Pre-Implementation Review of the EU AI Act 2026: A Guide to General-Purpose AI, Labeling of Generated Content, and Cybersecurity Obligations
Ahead of its implementation on August 2, 2026, this article summarizes the EU AI Act’s requirements for general-purpose AI models, the labeling of AI-generated content, and cybersecurity plans for advanced AI in a checklist format. Companies outside the EU must also review documentation, copyright, risk management, and labeling requirements—as well as supervisory risks—if they provide models or services to the EU market.
- August 2, 2026, marks the point at which the transparency and labeling requirements of the EU AI Act, as well as the enforcement of regulations governing general-purpose AI, will become practically significant.
- Providers of general-purpose AI models must verify their compliance with disclosure requirements regarding technical documentation, information on downstream providers, copyright policies, and summaries of training data.
- General-purpose AI models that pose systemic risks are subject to additional requirements regarding model evaluation, risk mitigation, reporting of major incidents, and cybersecurity safeguards.
- Machine-readable labels and user notification requirements may apply to AI-generated or manipulated content.
- Companies outside the EU may also be subject to oversight by the AI Office and EU regulations if they provide general-purpose AI models or services incorporating such models to the EU market.
Overview
The EU AI Act will enter a phase that directly impacts business operations around August 2, 2026. In particular, general-purpose AI models, labeling of generative AI outputs, and cybersecurity risk management for advanced AI are coming to the forefront.
On July 7, 2026, the European Commission announced a new plan addressing the risks and opportunities that advanced AI poses to cybersecurity. This aligns with the AI Act’s provisions on the oversight of general-purpose AI, model evaluation, incident response, and cooperation with EU cybersecurity agencies such as ENISA.
This document is not an interpretation of legal provisions but rather a knowledge resource for practical review based on publicly available materials from the European Commission and the AI Act Service Desk.
1. Why August 2, 2026, Is Important
The EU AI Act is not a law that takes effect all at once; rather, its provisions are implemented sequentially. August 2, 2026, can be understood as the point at which the following obligations begin to have a full impact on business operations.
| Area | 2026 Checkpoints | Questions for Companies to Consider |
|---|---|---|
| General-Purpose AI Models | Supervision and enforcement by the AI Office; documentation, copyright, and risk management systems | Is our model made available on the EU market? Is it a general-purpose AI model? |
| Labeling of Generated Content | Labeling and disclosure of AI-generated or manipulated text, images, audio, and video | Is there a risk that the output could be mistaken by humans for real content? |
| Systemic Risk | Assessment, mitigation, incident reporting, and cybersecurity for high-performance models | Does the model have the potential for large-scale impact or misuse? |
| Cybersecurity | Access to advanced AI, model evaluation, and cooperation with ENISA | Do security testing and vulnerability responses meet regulatory expectations? |
| Non-EU Companies | Applicable to non-EU providers when offering services to the EU market | Are there EU users, customers, or distribution channels? |
It is important to note that the effective date of general-purpose AI obligations and the transition period for existing models may vary depending on the model’s launch date and legal status. Therefore, in 2026, organizations must review not only “new models” but also the documentation, policies, and labeling practices for models already in deployment.
2. Key Terms
| Term | Meaning | Practical Significance |
|---|---|---|
| General-Purpose AI Model | An AI model that can be used for various purposes and tasks and integrated into multiple systems | May include foundation models, large language models, and multimodal models |
| GPAI | Abbreviation for General-Purpose AI; a term frequently used in the EU AI Act’s regulations on general-purpose AI | Starting point for determining model provider obligations |
| Systemic Risk | Risks that could have broad social, economic, or safety implications, such as large-scale impacts, major incidents, or potential for misuse | The basis for additional assessment, mitigation, and reporting obligations |
| AI Office | An agency playing a central role in the enforcement of the EU AI Act and the oversight of general-purpose AI | The point of contact for the oversight of general-purpose AI model providers |
| Generated Content Label | A label that allows humans or machines to recognize that content has been generated or manipulated by AI | Essential when disclosing deepfakes, synthetic images, and AI-generated text |
3. Basic Obligations of General-Purpose AI Model Providers
General-purpose AI model providers are not merely application operators but entities that develop, deploy, and provide the models themselves. If they make their models available on the EU market or integrate them into services within the EU, they must review the following obligations.
| Obligation | Description | Examples of Required Outputs | Remarks |
|---|---|---|---|
| Preparation of Technical Documentation | Documentation regarding model development, training, testing, performance, and limitations | Model card, technical documentation, evaluation report | Basis for responding to requests from supervisory authorities |
| Information for Downstream Providers | Providing necessary information to businesses that integrate the model to create AI systems | Integration guide, usage restrictions, risk information | Must be reflected in B2B contracts and API documentation |
| Copyright Compliance Policy | Establishing policies to comply with EU copyright law | Data collection policy, procedures for handling requests from rights holders | Linked to training data governance |
| Publication of Training Content Summaries | Publication of sufficiently detailed summaries of content used for training | Summaries based on European Commission templates | Need to balance trade secrets with transparency |
| Record Keeping and Response | Maintaining internal records to respond to inquiries and investigations by supervisory authorities | Document management system, designation of responsible persons | The ability to provide ex post evidence is critical |
Open-source models are not entirely exempt
The AI Act may provide some leniency for free and open-source general-purpose AI models that meet certain conditions. However, being open source does not automatically exempt them from all obligations. In particular, additional obligations regarding copyright policies, summaries of training content, and models posing systemic risks must be reviewed separately.
4. Additional Requirements for General-Purpose AI Models Posing Systemic Risks
Highly advanced general-purpose AI models require stricter regulation than standard models. The EU AI Act specifically addresses “general-purpose AI models posing systemic risks.”
Factors for Determining Systemic Risk
According to publicly available EU documents, systemic risk is associated with the following factors:
- Very high performance or widespread impact
- Potential for widespread adoption across numerous users and industries
- Potential for misuse, such as cyberattacks, biological, chemical, or physical risks, manipulation, or misinformation
- Potential for significant societal harm in the event of a major incident
- Criteria established by law, such as large-scale computational capacity or designation by the Commission
Guide to Additional Obligations
| Additional Obligation | Description | Practical Checklist |
|---|---|---|
| Model Assessment | Systematically assess model performance, limitations, and risks | Are both pre-deployment and post-deployment assessments in place? |
| Adversarial Testing | Testing of exploitation scenarios, such as misuse, jailbreaking, and the ability to execute dangerous commands | Are red team tests and security tests documented? |
| Risk Assessment and Mitigation | Technical and operational measures to reduce identified system risks | Are safety filters, access restrictions, monitoring, and user policies in place? |
| Incident Tracking and Reporting | Documenting and reporting serious incidents and corrective actions | Are there incident classification criteria and reporting procedures in place? |
| Cybersecurity Protection | Protecting models, weights, APIs, and training and deployment infrastructure | Are there defenses against model hijacking, prompt attacks, and data breaches? |
5. Obligation to Label AI-Generated Content
Starting August 2, 2026, one area where companies must pay particular attention is the labeling of AI-generated or manipulated content. The transparency obligations under the AI Act focus on reducing misperceptions when users interact with AI or encounter AI-generated content.
| Subject | Required Action | Examples |
|---|---|---|
| AI-generated images, audio, and video | Enable labeling to indicate that the content was artificially generated or manipulated | Synthetic images of people, AI-generated voices, deepfake videos |
| Generative text | Transparency review required when used to provide information on matters of public interest | News summaries, automatically generated text related to elections and public policy |
| Interaction with AI | Users must be able to recognize that they are interacting with an AI system | Chatbots, automated customer service responses, voice agents |
| Disclosure of Deepfakes | Distributors or users may be required to disclose that the content has been manipulated | Synthetic videos of celebrities, fabricated content that appears to be real events |
Key Points for Practical Application
- Labeling methods must consider both human-readable disclosures and machine-readable watermarks and metadata.
- Labels must be clear without undermining the purpose of the content.
- Even in cases where exceptions or exemptions are possible, it is safer to document the basis for internal decisions.
- Content used for marketing, customer support, education, and security training may also be subject to disclosure requirements.
6. Significance of the EU’s Advanced AI Cybersecurity Plan for July 2026
On July 7, 2026, the European Commission announced a new plan addressing the risks and opportunities that advanced AI presents to cybersecurity. This plan takes an approach that goes beyond simply viewing AI as a regulatory target; instead, it aims to leverage AI as a tool to enhance cyber defense capabilities while simultaneously managing the security risks posed by advanced AI itself.
Why It Matters
| Issue | Implications | Impact on Businesses |
|---|---|---|
| Access to Advanced AI | Ensuring that security researchers and defense actors can leverage the latest AI capabilities | Requires access for security testing, research collaboration, and responsible disclosure procedures |
| Model Assessment | Assessing whether advanced AI could enhance cyberattacks | Need to evaluate potential for vulnerability exploitation, phishing automation, and malware support |
| ENISA Collaboration | Strengthening cooperation with the EU’s cybersecurity agency | Higher expectations for security standards, information sharing, and incident response |
| Balancing Risks and Opportunities | Recognizing AI as both an offensive and defensive tool | Both security product companies and AI model providers are affected |
7. Practical Risks for Non-EU Companies
The EU AI Act is not just an issue for companies within the EU. Non-EU companies that provide AI models or services to the EU market may also be subject to its provisions.
Questions Non-EU Companies Should Consider
- Can EU users access your model’s API, app, or platform?
- Do your EU corporate customers integrate your model into their own services?
- Are your model’s outputs used within the EU or do they have an impact there?
- Do you need a representative or contact mechanism within the EU?
- Can training data, copyrights, personal information, and security documentation be explained in accordance with EU standards?
- Has the indication of AI-generated content been incorporated into the product UI and API responses?
- Are there procedures in place to communicate with EU supervisory authorities in the event of a major incident?
Contractual Risks
EU clients are likely to require more information from model providers to ensure compliance with the AI Act. Therefore, the following items must be reflected in API terms of service, enterprise agreements, data processing agreements, and security addenda:
- The model’s intended uses and limitations
- Prohibited or restricted use cases
- Risk disclosures and safety features
- Whether the model supports labeling of generated content
- Security incident notification procedures
- Explanations regarding copyright and training data
- Scope of information required to support regulatory compliance by downstream providers
8. Enterprise Checklist
A. Model Classification
- We have classified our product as an AI system, a general-purpose AI model, or both.
- We have confirmed whether the model is made available on the EU market.
- We have separately reviewed whether the model is open-source and the actual possibility of exemption.
- We have assessed the potential for system risks.
B. Documentation
- We keep technical documentation up to date.
- We document the model evaluation results and limitations.
- We provide the necessary information to downstream providers.
- We prepare a template for publicly disclosing a summary of training content.
- A copyright compliance policy has been established.
C. Labeling and Transparency
- Labeling standards for AI-generated images, audio, video, and text have been established.
- An appropriate labeling method has been designed from among UI, API, metadata, and watermarks.
- Reviewed the need for separate disclosures regarding deepfakes or public interest information.
- Document the basis for any decisions to apply labeling exceptions.
D. Cybersecurity
- Reviewed protective measures for model weights, training data, and deployment infrastructure.
- We have tested for prompt injection, data leaks, model hijacking, and malicious use.
- We operate red teaming and vulnerability reporting procedures.
- We have designated procedures for reporting serious incidents and assigned responsible personnel.
- We have established policies regarding access for security researchers and responsible disclosure.
E. Governance
- We have designated a department responsible for the AI Act.
- We have defined the roles of the legal, security, product, data, and sales teams.
- We have established a resource center to respond to compliance requests from EU clients.
- We monitor updates to the AI Act Service Desk and European Commission guidelines.
9. Brief Conclusion
August 2, 2026, is the date by which the EU AI Act must be specifically reflected in corporate documentation, product user interfaces, model evaluations, security operations, and customer contracts. For providers of general-purpose AI models, simply preparing technical documentation and copyright policies is not sufficient. They must integrate output labeling, system risk assessment, major incident reporting, cybersecurity protection, and responses to EU customers into a single regulatory operations framework.
In particular, because advanced AI simultaneously enhances capabilities on both the offensive and defensive sides of cybersecurity, the EU is setting forth a policy direction that includes model access, evaluation, and cooperation with ENISA. For companies outside the EU that are connected to the EU market, now is the time to transform their internal checklists into actual operational documents.
FAQ
What will change under the EU AI Act on August 2, 2026?
At a time when obligations regarding the labeling and transparency of AI-generated content are beginning to have a significant impact on corporate operations, and the risks associated with EU-wide oversight and enforcement of general-purpose AI models are also increasing, model providers, service providers, and EU clients alike must review their documentation and labeling systems.
What is the difference between a general-purpose AI model and a general AI system?
A general-purpose AI model refers to a foundational model that can be reused for various purposes and tasks. A general AI system is more akin to a product implemented as a specific feature or service. A single company may serve as both a model provider and an AI system provider.
Do companies outside the EU have to comply with the EU AI Act?
This may apply if you provide models, APIs, apps, platforms, or AI features to the EU market, or if your operations affect EU users and customers. Therefore, companies based outside the EU—such as those in the United States, South Korea, and Japan—should also conduct a review if they have EU customers or distribution channels.
What are the basic obligations of general-purpose AI model providers?
The key areas are drafting technical documents, providing necessary information to downstream providers, implementing policies to comply with EU copyright law, and publishing summaries of educational content. Documentation and internal records must also be managed to ensure we can respond to requests from regulatory authorities.
What additional requirements are there for general-purpose AI models that pose systemic risks?
Model evaluation, adversarial testing, system risk assessment and mitigation, and the tracking and reporting of major incidents are required. The higher a model’s performance and the greater its potential impact, the more closely this category must be reviewed.
Does AI-generated content have to be labeled?
Images, audio, video, and certain text generated or manipulated by AI may be subject to disclosure or notification requirements. The specific application of these requirements depends on the type of content, the context of use, whether the information is in the public interest, and the possibility of exceptions.
What is a machine-readable mark?
This refers not only to text visible to humans but also to methods—such as metadata, watermarks, and detectable signals—that enable systems to identify whether content was generated by AI. These technical means of identification are crucial under the transparency obligations of the EU AI Act.
Don't open-source general-purpose AI models come with any obligations?
That is not the case. While certain document disclosure requirements may be relaxed if specific conditions are met, additional obligations related to copyright policy, summaries of learning content, and models posing systemic risks must still be reviewed.
Why is the EU’s Advanced AI Cybersecurity Plan for July 2026 important?
This is because advanced AI can both intensify cyberattacks and enhance defensive capabilities. The EU has outlined a strategy to manage both the risks and opportunities through model evaluation, access to security research, and cooperation with ENISA.
What should companies start preparing for right now?
First, you should clarify the legal classifications of the model and the service, and prepare technical documentation, copyright policies, summaries of training content, guidelines for labeling generated content, cybersecurity testing, and incident reporting procedures. It is also advisable to review the scope of information required for EU customer contracts.
Sources
- European Commission: New EU Plan to Address the Risks and Opportunities of Advanced AI in Cybersecurity
- European Commission Digital Strategy: Guidelines for Providers of General-Purpose AI Models
- AI Act Service Desk: Resources
- European Commission Digital Strategy: General-Purpose AI Models in the AI Act – Questions and Answers
Images

