The EU AI Act’s obligations on general-purpose AI providers became enforceable on August 2, 2025. Nine months later, the European AI Office has published initial enforcement signals, the GPAI Code of Practice has been operational for most major providers, and the marketing and analytics community has had time to see how the regulation actually constrains day-to-day vendor selection. The reality differs in instructive ways from the pre-enforcement debate.
The Code of Practice Did the Heavy Lifting
The European Commission finalized the GPAI Code of Practice in mid-2025. The Code is a voluntary compliance tool submitted by independent experts that companies could sign to demonstrate alignment with their GPAI obligations under the Act. Companies that signed gained a presumption of conformity with the Phase 2 obligations; companies that declined faced obligation-by-obligation scrutiny from the AI Office.
Nine months in, signatories report a stable compliance posture. Documentation submission, training-data summaries, and incident-reporting mechanisms have become operational routine. The expected enforcement wave never materialized, but the procedural cost of staying outside the Code has become visible in legal-team headcount.
What Actually Trips Compliance Audits
The first nine months of enforcement focused on documentation completeness, not novel interpretation. Three issues have generated the most formal correspondence between the AI Office and providers:
- Training-data summary specificity — providers initially submitted high-level summaries; the AI Office has pushed for specific dataset names and licensing positions
- Systemic-risk evaluation scope — disagreement over which evaluations qualify as systemic-risk testing under the Code
- Downstream-deployer information access — practical implementation of the right to receive technical documentation remained ambiguous through Q4 2025
What This Means for Marketing Teams Today
Most marketing and analytics teams use GPAI through vendor APIs rather than building on raw foundation models. The compliance burden flows up the supply chain to model providers—but procurement contracts signed before August 2025 needed updating to reflect Phase 2 realities.
Three contractual elements that have become standard in 2026 vendor agreements:
- Documentation pass-through clauses — right to receive Phase 2 technical documentation needed for downstream risk assessment
- Cascading incident notification — 24-hour notification from vendor to enterprise customer for incidents the vendor reports to the AI Office
- Training-data provenance warranties — vendor confirmation that training respected EU text-and-data-mining opt-outs
Enterprise customers without these clauses face a refresh cycle now, not at contract renewal. Some legal teams have driven addendum negotiations rather than waiting for the next procurement cycle.
The High-Risk Deployer Question
Organizations classified as deployers of high-risk AI systems—AI used in HR, credit decisioning, education, or law enforcement—face heavier obligations than generic deployers. Fundamental-rights impact assessments and EU AI Database registration are required before deployment. Through Q1 2026, registration has been slower than the Commission expected, suggesting many high-risk deployments are operating in a compliance grey zone.
Looking Ahead to 2027 and 2028
The next major phase under the Act lands in December 2027—the date when obligations apply to high-risk systems in areas including biometrics, critical infrastructure, education, employment, migration, and border control. A further deadline of August 2, 2028 covers AI systems integrated into regulated products such as lifts and toys.
The 18-24 months between now and those deadlines are the window for HR, fintech, edtech, and regulated-product vendors to align. Vendors that watched the GPAI deadline pass without action are at risk of repeating the same mistake on a tighter timeline.