EU AI Act 2.0: New Rules for Foundation Models Are Here
On August 1, 2024, the European Union did something no other region had done before. It passed the world's first comprehensive law for artificial intelligence. Now, in 2026, the rules for foundation models — the powerful AI systems that power ChatGPT, Gemini, and Claude — are in full effect. This is what the industry calls the "AI Act 2.0" phase.
If you build, sell, or use AI in Europe, these rules matter. They come with heavy fines, strict deadlines, and new obligations that no company can ignore. Even if your headquarters are in San Francisco or Beijing, the EU AI Act still applies if your AI touches European users.
What the AI Act 2.0 Covers
The EU AI Act sorts AI systems into four risk levels. Each level carries different rules. Think of it like a traffic light system for technology.
Unacceptable risk means a red light. These AI uses are banned entirely. Examples include social scoring systems that rank citizens like credit scores for behavior, and real-time facial recognition in public spaces without a court order. These bans took effect on February 2, 2025.
High risk means a yellow light. These systems need strict checks before they go to market. They include AI used for hiring, credit scoring, student exams, medical diagnosis, and law enforcement. Companies must run conformity assessments, keep technical records, and provide human oversight.
Limited risk and minimal risk mean green lights. Chatbots and spam filters face lighter rules, mainly around transparency. Users must know they are talking to a machine.
But the biggest change in 2026 is the new layer for general-purpose AI models, also called foundation models. These are the large AI systems trained on massive datasets that can perform many tasks. GPT-4, Gemini 1.5, and Llama all fall into this group. The rules for these models became enforceable on August 2, 2025, and the full weight of high-risk obligations arrives on August 2, 2026.
New Requirements for Foundation Models
Under Chapter V of the AI Act, foundation model providers must meet specific duties. These are not suggestions. They are binding legal obligations with real penalties.
First, every provider must create and maintain technical documentation. This includes details about the model's architecture, the number of parameters, training methods, the data used, and the energy consumed during training. Companies must also publish an acceptable use policy that explains what the model should and should not be used for.
Second, providers must give clear information to downstream developers. If another company builds an AI app using your model, you must share enough documentation for them to understand risks and comply with their own obligations.
Third, and most demanding, models with systemic risk face extra duties. A model is labeled "systemic" if it passes certain compute thresholds or shows widespread impact across the EU economy. These models must undergo adversarial testing, also known as red teaming, to find weaknesses before bad actors do. Providers must also assess and reduce systemic risks, report serious incidents to regulators without delay, and maintain strong cybersecurity protections.
The EU AI Office can investigate any general-purpose AI model provider directly. No other regulator in the world has this kind of EU-wide reach over foundation models.
"The EU AI Act shifts the burden of proof to developers. Before your model reaches the market, you must show it is safe. This is a radical change from the old approach of building first and asking questions later."
— Dr. Brando Benifei, European Parliament rapporteur on AI regulation
Transparency and Bias Audit Rules
Transparency is the core theme of the AI Act. The EU believes that if citizens cannot see how AI makes decisions about them, those decisions cannot be fair.
Under Article 50, deployers must tell users when they are interacting with AI. This includes chatbots, deepfakes, and emotion recognition tools. AI-generated content must carry clear labels. Synthetic images and videos need watermarks so people know they are not real.
For foundation models, the transparency rules go deeper. Providers must document how they selected and cleaned their training data. They must describe methods used to detect bias and explain how they filtered unsuitable sources. If a model shows bias against protected groups, the provider must show what steps they took to find and fix it.
Systemic-risk models must also publish evaluation results using standardized tests. They cannot simply claim their model is safe. They must prove it with public benchmarks and internal adversarial testing. The GPAI Code of Practice, finalized under EU AI Office oversight, gives providers a structured way to meet these transparency duties.
"Transparency is not a compliance checkbox. It is a design requirement. Companies that embed transparency into their development pipelines from day one will have a massive advantage."
— Maxime Verstraeten, AI governance consultant, DILAIG
Penalties for Non-Compliance
The EU did not write this law as a gentle suggestion. The fines are among the toughest in the world for technology regulation.
| Violation | Maximum Fine |
|---|---|
| Prohibited AI practices (social scoring, biometric surveillance) | €35 million or 7% of global annual turnover |
| High-risk AI or GPAI model obligation violations | €15 million or 3% of global annual turnover |
| Providing false or misleading information to regulators | €7.5 million or 1% of global annual turnover |
Source: EU AI Act Article 99
For large tech companies, the percentage rule usually applies. A company with €50 billion in global revenue could face a €3.5 billion fine for violating prohibited practices. That is not a typo.
Beyond one-time fines, regulators can impose periodic penalty payments of up to 5% of average daily global turnover. These keep running until the company fixes the problem. For a €100 million revenue firm, that is roughly €13,700 per day until compliance is achieved.
For small and medium enterprises, the fine is the lower of the fixed amount or the percentage. The EU designed the penalty structure to avoid crushing startups while still pressuring large providers.
Impact on AI Companies
The AI Act reshapes how the world's largest AI labs operate in Europe. Here is how the major players are affected.
OpenAI
ChatGPT and GPT-4 are clearly general-purpose AI models. OpenAI must publish technical documentation, submit to EU AI Office oversight, and comply with transparency rules for AI-generated content. Because GPT-4 likely qualifies as a systemic-risk model, OpenAI must also conduct adversarial testing and report serious incidents. The company has already begun adapting its European operations, but full compliance remains a moving target as the Code of Practice evolves.
Google DeepMind
Google's Gemini models, integrated across Search, Workspace, and Cloud, face both GPAI and high-risk obligations. Because Google deploys AI across many high-risk sectors including hiring tools and credit-related services, it must manage compliance on two tracks at once. Google's global reach means the 7% turnover ceiling is a real financial threat.
Meta
Meta's Llama open-weight models create a unique challenge. Because developers can download and modify Llama freely, Meta must provide enough documentation for downstream users to comply, even though Meta does not control every use case. The EU has made clear that open model providers are not exempt from duties.
Smaller AI Startups
Startups using third-party APIs from OpenAI, Anthropic, or Google are classified as "deployers," not providers. Their obligations are lighter but not zero. They must ensure staff have AI literacy, disclose AI use to end users, and conduct basic risk checks. For bootstrapped teams, this still means new compliance costs and legal review.
"The EU AI Act forces every AI company to choose: invest in compliance now, or risk being locked out of the world's second-largest digital market. For many startups, this is a make-or-break moment."
— Adrian Watkins, founder, AI in Europe
Timeline for Implementation
The AI Act does not hit all at once. It rolls out in four phases between 2024 and 2027.
| Date | What Takes Effect |
|---|---|
| August 1, 2024 | AI Act enters into force. EU AI Office established. |
| February 2, 2025 | Prohibited AI practices become enforceable. |
| August 2, 2025 | GPAI model obligations and systemic-risk rules apply. |
| August 2, 2026 | High-risk AI obligations, transparency rules, and AI literacy mandate take full effect. |
| August 2, 2027 | Final deadline for AI embedded in regulated products like medical devices. |
Source: Alice Labs / European Commission
The August 2, 2026 deadline is the most urgent for businesses today. It activates the full enforcement framework, meaning national regulators can start investigations and issue fines. The Digital Omnibus proposal, which would have delayed some Annex III obligations to December 2027, failed in recent negotiations. For now, August 2026 remains the hard deadline.
Comparison to US and China
The EU AI Act is the world's most rigid AI law, but it is not the only game in town. The United States and China have taken very different paths.
United States: Enforcement-Led and Flexible
The US has no single AI law like the EU's. Instead, it relies on executive orders, agency enforcement, and sector-specific rules. The Federal Trade Commission and Department of Justice use existing consumer protection and antitrust laws to punish deceptive AI claims or anticompetitive behavior.
The NIST AI Risk Management Framework sets voluntary standards, but because it is tied to federal procurement, many companies adopt it to stay competitive. The US approach is flexible and innovation-friendly, but it creates legal uncertainty. Companies often do not know if they are breaking the law until an enforcement action tells them.
China: State-Controlled and Strategic
China treats AI as a strategic tool that must serve state goals. Every major AI service must file its algorithm with regulators. Models undergo testing for content moderation and "social mobilization" risks before public release. AI-generated content must carry watermarks. Data must stay within China's borders.
This model is centralized and highly controlled. It prioritizes social stability over commercial freedom. For Western companies, entering the Chinese AI market means accepting algorithmic audits and data localization that would be unthinkable in the US or EU.
| Feature | European Union | United States | China |
|---|---|---|---|
| Legal approach | Comprehensive risk-based law | Enforcement-led, sectoral | State-controlled, strategic |
| Foundation model rules | Mandatory transparency + audits | Voluntary standards via NIST | Mandatory algorithm filing |
| Max fine | 7% global turnover | Case-by-case under existing law | License revocation + penalties |
| Extraterritorial reach | Yes | Limited | Yes |
| Key priority | Fundamental rights + safety | Innovation + national security | Social stability + sovereignty |
Source: Tech Policy Law / Project AI / Cardiff University Law Review
These three systems create what analysts call an "AI iron curtain." A model trained on scraped data might pass US review, face fines in the EU, and be blocked in China. Companies are increasingly forced to build regional versions of their models, raising research and development costs and splitting the global tech market into digital blocs.
What Happens Next
The EU AI Act is no longer a future concern. It is active law with real deadlines and real penalties. For foundation model providers, the compliance clock started ticking in August 2025. For high-risk AI deployers, it ticks louder every day toward August 2026.
Experts agree that early compliance is a competitive advantage. Companies that treat the AI Act seriously gain preferred access to the EU's 450 million consumers. Those that delay risk fines, regulatory orders, and reputational damage that no PR campaign can fix.
The global AI race is no longer just about building the biggest model. It is about building the model that can survive in Brussels, Washington, and Beijing at the same time. In 2026, your compliance strategy is your competitive strategy.
"The era of a single, global internet is fading. It is being replaced by a world of digital borders. The companies that learn to navigate them will define the next decade of AI."
— Global AI Regulation Analysis, Tech Policy Law, 2026