Pre-Implementation Review of the EU AI Act 2026: A Guide to General-Purpose AI, Labeling of Generated Content, and Cybersecurity Obligations

Ahead of its implementation on August 2, 2026, this article summarizes the EU AI Act’s requirements for general-purpose AI models, the labeling of AI-generated content, and cybersecurity plans for advanced AI in a checklist format. Companies outside the EU must also review documentation, copyright, risk management, and labeling requirements—as well as supervisory risks—if they provide models or services to the EU market.

Overview

The EU AI Act will enter a phase that directly impacts business operations around August 2, 2026. In particular, general-purpose AI models, labeling of generative AI outputs, and cybersecurity risk management for advanced AI are coming to the forefront.

On July 7, 2026, the European Commission announced a new plan addressing the risks and opportunities that advanced AI poses to cybersecurity. This aligns with the AI Act’s provisions on the oversight of general-purpose AI, model evaluation, incident response, and cooperation with EU cybersecurity agencies such as ENISA.

This document is not an interpretation of legal provisions but rather a knowledge resource for practical review based on publicly available materials from the European Commission and the AI Act Service Desk.

1. Why August 2, 2026, Is Important

The EU AI Act is not a law that takes effect all at once; rather, its provisions are implemented sequentially. August 2, 2026, can be understood as the point at which the following obligations begin to have a full impact on business operations.

Area 2026 Checkpoints Questions for Companies to Consider
General-Purpose AI Models Supervision and enforcement by the AI Office; documentation, copyright, and risk management systems Is our model made available on the EU market? Is it a general-purpose AI model?
Labeling of Generated Content Labeling and disclosure of AI-generated or manipulated text, images, audio, and video Is there a risk that the output could be mistaken by humans for real content?
Systemic Risk Assessment, mitigation, incident reporting, and cybersecurity for high-performance models Does the model have the potential for large-scale impact or misuse?
Cybersecurity Access to advanced AI, model evaluation, and cooperation with ENISA Do security testing and vulnerability responses meet regulatory expectations?
Non-EU Companies Applicable to non-EU providers when offering services to the EU market Are there EU users, customers, or distribution channels?

It is important to note that the effective date of general-purpose AI obligations and the transition period for existing models may vary depending on the model’s launch date and legal status. Therefore, in 2026, organizations must review not only “new models” but also the documentation, policies, and labeling practices for models already in deployment.

2. Key Terms

Term Meaning Practical Significance
General-Purpose AI Model An AI model that can be used for various purposes and tasks and integrated into multiple systems May include foundation models, large language models, and multimodal models
GPAI Abbreviation for General-Purpose AI; a term frequently used in the EU AI Act’s regulations on general-purpose AI Starting point for determining model provider obligations
Systemic Risk Risks that could have broad social, economic, or safety implications, such as large-scale impacts, major incidents, or potential for misuse The basis for additional assessment, mitigation, and reporting obligations
AI Office An agency playing a central role in the enforcement of the EU AI Act and the oversight of general-purpose AI The point of contact for the oversight of general-purpose AI model providers
Generated Content Label A label that allows humans or machines to recognize that content has been generated or manipulated by AI Essential when disclosing deepfakes, synthetic images, and AI-generated text

3. Basic Obligations of General-Purpose AI Model Providers

General-purpose AI model providers are not merely application operators but entities that develop, deploy, and provide the models themselves. If they make their models available on the EU market or integrate them into services within the EU, they must review the following obligations.

Obligation Description Examples of Required Outputs Remarks
Preparation of Technical Documentation Documentation regarding model development, training, testing, performance, and limitations Model card, technical documentation, evaluation report Basis for responding to requests from supervisory authorities
Information for Downstream Providers Providing necessary information to businesses that integrate the model to create AI systems Integration guide, usage restrictions, risk information Must be reflected in B2B contracts and API documentation
Copyright Compliance Policy Establishing policies to comply with EU copyright law Data collection policy, procedures for handling requests from rights holders Linked to training data governance
Publication of Training Content Summaries Publication of sufficiently detailed summaries of content used for training Summaries based on European Commission templates Need to balance trade secrets with transparency
Record Keeping and Response Maintaining internal records to respond to inquiries and investigations by supervisory authorities Document management system, designation of responsible persons The ability to provide ex post evidence is critical

Open-source models are not entirely exempt

The AI Act may provide some leniency for free and open-source general-purpose AI models that meet certain conditions. However, being open source does not automatically exempt them from all obligations. In particular, additional obligations regarding copyright policies, summaries of training content, and models posing systemic risks must be reviewed separately.

4. Additional Requirements for General-Purpose AI Models Posing Systemic Risks

Highly advanced general-purpose AI models require stricter regulation than standard models. The EU AI Act specifically addresses “general-purpose AI models posing systemic risks.”

Factors for Determining Systemic Risk

According to publicly available EU documents, systemic risk is associated with the following factors:

Guide to Additional Obligations

Additional Obligation Description Practical Checklist
Model Assessment Systematically assess model performance, limitations, and risks Are both pre-deployment and post-deployment assessments in place?
Adversarial Testing Testing of exploitation scenarios, such as misuse, jailbreaking, and the ability to execute dangerous commands Are red team tests and security tests documented?
Risk Assessment and Mitigation Technical and operational measures to reduce identified system risks Are safety filters, access restrictions, monitoring, and user policies in place?
Incident Tracking and Reporting Documenting and reporting serious incidents and corrective actions Are there incident classification criteria and reporting procedures in place?
Cybersecurity Protection Protecting models, weights, APIs, and training and deployment infrastructure Are there defenses against model hijacking, prompt attacks, and data breaches?

5. Obligation to Label AI-Generated Content

Starting August 2, 2026, one area where companies must pay particular attention is the labeling of AI-generated or manipulated content. The transparency obligations under the AI Act focus on reducing misperceptions when users interact with AI or encounter AI-generated content.

Subject Required Action Examples
AI-generated images, audio, and video Enable labeling to indicate that the content was artificially generated or manipulated Synthetic images of people, AI-generated voices, deepfake videos
Generative text Transparency review required when used to provide information on matters of public interest News summaries, automatically generated text related to elections and public policy
Interaction with AI Users must be able to recognize that they are interacting with an AI system Chatbots, automated customer service responses, voice agents
Disclosure of Deepfakes Distributors or users may be required to disclose that the content has been manipulated Synthetic videos of celebrities, fabricated content that appears to be real events

Key Points for Practical Application

6. Significance of the EU’s Advanced AI Cybersecurity Plan for July 2026

On July 7, 2026, the European Commission announced a new plan addressing the risks and opportunities that advanced AI presents to cybersecurity. This plan takes an approach that goes beyond simply viewing AI as a regulatory target; instead, it aims to leverage AI as a tool to enhance cyber defense capabilities while simultaneously managing the security risks posed by advanced AI itself.

Why It Matters

Issue Implications Impact on Businesses
Access to Advanced AI Ensuring that security researchers and defense actors can leverage the latest AI capabilities Requires access for security testing, research collaboration, and responsible disclosure procedures
Model Assessment Assessing whether advanced AI could enhance cyberattacks Need to evaluate potential for vulnerability exploitation, phishing automation, and malware support
ENISA Collaboration Strengthening cooperation with the EU’s cybersecurity agency Higher expectations for security standards, information sharing, and incident response
Balancing Risks and Opportunities Recognizing AI as both an offensive and defensive tool Both security product companies and AI model providers are affected

7. Practical Risks for Non-EU Companies

The EU AI Act is not just an issue for companies within the EU. Non-EU companies that provide AI models or services to the EU market may also be subject to its provisions.

Questions Non-EU Companies Should Consider

  1. Can EU users access your model’s API, app, or platform?
  2. Do your EU corporate customers integrate your model into their own services?
  3. Are your model’s outputs used within the EU or do they have an impact there?
  4. Do you need a representative or contact mechanism within the EU?
  5. Can training data, copyrights, personal information, and security documentation be explained in accordance with EU standards?
  6. Has the indication of AI-generated content been incorporated into the product UI and API responses?
  7. Are there procedures in place to communicate with EU supervisory authorities in the event of a major incident?

Contractual Risks

EU clients are likely to require more information from model providers to ensure compliance with the AI Act. Therefore, the following items must be reflected in API terms of service, enterprise agreements, data processing agreements, and security addenda:

8. Enterprise Checklist

A. Model Classification

B. Documentation

C. Labeling and Transparency

D. Cybersecurity

E. Governance

9. Brief Conclusion

August 2, 2026, is the date by which the EU AI Act must be specifically reflected in corporate documentation, product user interfaces, model evaluations, security operations, and customer contracts. For providers of general-purpose AI models, simply preparing technical documentation and copyright policies is not sufficient. They must integrate output labeling, system risk assessment, major incident reporting, cybersecurity protection, and responses to EU customers into a single regulatory operations framework.

In particular, because advanced AI simultaneously enhances capabilities on both the offensive and defensive sides of cybersecurity, the EU is setting forth a policy direction that includes model access, evaluation, and cooperation with ENISA. For companies outside the EU that are connected to the EU market, now is the time to transform their internal checklists into actual operational documents.

FAQ

What will change under the EU AI Act on August 2, 2026?

At a time when obligations regarding the labeling and transparency of AI-generated content are beginning to have a significant impact on corporate operations, and the risks associated with EU-wide oversight and enforcement of general-purpose AI models are also increasing, model providers, service providers, and EU clients alike must review their documentation and labeling systems.

What is the difference between a general-purpose AI model and a general AI system?

A general-purpose AI model refers to a foundational model that can be reused for various purposes and tasks. A general AI system is more akin to a product implemented as a specific feature or service. A single company may serve as both a model provider and an AI system provider.

Do companies outside the EU have to comply with the EU AI Act?

This may apply if you provide models, APIs, apps, platforms, or AI features to the EU market, or if your operations affect EU users and customers. Therefore, companies based outside the EU—such as those in the United States, South Korea, and Japan—should also conduct a review if they have EU customers or distribution channels.

What are the basic obligations of general-purpose AI model providers?

The key areas are drafting technical documents, providing necessary information to downstream providers, implementing policies to comply with EU copyright law, and publishing summaries of educational content. Documentation and internal records must also be managed to ensure we can respond to requests from regulatory authorities.

What additional requirements are there for general-purpose AI models that pose systemic risks?

Model evaluation, adversarial testing, system risk assessment and mitigation, and the tracking and reporting of major incidents are required. The higher a model’s performance and the greater its potential impact, the more closely this category must be reviewed.

Does AI-generated content have to be labeled?

Images, audio, video, and certain text generated or manipulated by AI may be subject to disclosure or notification requirements. The specific application of these requirements depends on the type of content, the context of use, whether the information is in the public interest, and the possibility of exceptions.

What is a machine-readable mark?

This refers not only to text visible to humans but also to methods—such as metadata, watermarks, and detectable signals—that enable systems to identify whether content was generated by AI. These technical means of identification are crucial under the transparency obligations of the EU AI Act.

Don't open-source general-purpose AI models come with any obligations?

That is not the case. While certain document disclosure requirements may be relaxed if specific conditions are met, additional obligations related to copyright policy, summaries of learning content, and models posing systemic risks must still be reviewed.

Why is the EU’s Advanced AI Cybersecurity Plan for July 2026 important?

This is because advanced AI can both intensify cyberattacks and enhance defensive capabilities. The EU has outlined a strategy to manage both the risks and opportunities through model evaluation, access to security research, and cooperation with ENISA.

What should companies start preparing for right now?

First, you should clarify the legal classifications of the model and the service, and prepare technical documentation, copyright policies, summaries of training content, guidelines for labeling generated content, cybersecurity testing, and incident reporting procedures. It is also advisable to review the scope of information required for EU customer contracts.

Sources

Images

AI network sphere over a map of Europe with checklists, security shield, folder, and media icons
AI network sphere over a map of Europe with checklists, security shield, folder, and media icons
AI cube passing through a secure gate toward an EU map with content labels and compliance icons
AI cube passing through a secure gate toward an EU map with content labels and compliance icons