The EU AI Act GPAI Deadline Is Three Months Away: What UK Businesses Should Do Now

AI Trust & Governance

17 May 2026 | By Ashley Marshall

August is close enough to be operational, not theoretical. If your business uses GPT, Claude, Gemini, Mistral, Llama or another general-purpose model in a customer, staff or product workflow, the compliance work needs to start now.

Why August 2026 matters even if you are not building frontier models

The easy mistake is to treat the EU AI Act general-purpose AI deadline as a problem only for OpenAI, Google, Anthropic, Meta, Mistral and the other model labs. That is too narrow. The formal obligations in Articles 53 and 55 sit mainly with providers of general-purpose AI models, but the practical impact reaches every business building workflows, products and customer journeys on top of those models.

The European Commission says the GPAI obligations entered into application on 2 August 2025, with the Commission's enforcement powers applying from 2 August 2026 for new models. Its guidance also says providers of older GPAI models placed on the market before 2 August 2025 have until 2 August 2027 to comply. That split matters for procurement. Your supplier may be operating under different timelines depending on the model version, release date and how it is made available.

For a UK business, this means August 2026 is not just a European legal milestone. It is the point at which questions from EU customers, enterprise buyers, insurers, auditors and procurement teams become sharper. If your product uses a general-purpose model to produce advice, draft regulated communications, score prospects, support HR decisions, summarise customer complaints or generate public content, you need a defensible record of what model is being used, what it does, what data it sees and what humans review.

What this means in practice is simple: stop treating AI tools as isolated subscriptions. Treat them as a supply chain. You need a register of AI use cases, owners, model providers, data categories, output types, review controls and customer exposure. Without that inventory, you cannot know whether the EU AI Act is directly relevant, indirectly relevant through customers or commercially relevant through supplier due diligence.

Useful starting points are the European Commission's GPAI provider guidance and its AI Act timeline. They make clear that the clock is already running.

What the GPAI rules actually require

Article 53 of the EU AI Act is the core provision for general-purpose AI model providers. It requires providers to keep technical documentation about the model, including the training and testing process and the results of evaluation. It also requires them to make information available to downstream AI system providers so those providers can understand the model's capabilities and limitations and meet their own obligations.

The article also contains two requirements that will matter in commercial due diligence. Providers must put in place a policy to comply with EU copyright law, including rights reservations under Article 4(3) of the DSM Directive. They must also publish a sufficiently detailed summary of the content used to train the model, using a template provided by the AI Office. This does not mean every user of ChatGPT or Claude must publish training data summaries. It does mean serious buyers will start asking whether the model provider has done so, and whether your own product documentation reflects the provider's limitations.

Article 50 is separate but highly relevant for businesses using GPAI systems in customer-facing settings. It includes transparency duties for AI systems that interact directly with people, for synthetic content marking, for deepfake disclosure and for AI-generated or manipulated text published to inform the public on matters of public interest. The European Commission says the transparency rules come into effect in August 2026. That is the piece many normal businesses will feel first.

What this means in practice is that your AI policy cannot just say employees may use approved tools. It needs operational rules. When must users disclose that a chatbot is AI? When does human review become mandatory before publication? What AI-generated content is marked, logged or labelled? What suppliers are approved for personal data, confidential information or regulated advice? Those decisions need to be designed into workflows, not buried in a policy PDF.

The AI Act Service Desk pages for Article 50 and Article 53 are worth reading with your product, operations and legal teams together.

Systemic risk is about frontier capability, but customers still need to care

The most demanding obligations apply to general-purpose AI models with systemic risk. Article 51 says a GPAI model is presumed to have high impact capabilities when the cumulative amount of computation used for training is greater than 10^25 floating point operations. The Commission can also designate a model as systemic risk based on equivalent capabilities or impact, including following input from the scientific panel.

Article 55 then adds extra duties for those systemic risk models. Providers must perform model evaluation using standardised protocols and tools, including adversarial testing. They must assess and mitigate possible systemic risks at Union level. They must track, document and report serious incidents without undue delay to the AI Office and, where appropriate, national competent authorities. They must also ensure an adequate level of cybersecurity protection for the model and its physical infrastructure.

Most UK businesses will not be training models above the 10^25 FLOPs threshold. But many will use models that are powerful enough to be in or near the systemic risk category. That matters because the risk does not vanish when the model is accessed through an API, a productivity suite, a CRM plug-in or a workflow automation tool. If a frontier model drafts legal correspondence, screens job applications, summarises medical information or generates code that touches production systems, the organisation using it still owns the business process.

What this means in practice is that model selection must become a governance decision. You should know when a workflow uses a high-capability model and why. You should record whether a lower-risk model would be sufficient, what guardrails sit around prompts and outputs, and what incident route exists if the system produces harmful, discriminatory, insecure or misleading results.

There is a useful counterintuitive point here. The systemic risk label does not automatically make a model unsuitable. In many cases, larger providers will have stronger safety, cybersecurity and documentation regimes than small untested tools. The governance question is not whether to avoid frontier models. It is whether you can explain why that model is appropriate for that task, with that data, under those controls.

Brexit does not remove the commercial risk

The obvious pushback is fair: the UK has left the EU, so why should a UK firm spend time on the EU AI Act? The answer is that the AI Act is not a UK statute, but it can still affect UK businesses through market access, product use, customer contracts, EU users and supply chains. If your AI system is placed on the EU market, used in the EU, produces outputs consumed in the EU, or supports an EU customer's regulated process, the Act may become relevant.

Even where the legal question is nuanced, the commercial question is simpler. EU customers will increasingly ask for evidence. Larger UK customers with EU operations will also ask. Procurement teams are likely to request AI use registers, supplier due diligence, data processing evidence, transparency controls, human oversight procedures and confirmation that high-risk or prohibited use cases have been assessed. Waiting for a lawyer to decide whether you are formally in scope is a poor operational strategy.

The UK has chosen a different approach from the EU. The government's pro-innovation framework asks existing regulators to apply cross-sector principles within their remits, rather than introducing one horizontal AI Act. The DSIT response emphasised safety, transparency, fairness, accountability and contestability through regulators such as the ICO, FCA, CMA and Ofcom. The AI Opportunities Action Plan also frames AI adoption as central to productivity and growth, with the UK aiming to be both an AI maker and an AI user.

The ICO adds another layer. Its AI and data protection guidance is suitable for businesses in the public, private and third sectors and focuses on UK GDPR principles, DPIAs, fairness, transparency, lawfulness, accuracy and automated decision-making safeguards. If your AI workflow uses personal data, UK data protection law applies regardless of whether the EU AI Act does.

For UK boards, the practical answer is not to copy the EU regime blindly. It is to build one AI governance file that can satisfy three audiences: UK regulators, EU-facing customers and internal risk owners. That file should include use case classification, supplier evidence, data protection assessment, human review, transparency language and an incident process.

The penalties make this a board-level issue, not a policy tidy-up

The financial penalties are not the only reason to act, but they do help boards pay attention. Article 101 allows the Commission to fine GPAI model providers up to 3 percent of annual worldwide turnover or EUR 15 million, whichever is higher, for certain intentional or negligent failures. These include breaching relevant provisions, failing to comply with document or information requests, failing to comply with Commission measures, or failing to provide model access for evaluation.

For broader AI Act obligations, Article 99 sets a higher ceiling for prohibited practices: up to EUR 35 million or 7 percent of worldwide annual turnover, whichever is higher. Other operator and transparency failures can attract fines up to EUR 15 million or 3 percent of worldwide annual turnover, with separate penalties for incorrect, incomplete or misleading information. SMEs receive a lower-of calculation in specified cases, but that should not be read as a free pass.

Most UK SMEs using a model through Microsoft Copilot, ChatGPT Enterprise, Gemini, Claude or a vertical SaaS product are unlikely to be fined as GPAI model providers. The more immediate exposure is contractual and operational. If your customer asks whether AI generated public content is reviewed, whether a recruitment tool is high-risk, whether staff are using approved models, or whether personal data is sent to a model outside agreed terms, you need a clear answer.

This is where many organisations are weak. Their employees are already using AI. Some use approved enterprise tools. Some paste client information into consumer tools. Some use meeting transcript tools that create summaries, action logs and searchable records. Some use AI inside third-party systems without noticing it. The compliance work is not mainly legal writing. It is discovery, control and evidence.

A sensible board-level response is to set a 90-day sprint before August. Week one: inventory. Week two: risk classification. Week three: supplier evidence. Week four: policy and training. Weeks five to eight: fix high-risk workflows. Weeks nine to twelve: audit, document and prepare customer answers. That is realistic. Waiting until a procurement questionnaire lands is not.

A practical 90-day plan for UK businesses using GPAI tools

Start with a simple AI register. List every AI tool, embedded AI feature and custom workflow in use across the business. Include obvious systems such as ChatGPT Enterprise, Claude, Gemini, Copilot and Perplexity, but also the hidden AI in CRMs, call recording tools, HR platforms, marketing suites, support desk software, document review products and code assistants. For each use case, record the owner, purpose, model or supplier, data inputs, output type, user group, customer exposure and whether personal data is involved.

Next, classify the use cases. Flag customer-facing AI interactions, AI-generated public content, employment or worker management use, credit or eligibility decisions, biometric or emotion recognition, safety-related processes, regulated advice, legal decisions and any workflow where users might reasonably rely on the output without human review. This is not a full legal classification exercise yet. It is a triage pass that shows where attention is needed.

Then gather supplier evidence. Ask vendors whether their model or AI system is in scope of the EU AI Act, whether they rely on the GPAI Code of Practice, whether they publish model documentation or training content summaries, how they handle synthetic content marking, what data is retained, how personal data is processed, what sub-processors are used, and what incident notification commitments they offer. Keep the answers in one place.

After that, fix the workflows. Add disclosure where people interact with AI. Add human review where AI produces public, customer, employment, legal or regulated outputs. Prohibit sensitive data in tools that are not approved for it. Create a route for staff to report harmful or unexpected AI behaviour. Train teams on specific decisions, not abstract ethics. A salesperson needs different guidance from a developer, recruiter, support agent or finance manager.

Finally, prepare the customer-facing evidence pack. This should include your AI policy, use case register summary, supplier assessment process, data protection approach, transparency rules, human oversight controls and incident response route. It does not need to disclose trade secrets. It does need to prove that AI is being managed. By August, the businesses that can answer calmly will look more trustworthy than those still debating whether Brexit means they can ignore the question.

Frequently Asked Questions

Does the EU AI Act apply directly to every UK business using ChatGPT or Claude?

No. The strict GPAI provider duties mainly apply to model providers, not ordinary users. But UK businesses can still be affected through EU customers, EU users, EU market access, contractual due diligence, transparency duties and sector-specific obligations.

What is the key August 2026 date?

The Commission's enforcement powers for GPAI provider obligations apply from 2 August 2026. The broader AI Act also becomes more operational around this period, including transparency requirements for certain AI systems.

What should we do first if we have no AI governance in place?

Build an AI register. List every AI tool and embedded AI feature, the business owner, model or supplier, data inputs, output type, customer exposure and whether personal data is used. You cannot govern what you have not mapped.

Do we need to stop using frontier models with systemic risk?

Not necessarily. Systemic risk status means the model provider faces extra obligations, including evaluation, risk mitigation, incident reporting and cybersecurity. For users, the priority is to make sure the model is appropriate for the task and surrounded by controls.

What evidence should we ask suppliers for?

Ask whether they are in scope of the AI Act, whether they rely on the GPAI Code of Practice, what model documentation exists, whether training content summaries are published, how data is processed and retained, and how incidents are reported.

How does UK GDPR fit with the EU AI Act?

If an AI workflow uses personal data, UK GDPR and ICO guidance still apply. That means you need a lawful basis, fairness, transparency, data minimisation, accuracy controls, security and, for higher-risk processing, a DPIA.

Are AI-generated blog posts or public updates affected?

Potentially. Article 50 includes transparency duties for certain AI-generated or manipulated text published to inform the public on matters of public interest, with an exception where there is human review or editorial control and a person or organisation holds editorial responsibility.

What should a board ask for before August?

Ask for an AI use register, top ten AI risks, supplier evidence status, personal data exposure, transparency controls, human review rules, incident process and a named owner for AI governance.