
AInsight: Into the AI Light – What Changes on 2 August 2025

On 2 August 2025, the second phase of the EU AI Act comes into force, introducing concrete obligations for General-Purpose AI (GPAI) providers and users. In this article, we explain who must comply, what changes, and how to prepare, from AI literacy requirements to transparency rules and enforcement timelines, including practical training to help you meet the standard.

Date: July 28, 2025

Artificial intelligence is advancing at lightning speed, and the regulatory landscape is quickly catching up. In our first AInsight article, we introduced the core principles of the EU AI Act and explained why AI literacy has become a regulatory requirement rather than a nice-to-have.

Since 2 February 2025, Article 4 of the AI Act requires all providers and deployers to ensure that everyone working with AI systems - whether employees or contractors - has a sufficient level of AI literacy. To support this, The Ministry of Compliance has developed a hands-on e-learning that equips professionals with the skills and knowledge they need to use AI safely, effectively and responsibly.

And now, another major milestone is approaching. On 2 August 2025, the second implementation phase of the EU AI Act comes into effect. This marks a turning point: governance structures, transparency requirements for general-purpose AI (GPAI) and enforcement mechanisms will all become fully operational. The regulation is moving from paper to practice. The Act is no longer a future framework; it’s an active obligation.

What Does This Mean For Your Organisation?

Obligations for General-Purpose AI Providers

What is GPAI again?
General-Purpose AI (GPAI) refers to AI systems that can be used for a wide range of purposes - for example, a GPT model applied in customer service, document summarisation, and data analysis. One system, multiple use cases.

Who needs to comply?
Any organisation that develops, fine-tunes, rebrands, distributes - or even simply deploys - such systems within the EU falls under the GPAI requirements. That means both providers and deployers have work to do.

What about smaller financial firms?
Are you an SME or a small investment manager using off-the-shelf tools like commercial chatbots or AI-powered summarisation tools? Then you’ll likely be considered a deployer rather than a provider.
However, the moment you modify a model internally, apply your own branding, or monetise it, you may also become subject to the obligations for providers.
And even if you are only a deployer: once you integrate GPAI tools across multiple business functions, key transparency and oversight requirements apply. Think user notifications, usage logs, and demonstrating that your data practices comply with EU standards.

Why this matters
These rules help ensure that clients can trust AI solutions backed by clear documentation, copyright protections, and transparent data usage. That reduces risk and builds trust.

What do you need to do?
As of 2 August 2025, all GPAI providers must comply with four core obligations to ensure their technology is safe, transparent, and legally sound within the EU. These four obligations include:

On 10 July 2025, the European Commission also published a voluntary Code of Practice for GPAI, offering practical templates and guidance on transparency, copyright, and systemic risk (Articles 53–55 of the AI Act). Formal approval is expected by the end of 2025, but the code already serves as a useful guide to help organisations prepare smoothly.

Penalties: What's At Stake?

Based on Article 99 of the EU AI Act, penalties must be applied in a fair and proportionate way - tailored to each organization’s size, nature, and circumstances. In our view, these fall into three distinct tiers of fines:

Tier 1 - Forbidden AI Practices

Prohibited systems, such as social scoring or invasive biometric surveillance, have been banned under Article 5 since 2 February 2025. Using these systems in the EU is now illegal. Fines of up to €35 million or 7% of global turnover may be imposed. Enforcement begins 2 August 2025.

Tier 2 - Major Compliance Failures

This includes violations such as lack of documentation, failure to meet transparency obligations, or non-compliance with governance rules. Fines can reach €15 million or 3% of global turnover. Enforceable from 2 August 2025.

Tier 3 - Misleading or False Information 

Providing incorrect or incomplete information to authorities (e.g. technical documentation or incident reports) may lead to fines of up to €7.5 million or 1% of global turnover. Also enforceable from 2 August 2025.

GPAI-specific penalties fall under Tier 2. Providers of GPAI models face up to €15 million or 3% of global turnover for failing transparency obligations or for non-cooperation under Article 101.

Member States: Governance & Enforcement Readiness

By 2 August 2025, every EU Member State must demonstrate its ability to enforce the AI Act. This includes:

  1. Appointing national competent authorities
    • At least one notifying authority (for conformity bodies) and one market surveillance authority.
    • These entities must be reported to the Commission and publicly listed.
  2. Establishing penalty frameworks
    • National rules for administrative fines and enforcement aligned with the AI Act's levels can now be implemented and must be communicated to the Commission.
  3. Submitting resource-status reports
    • A mandatory report on financial and human resources dedicated to AI governance authorities must be submitted, demonstrating readiness to enforce the new regime.

Why This Date Matters

2 August 2025 marks more than just a deadline; it represents a fundamental shift in how AI is governed across the EU. From this point on, the entire governance infrastructure becomes operational: national supervisory authorities are in place, the EU AI Office and European AI Board are active, and enforcement mechanisms are ready to be applied.

For GPAI providers, compliance is no longer optional or theoretical. From now on, they must be able to demonstrate how their systems meet transparency and safety requirements and be prepared for regulatory scrutiny if they don’t. Although certain tools will continue to develop, the foundation for a fully functioning AI regulatory ecosystem is now in place.

Looking Ahead

The EU AI Act continues to roll out in phases, each with new obligations for providers and deployers.

On 2 February 2026, the European Commission will publish guidelines on how to apply Article 6 (High-Risk AI classification), including a standard template for post-market monitoring. This will help providers assess whether their system qualifies as high-risk and how to monitor it after deployment.

From 2 August 2026, Annex III high-risk AI systems (such as biometric identification, law enforcement tools, or recruitment algorithms) must meet full compliance. This includes pre-market conformity checks, risk and quality management, and post-market monitoring. Regulatory sandboxes may also apply.

On the same date, penalties for GPAI providers become enforceable, up to €15 million or 3% of global turnover, especially for failing transparency or cooperation duties under Article 101.

Finally, 2 August 2027 marks the full enforcement of the EU AI Act. By then:

  • All pre-August 2025 GPAI models must meet Chapter V transparency rules.
  • All high-risk systems under Annex I (Union Harmonisation Legislation) must complete conformity assessments, obtain CE marking, and begin post-market surveillance.
Note: Annex I and Annex III refer to different categories of high-risk AI systems.

For a full overview, visit the EU AI Act Implementation Timeline.

Bottom Line

2 August 2025 marks a crucial inflection point: the EU AI Act’s governance and GPAI provisions move from planning to practice. Providers must actively comply today, and Member States must maintain enforcement readiness. As a European Commission spokesperson confirmed earlier this month, the AI Act will proceed on schedule, despite industry requests for delay. Now is therefore the time to prepare proactively, not catch up reactively!