The delay moved everything except this

On 29 June 2026 the Council of the EU signed off the Digital Omnibus on AI, and the coverage that followed carried one word, relief. The most demanding obligations for high-risk systems, the ones many firms had raced to meet by August, slid to 2 December 2027 and 2 August 2028. What almost no headline said is that a second clock was left running. The rules for general-purpose AI models, the frontier systems from OpenAI, Google, Anthropic, Mistral and their peers, kept their original timetable.

Those model rules took effect on 2 August 2025, and providers have had a year to comply while the AI Office worked with them informally. That grace ends on 2 August 2026. From that date the European Commission can enforce the obligations for general-purpose AI providers, with fines, and the Digital Omnibus confirmed that this threshold proceeds as scheduled. The delay everyone cheered and the enforcement nobody mentioned are two different tracks in the same law.

What the AI Office gains the power to do

From 2 August the AI Office can do more than send letters. It can request the technical documentation a provider is required to keep under Article 53, demand access to a model, order mitigations, require that a model be withdrawn from the market, and impose fines of up to 15 million euros or 3 percent of global annual turnover, whichever is higher. For a provider whose models carry systemic risk, trained above the ten to the twenty-fifth FLOP threshold, the duties are heavier still, incident reporting, adversarial testing and a live channel to the Office.

The point is not that fines will rain down on 2 August. Enforcement of this kind opens with information requests, not penalties, and the Office has signalled it will work through the Code of Practice first. The point is that the relationship shifts from voluntary cooperation to a supervised one with teeth, and a regulator that can compel documentation and order a withdrawal shapes how a lab behaves long before it ever issues a fine.

Why a rule aimed at labs reaches your contracts

You are almost certainly a deployer, not a provider, so no new duty lands on you this month. The mistake is to read that as no change. The models under your products now sit with suppliers who owe the EU documented proof of their training data, their copyright compliance and their systemic-risk mitigations, and that proof is exactly the assurance your own auditors and customers keep asking you for. What a provider must produce for Brussels, you can reasonably require in a contract.

Two practical moves follow. Ask your model vendors, US labs included, whether they will meet the general-purpose AI obligations, since a provider that places a model on the EU market is caught whether it sits in San Francisco or Paris, and a UK firm selling into the Union is caught too. Then treat their documentation as a supplier control, not a legal abstraction, because the leverage the AI Act hands the Commission on 2 August is leverage you can borrow.