The EU AI Act Newsletter #103: The August Countdown
Enforcement powers, transparency rules, and national implementation as the 2 August deadline approaches.
Welcome to the EU AI Act Newsletter, a brief biweekly newsletter by the Future of Life Institute providing you with up-to-date developments and analyses of the EU artificial intelligence law.
Legislative Process
Targeted consultation on the draft guidelines for the classification of high-risk artificial intelligence systems: The European Commission has opened a targeted consultation, running until 23 June 2026, to gather feedback on the clarity of its draft guidelines and the usefulness of the accompanying examples for classifying high-risk AI systems under the AI Act. The guidelines are designed to assist providers, deployers and other relevant actors in determining whether a given AI system falls within the high-risk category, offering clarifications on the relevant provisions of the AI Act alongside practical examples that illustrate how classification should be approached across different areas and use cases. The Commission is welcoming input from AI providers and developers, organisations using AI systems, public authorities, researchers, civil society organisations, supervisory bodies and members of the public.
FAQ on general-purpose AI models: The European Commission’s AI Office has published a frequently asked questions page on general-purpose AI (GPAI) models, compiled from queries received during the AI Pact webinars and stakeholder submissions. The FAQ covers a broad range of topics, including how GPAI models and systems are defined, when systemic risk applies, and how the compute threshold interacts with systemic risk classification. It also addresses questions on provider identity, including what happens when a model is modified by a different actor, as well as obligations for open-source models, energy consumption documentation, serious incident reporting, and the GPAI Code of Practice. For example, it clarifies that technical compliance dialogues have been the AI Office's primary tool since last year and will continue and, if anything, intensify after August. Formal powers will be used where such dialogues prove insufficient.
Poland adopts draft AI regulatory bill in move to comply with EU rules: Eric Kliszcz, journalist at TVP World, reports that the Polish parliament’s Committee on Digitalization, Innovation and Modern Technologies has adopted a draft AI bill designed to align national rules with the AI Act. At the heart of the proposal is the establishment of a national oversight body, the Commission for the Development and Security of Artificial Intelligence (KRiBSI), which would be empowered to inspect companies, verify compliance, impose penalties and order non-compliant systems to be withdrawn from the market. In addition, the commission would issue permits for high-risk AI systems in areas such as education, critical infrastructure, employment and migration management, and would set up regulatory sandboxes for controlled testing. Regarding governance, the body would be led by a chairperson appointed by parliament with the Senate’s consent, supported by two deputies and representatives of several existing regulators, and would cooperate with national authorities.
Analyses
How much power does the EU AI Office actually have? Joel Christoph, fellow at the Harvard Kennedy School, writes in Lawfare that on 2 August the European Commission’s AI Office will gain three significant enforcement powers over providers of general-purpose AI models. Under Article 91, the Office can demand technical documentation, training data summaries and model reports, while Article 92 allows it to commission independent evaluations, for instance, through the Scientific Panel, including access to the model via APIs or other technical means. Building on these, Article 93 enables the Office to require providers to take specific actions, such as mitigation measures or, in extreme cases, the restriction, withdrawal or recall of a model from the market. Backing these powers, Article 101 authorises fines of up to 3 percent of global annual turnover for failures to comply with information or evaluation requests. Christoph highlights that early sequencing choices, the differential treatment of Code of Practice signatories, and use of the structured dialogue mechanism will shape how seriously providers and other jurisdictions take the EU’s approach.
A practical guide to Article 50 on transparency: Future of Life Institute's guide on the EU AI Act website explains that Article 50 of the AI Act introduces transparency obligations on providers and deployers of certain AI systems, applying not only to high-risk systems but to any AI system used in four specific situations, with open-source systems not exempt. More precisely, the obligations cover AI that interacts directly with people, AI that generates synthetic content, AI used for emotion recognition or biometric categorisation, and AI that creates deepfakes or text published on matters of public interest. On the provider side, chatbots and virtual assistants must be designed so that users know they are interacting with AI, while outputs of generative systems must be marked in a machine-readable format and detectable as artificially generated, with a standardised EU label under development. As for deployers, those using emotion recognition or biometric categorisation must inform exposed individuals, and deepfakes or AI-generated text on matters of public interest must be disclosed unless subject to human editorial review.
Will AI regulatory sandboxes work? Sriya Gukal, writing in The Regulatory Review, examines the EU’s attempt to let companies test AI systems on real people under regulatory supervision before market release. As Gukal explains, the AI Act introduced regulatory sandboxes when it entered into force in August 2024, allowing prospective providers to develop, train, validate and test innovative AI systems for a limited period under supervision. Their documentation is usable to demonstrate compliance and protect them from administrative fines if they follow national authority guidance in good faith. In December 2025, the Commission launched a stakeholder consultation on a draft implementing law setting out common rules for sandboxes. Sandbox proponents point to one major study which found that participants raised significantly more capital than comparable non-participants, and they argue that sandboxes generate valuable regulatory knowledge through annual reports to the AI Office. Critics, however, question the empirical record, warn that SMEs may struggle despite free access, and note that participants remain fully liable for third-party damages. Reflecting these tensions, the Digital Omnibus provisional agreement of May 2026 pushed the establishment deadline from August 2026 to August 2027.
Under Article 93, the Office can force the restriction, withdrawal, or complete market recall of an AI model. Under Article 101, failure to comply with evaluations carries a fine of up to 3% of global annual turnover.
Let that sink in.
If you are a hyperscaler deploying autonomous agents into critical infrastructure, how do you prove to the AI Office that your system is safe? If your defense relies on software policy engines, API wrappers, or Trusted Execution Environment (TEE) logs, you are handing regulators a probabilistic guess. Software cannot reliably constrain hallucinating software.
When a model hallucinates a catastrophic financial or operational command, a software dashboard provides zero court-admissible defense.
To survive the August 2nd mandate, governance must move below the operating system.
At Veritas Core, we architected the physical root of trust for the EU AI Act. We move execution governance entirely off the OS and down to the bare-metal PCIe switch layer. By integrating out-of-band TPM 2.0 hardware circuit breakers, our hardware generates an immutable, non-repudiable compliance receipt at exactly T=0.
If an AI agent attempts to violate its legal or ethical boundaries, our hardware mechanically severs the execution bus. We don't make catastrophic execution tedious; we make it physically impossible.
The hyperscaler that licenses this bare-metal architecture won't just achieve EU compliance—they will hold a physical monopoly over the execution layer of Sovereign AI globally.
The theoretical phase of AI safety ends in August. The era of hardware-anchored physics has begun.
Why limit the transparency to 4 use cases. Why not just say that if you train an AI model you need to share what data is in it. It is so hard to prove that your data has been trained on that it should just be mandatory for all AI models to have documentation of what data has been trained on.
On top of that the data used should be under stricter rules than data used for anything else. I saw that there was a ruling that Meta won because part of the training of data, there is a transformation. Because of this it was ok for Meta to train on copyrighted data without consent. I think it should be the other way and actually put stricter rules when using data for training.