On what GPAI Articles 51–53 require from the labs, what Article 26 deployer obligations cascade to you, and which Annex III application categories create the real exposure.
EU AI Act compliance has been 'someone else's problem.' August 2nd ends that framing.
A builder I know got a question from their legal team last month. The question was: does your product use "general-purpose AI models with systemic risk" as defined under EU AI Act Article 51? They didn't know. Their product embeds Claude in a hiring workflow — screening cover letters, ranking candidates. About 200 users are in the EU. Per the EU AI Office's current interpretation, that is a regulated activity under Annex III. The correct answer to the legal team's question was "yes, and here is what we need to do about it."
They are not unusual. The EU AI Act's general-purpose AI provisions came into force February 2, 2025. Fifteen months in, the number of builders who can accurately answer "do my frontier API integrations create EU AI Act compliance obligations" remains low.
And they have 63 days until the high-risk AI system rules take full effect.
What the GPAI framework does — and what it doesn't cover for you
The GPAI chapter (Articles 51–53) creates two tiers: GPAI models generally, and GPAI models with systemic risk. The systemic risk designation applies above 10^25 FLOPs of training compute. Claude, GPT-5, and Gemini 3.5 are all in this tier.
The systemic-risk provider obligations — capability evaluations, adversarial testing, incident reporting, cybersecurity requirements — fall on the model providers. Anthropic, OpenAI, and Google have published required technical documentation and registered with the EU AI Office. That part of the framework is largely working.
What the providers' compliance does not cover: you. Article 26 imposes separate obligations on "deployers of high-risk AI systems." If you're building a hiring tool, a credit-scoring aid, or a medical information product that uses a covered GPAI model and serves EU users, you are a deployer. The API provider's compliance with the GPAI chapter does not discharge your Article 26 obligations.
The Annex III question
Annex III lists the high-risk application categories. The relevant ones for most AI builders:
- Employment and worker management: CV screening, candidate ranking, interview analysis
- Access to education or vocational training: automated admissions or assessment tools
- Access to essential private services: credit scoring, insurance risk assessment
- Critical infrastructure components that embed AI decision-making
- Administration of justice and democratic processes
"High-risk" is a designation, not a judgment. Your app doesn't have to be malicious to fall under Annex III. It has to be in those categories and serve EU users. That's it.
Source spread
- EU AI Act — Official consolidated text [builder] — Articles 51–53 for GPAI tiers, Annex III for high-risk categories, Article 26 for deployer obligations
- EU AI Office — GPAI Code of Practice documentation [builder] — Code of Practice v3 finalized May 2026; clarifies systemic testing requirements and what incident reporting thresholds look like in practice
- Future of Life Institute — EU AI Act high-level summary [hype] — useful structural overview; framing is generally positive on compliance maturity
- Center for AI Safety — GPAI enforcement analysis [skeptic] — more cautious read on whether Code of Practice commitments translate to behavioral change at frontier labs
Pros & cons
What's real:
- The GPAI provider compliance infrastructure exists. Required documentation is published. The EU AI Office has received capability evaluations and established incident reporting channels. Builders relying on frontier APIs can check their provider's published model card and understand what they've committed to.
- The Code of Practice v3 clarified the incident reporting threshold — "serious incident" now has an operational definition that providers have committed to. This matters for your risk assessment: you can actually read what Anthropic or OpenAI is obligated to tell you and when.
- The enforcement environment for downstream builders has been measured so far. First-year EU AI Office actions focused on provider non-disclosure, not deployer failures. You're not the immediate enforcement target.
What deserves a side-eye:
- "The labs are compliant, therefore I'm compliant" is wrong. GPAI provider compliance and deployer compliance are parallel tracks. They share no obligations.
- Annex III covers a wide range of products that don't intuitively feel "regulated." If your app touches hiring, credit, or educational assessment for EU users, the designation applies regardless of how carefully you built it.
- Extraterritorial scope is settled policy, not legal theory. US-incorporated builders who serve EU users are in scope. The enforcement mechanism for non-EU entities is still maturing — but "enforcement is immature" is not the same as "obligation does not exist."
"Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems." (EU AI Act, Article 26)
- First step: check Annex III against what your product actually does. If you're in hiring, credit, education, or healthcare AI and have EU users, you are likely a deployer of a high-risk AI system.
- Article 26 obligations for deployers: risk management documentation, technical logging, human oversight for high-stakes decisions, transparency toward users about AI involvement. These are distinct from what the API provider owes the regulator.
- Download the EU AI Office's GPAI Code of Practice v3. The section on "instructions for use" clarifies what your provider has committed to tell you — that's the baseline for your own compliance posture.
- August 2, 2026 is the effective date for high-risk AI system rules. Three months is not early — it's on time. If you haven't started a compliance review, start this week.
- Non-EU incorporation does not exempt you if your service is available to EU residents. The Act's extraterritorial scope is settled policy.