Overview
The EU AI Act will enter a phase that directly impacts business operations around August 2, 2026. In particular, general-purpose AI models, labeling of generative AI outputs, and cybersecurity risk management for advanced AI are coming to the forefront.
On July 7, 2026, the European Commission announced a new plan addressing the risks and opportunities that advanced AI poses to cybersecurity. This aligns with the AI Act’s provisions on the oversight of general-purpose AI, model evaluation, incident response, and cooperation with EU cybersecurity agencies such as ENISA.
This document is not an interpretation of legal provisions but rather a knowledge resource for practical review based on publicly available materials from the European Commission and the AI Act Service Desk.
1. Why August 2, 2026, Is Important
The EU AI Act is not a law that takes effect all at once; rather, its provisions are implemented sequentially. August 2, 2026, can be understood as the point at which the following obligations begin to have a full impact on business operations.
| Area | 2026 Checkpoints | Questions for Companies to Consider |
|---|---|---|
| General-Purpose AI Models | Supervision and enforcement by the AI Office; documentation, copyright, and risk management systems | Is our model made available on the EU market? Is it a general-purpose AI model? |
| Labeling of Generated Content | Labeling and disclosure of AI-generated or manipulated text, images, audio, and video | Is there a risk that the output could be mistaken by humans for real content? |
| Systemic Risk | Assessment, mitigation, incident reporting, and cybersecurity for high-performance models | Does the model have the potential for large-scale impact or misuse? |
| Cybersecurity | Access to advanced AI, model evaluation, and cooperation with ENISA | Do security testing and vulnerability responses meet regulatory expectations? |
| Non-EU Companies | Applicable to non-EU providers when offering services to the EU market | Are there EU users, customers, or distribution channels? |
It is important to note that the effective date of general-purpose AI obligations and the transition period for existing models may vary depending on the model’s launch date and legal status. Therefore, in 2026, organizations must review not only “new models” but also the documentation, policies, and labeling practices for models already in deployment.
2. Key Terms
| Term | Meaning | Practical Significance |
|---|---|---|
| General-Purpose AI Model | An AI model that can be used for various purposes and tasks and integrated into multiple systems | May include foundation models, large language models, and multimodal models |
| GPAI | Abbreviation for General-Purpose AI; a term frequently used in the EU AI Act’s regulations on general-purpose AI | Starting point for determining model provider obligations |
| Systemic Risk | Risks that could have broad social, economic, or safety implications, such as large-scale impacts, major incidents, or potential for misuse | The basis for additional assessment, mitigation, and reporting obligations |
| AI Office | An agency playing a central role in the enforcement of the EU AI Act and the oversight of general-purpose AI | The point of contact for the oversight of general-purpose AI model providers |
| Generated Content Label | A label that allows humans or machines to recognize that content has been generated or manipulated by AI | Essential when disclosing deepfakes, synthetic images, and AI-generated text |
3. Basic Obligations of General-Purpose AI Model Providers
General-purpose AI model providers are not merely application operators but entities that develop, deploy, and provide the models themselves. If they make their models available on the EU market or integrate them into services within the EU, they must review the following obligations.
| Obligation | Description | Examples of Required Outputs | Remarks |
|---|---|---|---|
| Preparation of Technical Documentation | Documentation regarding model development, training, testing, performance, and limitations | Model card, technical documentation, evaluation report | Basis for responding to requests from supervisory authorities |
| Information for Downstream Providers | Providing necessary information to businesses that integrate the model to create AI systems | Integration guide, usage restrictions, risk information | Must be reflected in B2B contracts and API documentation |
| Copyright Compliance Policy | Establishing policies to comply with EU copyright law | Data collection policy, procedures for handling requests from rights holders | Linked to training data governance |
| Publication of Training Content Summaries | Publication of sufficiently detailed summaries of content used for training | Summaries based on European Commission templates | Need to balance trade secrets with transparency |
| Record Keeping and Response | Maintaining internal records to respond to inquiries and investigations by supervisory authorities | Document management system, designation of responsible persons | The ability to provide ex post evidence is critical |
Open-source models are not entirely exempt
The AI Act may provide some leniency for free and open-source general-purpose AI models that meet certain conditions. However, being open source does not automatically exempt them from all obligations. In particular, additional obligations regarding copyright policies, summaries of training content, and models posing systemic risks must be reviewed separately.
4. Additional Requirements for General-Purpose AI Models Posing Systemic Risks
Highly advanced general-purpose AI models require stricter regulation than standard models. The EU AI Act specifically addresses “general-purpose AI models posing systemic risks.”
Factors for Determining Systemic Risk
According to publicly available EU documents, systemic risk is associated with the following factors:
- Very high performance or widespread impact
- Potential for widespread adoption across numerous users and industries
- Potential for misuse, such as cyberattacks, biological, chemical, or physical risks, manipulation, or misinformation
- Potential for significant societal harm in the event of a major incident
- Criteria established by law, such as large-scale computational capacity or designation by the Commission
Guide to Additional Obligations
| Additional Obligation | Description | Practical Checklist |
|---|---|---|
| Model Assessment | Systematically assess model performance, limitations, and risks | Are both pre-deployment and post-deployment assessments in place? |
| Adversarial Testing | Testing of exploitation scenarios, such as misuse, jailbreaking, and the ability to execute dangerous commands | Are red team tests and security tests documented? |
| Risk Assessment and Mitigation | Technical and operational measures to reduce identified system risks | Are safety filters, access restrictions, monitoring, and user policies in place? |
| Incident Tracking and Reporting | Documenting and reporting serious incidents and corrective actions | Are there incident classification criteria and reporting procedures in place? |
| Cybersecurity Protection | Protecting models, weights, APIs, and training and deployment infrastructure | Are there defenses against model hijacking, prompt attacks, and data breaches? |
5. Obligation to Label AI-Generated Content
Starting August 2, 2026, one area where companies must pay particular attention is the labeling of AI-generated or manipulated content. The transparency obligations under the AI Act focus on reducing misperceptions when users interact with AI or encounter AI-generated content.
| Subject | Required Action | Examples |
|---|---|---|
| AI-generated images, audio, and video | Enable labeling to indicate that the content was artificially generated or manipulated | Synthetic images of people, AI-generated voices, deepfake videos |
| Generative text | Transparency review required when used to provide information on matters of public interest | News summaries, automatically generated text related to elections and public policy |
| Interaction with AI | Users must be able to recognize that they are interacting with an AI system | Chatbots, automated customer service responses, voice agents |
| Disclosure of Deepfakes | Distributors or users may be required to disclose that the content has been manipulated | Synthetic videos of celebrities, fabricated content that appears to be real events |
Key Points for Practical Application
- Labeling methods must consider both human-readable disclosures and machine-readable watermarks and metadata.
- Labels must be clear without undermining the purpose of the content.
- Even in cases where exceptions or exemptions are possible, it is safer to document the basis for internal decisions.
- Content used for marketing, customer support, education, and security training may also be subject to disclosure requirements.
6. Significance of the EU’s Advanced AI Cybersecurity Plan for July 2026
On July 7, 2026, the European Commission announced a new plan addressing the risks and opportunities that advanced AI presents to cybersecurity. This plan takes an approach that goes beyond simply viewing AI as a regulatory target; instead, it aims to leverage AI as a tool to enhance cyber defense capabilities while simultaneously managing the security risks posed by advanced AI itself.
Why It Matters
| Issue | Implications | Impact on Businesses |
|---|---|---|
| Access to Advanced AI | Ensuring that security researchers and defense actors can leverage the latest AI capabilities | Requires access for security testing, research collaboration, and responsible disclosure procedures |
| Model Assessment | Assessing whether advanced AI could enhance cyberattacks | Need to evaluate potential for vulnerability exploitation, phishing automation, and malware support |
| ENISA Collaboration | Strengthening cooperation with the EU’s cybersecurity agency | Higher expectations for security standards, information sharing, and incident response |
| Balancing Risks and Opportunities | Recognizing AI as both an offensive and defensive tool | Both security product companies and AI model providers are affected |
7. Practical Risks for Non-EU Companies
The EU AI Act is not just an issue for companies within the EU. Non-EU companies that provide AI models or services to the EU market may also be subject to its provisions.
Questions Non-EU Companies Should Consider
- Can EU users access your model’s API, app, or platform?
- Do your EU corporate customers integrate your model into their own services?
- Are your model’s outputs used within the EU or do they have an impact there?
- Do you need a representative or contact mechanism within the EU?
- Can training data, copyrights, personal information, and security documentation be explained in accordance with EU standards?
- Has the indication of AI-generated content been incorporated into the product UI and API responses?
- Are there procedures in place to communicate with EU supervisory authorities in the event of a major incident?
Contractual Risks
EU clients are likely to require more information from model providers to ensure compliance with the AI Act. Therefore, the following items must be reflected in API terms of service, enterprise agreements, data processing agreements, and security addenda:
- The model’s intended uses and limitations
- Prohibited or restricted use cases
- Risk disclosures and safety features
- Whether the model supports labeling of generated content
- Security incident notification procedures
- Explanations regarding copyright and training data
- Scope of information required to support regulatory compliance by downstream providers
8. Enterprise Checklist
A. Model Classification
- We have classified our product as an AI system, a general-purpose AI model, or both.
- We have confirmed whether the model is made available on the EU market.
- We have separately reviewed whether the model is open-source and the actual possibility of exemption.
- We have assessed the potential for system risks.
B. Documentation
- We keep technical documentation up to date.
- We document the model evaluation results and limitations.
- We provide the necessary information to downstream providers.
- We prepare a template for publicly disclosing a summary of training content.
- A copyright compliance policy has been established.
C. Labeling and Transparency
- Labeling standards for AI-generated images, audio, video, and text have been established.
- An appropriate labeling method has been designed from among UI, API, metadata, and watermarks.
- Reviewed the need for separate disclosures regarding deepfakes or public interest information.
- Document the basis for any decisions to apply labeling exceptions.
D. Cybersecurity
- Reviewed protective measures for model weights, training data, and deployment infrastructure.
- We have tested for prompt injection, data leaks, model hijacking, and malicious use.
- We operate red teaming and vulnerability reporting procedures.
- We have designated procedures for reporting serious incidents and assigned responsible personnel.
- We have established policies regarding access for security researchers and responsible disclosure.
E. Governance
- We have designated a department responsible for the AI Act.
- We have defined the roles of the legal, security, product, data, and sales teams.
- We have established a resource center to respond to compliance requests from EU clients.
- We monitor updates to the AI Act Service Desk and European Commission guidelines.
9. Brief Conclusion
August 2, 2026, is the date by which the EU AI Act must be specifically reflected in corporate documentation, product user interfaces, model evaluations, security operations, and customer contracts. For providers of general-purpose AI models, simply preparing technical documentation and copyright policies is not sufficient. They must integrate output labeling, system risk assessment, major incident reporting, cybersecurity protection, and responses to EU customers into a single regulatory operations framework.
In particular, because advanced AI simultaneously enhances capabilities on both the offensive and defensive sides of cybersecurity, the EU is setting forth a policy direction that includes model access, evaluation, and cooperation with ENISA. For companies outside the EU that are connected to the EU market, now is the time to transform their internal checklists into actual operational documents.