EU AI Act enforcement starts August 2, 2026: what changes, and what doesn't
If you sell software or advice in the EU, you have probably seen the headline: the EU AI Act's enforcement powers switch on August 2, 2026. The date is real. What it means for you depends almost entirely on whether you build AI systems or just use them, and most of the coverage blurs that line.
Quick answer: On August 2, 2026, the European Commission can start fining general-purpose AI providers (OpenAI, Anthropic, Google) up to 3% of worldwide turnover or €15 million, whichever is higher. If you only use these tools, almost nothing changes for you that day. The pressure it puts on your vendors is another matter.
What actually happens on August 2, 2026?
The AI Act entered into force on August 1, 2024 and phases in over three years. The dates that matter:
- February 2, 2025: the bans on prohibited AI practices took effect, and the AI literacy duty (Article 4) began. Anyone deploying AI is expected to make sure the people using it understand it.
- August 2, 2025: obligations for general-purpose AI (GPAI) model providers started. The voluntary GPAI Code of Practice had been finalized on July 10, 2025.
- August 2, 2026: the Commission's enforcement powers activate. Under Article 101, it can fine a GPAI provider up to 3% of annual worldwide turnover or €15 million, whichever is higher. Member States must also have their own penalty regimes running for the rest of the Act by this date.
- August 2, 2027: providers of GPAI models that were already on the market before August 2, 2025 have to be fully compliant.
So August 2, 2026 is the day the Act stops being mostly paperwork and starts being fineable. The fines land on the model makers first.
Does the EU AI Act apply to me if I just use AI tools?
The Act splits the world into providers and deployers, and the difference decides how much of it lands on you. If you are a lawyer, a consultant, a therapist, or an SME running Claude or ChatGPT to draft and summarize, you are a deployer, not a provider. Almost all the heavy machinery (technical documentation, conformity assessment, the fineable GPAI duties) sits with providers.
Deployer duties are lighter. Mainly transparency: tell people when they are interacting with AI or looking at AI-generated content. If your specific use case is high-risk under Annex III (hiring, credit scoring, access to essential services), you also owe human oversight and record-keeping. For the ordinary case of using AI to write faster, August 2, 2026 changes little that you have to do. What changes is the environment around you.
How big are the fines, really?
Article 101 covers the Commission fining GPAI providers: up to 3% of worldwide turnover or €15 million. The broader penalty regime, set by Member States under Article 99, has three tiers:
- Prohibited practices (Article 5): up to €35 million or 7% of worldwide turnover.
- Most other obligations: up to €15 million or 3%.
- Supplying incorrect or misleading information to authorities: up to €7.5 million or 1%.
SMEs and startups pay the lower of the amount or the percentage, not the higher. These are ceilings, not standard fines, and they are aimed squarely at builders of AI systems. As a deployer using off-the-shelf tools, you are far from the €35 million headline. But your vendors are not, and that reshapes the products you depend on.
Isn't GDPR already the rule for AI privacy?
On paper, yes. In practice, GDPR enforcement against generative AI has been close to nonexistent. The one final fine, Italy's Garante hitting OpenAI with €15 million in November 2024, was annulled by the Court of Rome on March 18, 2026. That annulment was procedural: once OpenAI established an Irish presence, the Italian regulator lost jurisdiction under the one-stop-shop rule. It was not a ruling that OpenAI's data handling was fine.
So the current state is a vacuum. The rules exist, enforcement doesn't, and the reason is process rather than approval. Don't read the quiet as a green light. If client data ends up in a US model's training set, "nobody has been fined yet" is not a compliance position you want to defend. It is worth knowing exactly what an AI stores about you and whether you can get it back before that data becomes someone else's problem.
What changes for the AI vendors you rely on?
This is where August 2, 2026 actually reaches you. Anthropic, OpenAI, and Google now face real Commission fines for GPAI non-compliance, so expect more documentation, clearer training data and copyright disclosures, and in some cases more cautious defaults.
The Act also pushes providers to separate consumer data handling from commercial. That split is already visible: under Anthropic's August 2025 consumer terms, Free, Pro, and Max chats can be used to train Claude depending on a data-use setting, while commercial tiers are excluded outright. Which plan you are on decides what happens to your data, and that gap will widen as vendors harden their compliance posture. Which tier you pick is a data governance decision, not just a billing one.
What can you actually do before August 2?
You can't make regulators move faster, and you can't rewrite a vendor's terms. You can control where your data goes.
- Know your role. You are almost certainly a deployer, not a provider. Scope your obligations to that and stop worrying about the parts that don't apply to you.
- Map your data flows. Which AI tools see client or personal data, on which plan, under which terms?
- Prefer setups that keep data out of training. Commercial tiers, bring-your-own-key, or a local model.
- Self-host the sensitive material. If client-matter data can't leave your infrastructure, put it somewhere it doesn't have to.
Calmara covers the last two: self-host your data and run a local LLM with zero cloud egress, keep an auditable memory store your DPO can actually read, and strip personal data before anything reaches a cloud model. It won't make you compliant with the AI Act by itself, since compliance is about your processes rather than any one tool, but it removes the "my client's data is in someone else's training set and I can't prove otherwise" problem.
FAQ
When does the EU AI Act start being enforced?
The Act entered into force on August 1, 2024 and phases in through 2027. The headline enforcement date is August 2, 2026, when the European Commission can begin fining general-purpose AI model providers. Bans on prohibited practices and the AI literacy duty have applied since February 2, 2025.
How big are the EU AI Act fines?
The Commission can fine general-purpose AI providers up to 3% of annual worldwide turnover or €15 million, whichever is higher (Article 101). Under Article 99, Member State penalties reach up to €35 million or 7% for prohibited practices, €15 million or 3% for most other violations, and €7.5 million or 1% for misleading information to authorities. SMEs pay the lower figure.
Does the EU AI Act apply to me if I only use ChatGPT or Claude?
Mostly indirectly. As a deployer you owe transparency (disclose AI use) and, from February 2025, AI literacy for your staff. The fineable obligations fall on the providers who build the models, not on professionals using them to draft and summarize. High-risk uses under Annex III, such as hiring or credit decisions, carry extra deployer duties.
Is GDPR enough to cover AI data privacy?
GDPR applies, but enforcement against generative AI has been minimal. The only final fine, Italy's €15 million against OpenAI, was annulled in March 2026 on procedural grounds, not on the merits. The rules exist; active enforcement so far does not. Treating that gap as permission is a risk, not a strategy.
What's the difference between a provider and a deployer under the AI Act?
A provider develops an AI system or model and puts it on the market, which is where most obligations and the largest fines sit. A deployer uses an AI system in the course of its work. Most professionals and SMEs are deployers, with a lighter set of transparency and oversight duties.
How can I keep client data out of an AI vendor's training pipeline?
Use commercial or enterprise tiers that exclude your data from training, bring your own API key, or run a local model with no cloud egress. For the most sensitive material, self-host your knowledge and AI memory so client data never leaves infrastructure you control.
Do I need to do anything before August 2, 2026?
If you are a deployer, there is no filing deadline for you on that date. It is a good prompt to map which tools touch client or personal data, confirm which plan tiers keep that data out of training, and move anything genuinely sensitive to a self-hosted or local setup.
Written by Daniel Pettersson