AI Act phase two: what changes on August 2nd?

It’s been nearly a year since the EU Artificial Intelligence Act officially entered into force. While certain milestones, such as the publication of the Code of Practice for General-Purpose AI (GPAI), have experienced some delays, the next major step is now imminent.

On August 2, 2025, several key provisions of the AI Act will become legally binding. These include:

The governance rules, namely the governance at Union Level & the national competent authorities; and
Obligations for general-purpose AI models

Below, we explore what these changes mean in practice and what organizations should be doing to prepare. This includes the recently released AI Office template for the public summary of training content for GPAI models, as explained below.

For more information on the timeline, refer here to the official timeline.

On the GPAI providers' obligations

Providers of GPAI models, whether original developers or those who modify the GPAI model substantially before placing it on the market, have to comply with the Chapter V of the AI Act, starting August 2nd.

Check out in this article whether or not you are a considered to be a provider of a GPAI.

Model category	Scope & definition	Legal basis	Detailed obligations
Provider of a GPAI	Article 3(63) of the AI Act The training compute of the model is greater than 10^23 FLOP. It is capable of performing a wide range of distinct tasks like generate language (text or audio), text-to-image or text-to-video.	Article 53 of the AI Act	Develop and maintain up-to-date technical documentation for the model, covering its training and testing processes, as well as the results of performance evaluations. This documentation must be made available upon request to the AI Office and the competent authorities. Prepare comprehensive documentation and information packages for downstream providers intending to integrate the model into their own AI systems. Implement and maintain a compliance policy aligned with EU copyright law, ensuring lawful use of protected content during model development. Publish a detailed summary of the training data content, following the format provided by the EU AI Office template, to ensure transparency and accountability.
Provider of a GPAI with systemic risk	Article 3(65) of the AI Act has hight-impact capabilities, namely that "*match or exceed those recorded in the most advanced models". This is presumed* when the model’s training compute exceeds 10^25 FLOPs desginated as such ex officio by the Commission or based on alerts of its high-impact capabilities from the scientific panel. A list of models presenting systemic risk will be published and regularly updated, ensuring enhanced oversight of their deployment.	Article 55 of the AI Act	Conduct state-of-the-art model evaluations using standardized protocols and tools, including the implementation and documentation of adversarial testing to identify and mitigate potential systemic risks. Continuously assess and mitigate systemic risks, including identifying their root causes and implementing appropriate risk-reduction strategies. Monitor, document, and report any serious incidents and proposed corrective actions to the AI Office and relevant national authorities without undue delay. Maintain and enforce an appropriate level of cybersecurity to protect the integrity, availability, and confidentiality of the model and its components.

Model category

Scope & definition

Legal basis

Detailed obligations

Provider of a GPAI

Article 3(63) of the AI Act

The training compute of the model is greater than 10^23 FLOP.
It is capable of performing a wide range of distinct tasks like generate language (text or audio), text-to-image or text-to-video.

Article 53 of the AI Act

Develop and maintain up-to-date technical documentation for the model, covering its training and testing processes, as well as the results of performance evaluations. This documentation must be made available upon request to the AI Office and the competent authorities.
Prepare comprehensive documentation and information packages for downstream providers intending to integrate the model into their own AI systems.
Implement and maintain a compliance policy aligned with EU copyright law, ensuring lawful use of protected content during model development.
Publish a detailed summary of the training data content, following the format provided by the EU AI Office template, to ensure transparency and accountability.

Provider of a GPAI with systemic risk

Article 3(65) of the AI Act

has hight-impact capabilities, namely that "match or exceed those recorded in the most advanced models".
This is presumed when the model’s training compute exceeds 10^25 FLOPs
desginated as such ex officio by the Commission or based on alerts of its high-impact capabilities from the scientific panel.

A list of models presenting systemic risk will be published and regularly updated, ensuring enhanced oversight of their deployment.

Article 55 of the AI Act

Conduct state-of-the-art model evaluations using standardized protocols and tools, including the implementation and documentation of adversarial testing to identify and mitigate potential systemic risks.
Continuously assess and mitigate systemic risks, including identifying their root causes and implementing appropriate risk-reduction strategies.
Monitor, document, and report any serious incidents and proposed corrective actions to the AI Office and relevant national authorities without undue delay.
Maintain and enforce an appropriate level of cybersecurity to protect the integrity, availability, and confidentiality of the model and its components.

Outside the EU?

For non-EU providers, it is a requirement to appoint an authorised representative based in the EU (Article 54 of the AI Act).

This representative acts as the main point of contact for European authorities, reviews the technical documentation, and cooperates with the authorities to ensure compliance with regulatory obligations.

The code of practice: a voluntary pathway toward compliance

This should be read in conjunction with the European Commission's GPAI Code of Practice, which provides a key reference framework for stakeholders across the AI value chain, from large-scale model developers to start-ups and SMEs, seeking to align with upcoming obligations related to GPAI under the AI Act.

The Code is a voluntary tool intended to help GPAI model providers operating in or targeting the EU market demonstrate compliance with Articles 53 and 55 of the AI Act.

For a full overview of the Code and its practical implications, see our detailed breakdown here.

However, Code of Practice remains subject to assessment by Member States and the European Commission, which may ultimately approve it through an adequacy decision (by the AI Office and the AI Board).

Certain GPAI model providers take the prudent approach which is to await the outcome of the AI Office and AI Board’s assessment, and preferably the adoption of the Commission’s implementing act, before making a decision to adhere to the Code.

Who's in charge? The race to appoint surveillance authorities

Member States must designate market surveillance authorities. These bodies will be empowered to investigate, prohibit, or sanction use of banned AI practices.

However, in many Member States (e.g., Spain), these authorities have not yet been formally appointed. It is still the case in France.
In the interim, data protection authorities (DPAs) retain the power to act if prohibited AI systems process personal data in breach of GDPR. The AEPD recently confirmed their position.