short-video platforms first.
2. GPAI Code of Practice version 2.1 (April 3, 2026). The General-Purpose AI Code of Practice picked up new language on training data transparency. Providers of GPAI models above the 10^25 FLOP threshold now have to publish a “sufficiently detailed summary” of training data using a standardized template. The template was released the same day. It is shorter than I expected (six pages) but more specific than I hoped. Domain breakdowns, language coverage, and a yes/no on synthetic data are all required.
If you’re shipping a foundation model in 2026, your data team has homework this weekend.
3. AI Office FAQ refresh (April 5, 2026). The AI Office updated 14 of its public FAQs. The most important change: clarifying that fine-tuning a GPAI model can, in some cases, make the fine-tuner a “provider” under the Act. The trigger is whether the modification “substantially changes” the intended purpose or risk profile. This is the question every startup building on top of Llama, Mistral, or Claude has been avoiding. The answer is now: probably yes, document it.
The GPAI rules everyone is suddenly reading
I want to spend a minute on the General-Purpose AI provisions because they are the part of the Act most people skipped. They take effect August 2, 2026, the same day as the high-risk system rules, and they apply to anyone making a foundation model available in the EU, even if you’re based in California.
Here’s what’s required:
- Technical documentation of the model, including training process and evaluation results
- Information made available to downstream providers who build on top of the model
- A copyright compliance policy
- A public summary of training data using the new template
- For “systemic risk” models above the 10^25 FLOP threshold: model evaluations, adversarial testing, incident reporting, and cybersecurity safeguards
The Code of Practice is voluntary, but signing it gets you a presumption of conformity. Not signing it means you have to prove compliance the hard way, in front of regulators who already think you should have signed it. Most major labs have signed. A few notable holdouts have not.
For a deeper breakdown of how these rules ladder up to the broader compliance regime, my earlier piece on EU AI Act 2026 enforcement updates walks through the penalty structure and conformity assessment process.
Active deadlines: the next 12 months
| Date | What kicks in | Who it affects |
|---|---|---|
| August 2, 2026 | Main provisions become fully applicable | Everyone in scope |
| August 2, 2026 | High-risk AI rules become enforceable | Finance, healthcare, employment, education, critical infrastructure |
| August 2, 2026 | GPAI obligations become enforceable | Foundation model providers |
| August 2, 2026 | National regulatory sandboxes must exist | All EU member states |
| August 2, 2026 | Penalties become collectable | Up to €35M or 7% of global turnover |
| February 2, 2027 | Possible Digital Omnibus delay window for some Article 50 transparency obligations | Pre-August 2026 systems |
| August 2, 2027 | High-risk systems already on the market must reach full compliance | Legacy deployments |
The most underrated date in that table is the legacy deployment one. If you have an AI system already in production that falls under the high-risk categories, you don’t get to grandfather it in. You get a one-year runway, and that’s it.
Recent enforcement signals worth tracking
Three things caught my attention this week beyond the Ireland action.
Spain published its second enforcement priority list. AESIA, Spain’s AI regulator, named recruitment tools, credit scoring, and biometric categorization as the top three areas it will audit in Q3 2026. If you operate in Spain and touch any of those, the audit window opens August 2 and they have already said they will move fast.
The Netherlands flagged emotion recognition. The Dutch Data Protection Authority issued a public notice on April 1 reminding employers that emotion recognition in the workplace is prohibited under Article 5 starting August 2, with no exceptions for “wellness” framings. This was a direct shot at a few HR-tech vendors that had been marketing engagement-detection tools.
Germany’s BSI updated its AI security baseline. The German Federal Office for Information Security published a revised AI security baseline on April 3. It is technically not part of the AI Act, but German regulators have been clear they will use it as the de facto standard for assessing the cybersecurity safeguards required under Article 15. If you sell into Germany, this is now your benchmark.
For broader context on how these national moves fit together with global regulation, Japan’s 2026 AI policy shift is worth reading alongside the EU updates. The two regimes are diverging in ways that will affect any company operating in both markets.
What to do this week
I’m going to skip the 40-step compliance checklist because nobody finishes those. Here’s what I’d actually do in the next seven days if I were running an AI product team in scope.
- Pull your model and system inventory. Every model you train, every model you call via API, every system that wraps either. If you can’t list them, you can’t classify them.
- Tag each one with a risk category. Prohibited, high-risk, limited-risk, or minimal-risk. The Annex III categories are the ones that bite.
- Identify your provider/deployer status for each. This is the question that determines who owes what. If you fine-tune, assume you’re a provider.
- Pick one high-risk system and write the technical documentation for it. Just one. Use the AI Office template. The first one takes three weeks. The second takes three days.
- Start the data summary if you train any GPAI models. The new template is the bare minimum. If you have not started, you are already late.
That’s the week. Don’t try to boil the ocean. Pick the most exposed system and prove to yourself the documentation is achievable.
The thing I keep thinking about
There’s a version of this story where the EU AI Act becomes the GDPR of AI: a regulation that everyone complains about, half-complies with, and that quietly becomes the global default because the alternative is locking yourself out of 450 million consumers.
I think that version is the one we’re getting. Not because the Act is perfect (it isn’t, and the Digital Omnibus debate proves it), but because the enforcement infrastructure is now real, the templates are now public, and the regulators are now talking to each other. Once that flywheel starts, it doesn’t stop.
The companies that will be fine in August 2026 are not the ones with the best lawyers. They’re the ones whose engineers started writing technical documentation in April.
That’s this week. Start there.
Frequently asked questions
Is the EU AI Act in force right now? Parts of it are. Prohibited practices (Article 5) have been enforceable since February 2, 2025. The main body of the Act, including high-risk system rules and GPAI obligations, becomes fully enforceable on August 2, 2026.
What changed in the EU AI Act in April 2026? The European Commission updated guidance on prohibited practices, released version 2.1 of the GPAI Code of Practice with a new training data summary template, and refreshed 14 AI Office FAQs. Ireland also issued the first formal Article 11 documentation request to a SaaS company.
Who has to comply with the GPAI rules? Anyone making a general-purpose AI model available in the EU, regardless of where they’re based. Models above 10^25 FLOPs face additional systemic-risk obligations including evaluations, adversarial testing, and incident reporting.
What is the maximum fine under the EU AI Act? For prohibited practices, €35 million or 7% of global annual turnover, whichever is higher. Other violations carry lower caps but can still reach €15 million or 3% of turnover.
Does the EU AI Act apply to companies outside the EU? Yes, if your AI system is placed on the EU market or its output is used in the EU. This is the same extraterritorial reach pattern the GDPR established.
When will national regulators start issuing fines? Penalties become collectable on August 2, 2026. Based on signals from Spain, Ireland, and Germany this week, expect the first formal enforcement actions within 60 to 90 days of that date.
I update this article every week with the latest EU AI Act news. If you want a deeper dive into the overall AI governance framework for 2026 or the August deadline breakdown, both are worth your time before your next compliance review.