Audit our EU AI Act deployer obligations before Aug 2?
On August 2, 2026 the EU AI Office's enforcement powers against GPAI providers activate. Article 50 transparency rules and high-risk-system obligations also apply. ~70 days out.
The question
If we deploy any general-purpose AI model in the EU, what specifically do we owe by August 2, 2026 — inventory, documentation, contact path to provider, conformity assessment? Start the audit now, or wait for enforcement signals?
The premise
- Team: ~50 engineers, ~10 actively building AI features, single MLOps engineer. AI work pulls from feature-shipping capacity — any new commitment has to trade against the roadmap. No dedicated compliance engineer; Legal counsel is fractional.
- Compliance: SOC2 Type II achieved last year. Now in scope: EU AI Act enforcement begins August 2, 2026 — Article 50 transparency + GPAI-deployer obligations apply if we ship any AI feature to EU users. GDPR already in production. France-resident DPO. CNIL is the proximate regulator.
- Stack: We deploy GPT-5.4, GPT-4o-mini, Claude 3.5 Sonnet (for one feature), and OpenAI Embeddings in production. ~6 user-facing AI features, all of which appear to qualify as GPAI deployment. No model cards documented today.
- Budget: Monthly AI spend ~$30K with quarterly board visibility. Approvals required for sustained jumps >20%. Cost-per-outcome metrics in place; finance asks for unit economics by use case. No dedicated compliance line item — has to come from existing engineering capacity.
What's the minimum we owe before Aug 2 if we do nothing else?
An AI inventory (which models we deploy, in which features, for which user segments), a contact path to each model provider, basic transparency notices for end-users where AI is in the loop, and a documented risk-tier assessment. High-risk classification triggers a much heavier conformity load — most of our use cases are not high-risk, but we need the assessment on record to defend that.
How real is the August 2 deadline — is enforcement actually going to start?
Enforcement powers activate Aug 2, but realistic regulator action timelines are quarters, not days. The risk isn't an Aug 3 fine; it's discovery during a future incident (data breach, AI hallucination harm, contract audit) showing we had nothing documented. The cost of preparing is small; the cost of being caught without documentation is reputational and contractual.
What concretely happens if we wait for enforcement signals before acting?
Enterprise EU prospects start sending AI Act questionnaires in RFPs (already happening at our peers). Without a documented inventory and risk-tier assessment we either lie, stall, or lose the deal. Our €500K+ EU pipeline is the binding downside, not the regulator.
Counsel's position
Start your EU AI Act audit this quarter by categorizing your six production features by risk level; do not wait for enforcement signals, as building the required documentation and incident-reporting pipelines will directly tax your feature-shipping capacity.
Verdict
The verdict: Build a standardized GPAI documentation pipeline ahead of EU enforcement.
Given your lack of a dedicated compliance engineer, build a reusable documentation pipeline now that satisfies the EU AI Act's interlocking obligations without requiring bespoke reports later.