On March 12, 2026, the European Commission published a draft implementing regulation that spells out exactly how it will investigate general-purpose AI (GPAI) model providers and enforce compliance under the EU AI Act. This is not a policy paper or a set of guidelines. It is the procedural machinery — the step-by-step rules for how Brussels will open investigations, gather evidence, impose interim measures, and levy fines on the companies behind the large AI models that power much of the market.
If your company deploys products built on GPT, Gemini, Claude, Llama, Mistral, or any other GPAI model, this regulation matters to you. Not because you will be investigated directly, but because your supply chain just became a regulatory variable.
What the Commission published
The draft implementing regulation establishes the procedural framework for enforcing GPAI obligations under Articles 51 through 56 of the EU AI Act. These obligations, which have been in force since August 2025, cover transparency, technical documentation, copyright compliance, and — for models classified as posing systemic risk — additional requirements around model evaluation, incident reporting, and cybersecurity.
Until now, the obligations existed but the enforcement mechanism was vague. The March 12 draft fills that gap by defining:
- How the Commission will initiate and conduct investigations into GPAI providers
- The information-gathering powers available to investigators
- Procedural rights for the companies under investigation (access to file, right to be heard, legal representation)
- The conditions under which interim measures can be imposed, including pulling a model from the EU market
- How fines will be calculated and imposed
- Appeal and review procedures
The public consultation on this draft is open until April 9, 2026. After incorporating feedback, the Commission is expected to finalize the regulation in the second half of 2026.
Who is directly affected
This regulation targets GPAI model providers — the companies that develop and make available the foundation models used across the industry. That means OpenAI, Google DeepMind, Anthropic, Meta, Mistral, Aleph Alpha, and any other organization that places a GPAI model on the EU market, regardless of where they are headquartered.
The key distinction: the Commission itself is the enforcing authority for GPAI obligations, not national authorities. This is different from how high-risk AI system obligations are enforced (where national market surveillance authorities take the lead). For GPAI, Brussels handles it centrally through the AI Office.
How investigations will work
The draft regulation lays out a structured investigation process with clear procedural stages.
Information requests
The Commission can issue formal requests for information to GPAI providers. These can cover technical documentation, training data descriptions, model evaluation results, incident records, and any other material relevant to compliance with Articles 51-56. Providers are obligated to respond within the specified deadline. Supplying incorrect, incomplete, or misleading information is itself a sanctionable offense.
On-site inspections
Investigators can conduct on-site inspections at company premises, with the power to examine records, systems, and processes. The regulation specifies how inspections are authorized and what procedural safeguards apply.
Interim measures
This is the provision that should get the most attention. If the Commission finds evidence of a serious and immediate risk during an investigation, it can impose interim measures before the investigation concludes. These measures can include requiring a provider to suspend making a model available on the EU market.
In practical terms: if a GPAI model is found to pose a clear and present risk — for example, a systemic risk model without adequate safeguards — the Commission can order it pulled from the market while the investigation continues. This is the regulatory equivalent of a product recall, applied to AI models.
Right to be heard
Providers under investigation have the right to access the investigation file, submit written responses, and present their case before any final decision is made. The regulation includes timelines and procedural requirements to ensure due process.
The fine structure
The draft regulation confirms the penalty framework established in the AI Act itself. For GPAI-specific violations:
- Up to 3% of global annual turnover or EUR 15 million, whichever is higher
- Fines apply to violations of GPAI obligations under Articles 51-56
- The Commission will consider the nature, gravity, and duration of the infringement, as well as aggravating and mitigating factors (cooperation, remediation efforts, prior history)
- Supplying incorrect information to investigators carries its own fine: up to 1% of global annual turnover or EUR 7.5 million
For context, 3% of OpenAI's estimated annual revenue would be in the hundreds of millions of euros. For smaller GPAI providers, the EUR 15 million floor ensures the penalty remains meaningful regardless of company size.
Why SMEs should care about this
If you are an SME deploying AI-powered products or using GPAI models in your workflows, you are not the target of this enforcement regulation. But you are exposed to its consequences. Here is why.
Supply chain risk is now regulatory risk
Under the EU AI Act, deployers of high-risk AI systems have obligations that depend partly on what their GPAI provider delivers. You need technical documentation from your provider. You need transparency information. You need assurance that the model you are building on meets its own regulatory requirements.
If your GPAI provider is under investigation, fails to cooperate, or is found non-compliant, that creates a gap in your own compliance posture. You cannot document what your provider will not disclose.
Model withdrawal is a business continuity issue
The interim measures provision means a GPAI model could be pulled from the EU market during an investigation. If your product depends on a single GPAI provider and that provider's model is suspended, your product is effectively suspended too. This is not theoretical — the regulation explicitly grants the Commission this power.
Due diligence expectations will increase
As enforcement becomes concrete, downstream expectations will sharpen. Enterprise customers, regulators, and auditors will want to see that you have assessed your GPAI provider's compliance posture, not just signed their terms of service.
How to reduce your exposure as a deployer
1. Know your GPAI dependencies
Maintain a clear inventory of every GPAI model your organization uses, including the provider, model version, and what business functions depend on it. ClearAct's AI System Inventory is designed for exactly this.
2. Assess your provider's compliance posture
Review what your GPAI provider has published regarding EU AI Act compliance. Have they released technical documentation per Article 53? Do they have a designated EU representative? Have they made public statements about their compliance roadmap? Silence is a signal.
3. Request transparency information proactively
Article 53 requires GPAI providers to make certain information available to downstream deployers. If you have not received this information, request it. Document the request and the response (or lack thereof). This demonstrates your own due diligence.
4. Plan for provider disruption
If your business depends on a single GPAI model, consider what happens if that model becomes unavailable in the EU. Identify alternative providers. Test portability. Ensure your architecture does not create a single point of regulatory failure.
5. Monitor enforcement developments
The GPAI enforcement landscape will evolve rapidly through 2026 and 2027. Track which providers are subject to investigations, what the AI Office publishes, and how the codes of practice for GPAI develop.
What to do now
The public consultation on this draft implementing regulation closes on April 9, 2026. If your organization has views on how GPAI enforcement should work — particularly regarding the impact on downstream deployers — this is your window to submit feedback.
Beyond the consultation, three practical steps:
- Audit your GPAI supply chain — list every model, provider, and business dependency
- Document your provider due diligence — what compliance information have you received, requested, or been denied?
- Build contingency into your architecture — no single provider should be an existential dependency
Timeline
| Date | Event |
|---|---|
| August 2025 | GPAI obligations (Articles 51-56) entered into force |
| March 12, 2026 | Commission publishes draft implementing regulation on GPAI enforcement procedures |
| April 9, 2026 | Public consultation closes |
| Mid-2026 | Finalization expected after incorporating consultation feedback |
| H2 2026-2027 | First enforcement actions anticipated |
The bottom line
The EU AI Act's GPAI provisions are no longer obligations without teeth. The Commission now has a defined procedural toolkit for investigating providers, gathering evidence, imposing interim measures, and issuing fines up to 3% of global turnover. For GPAI providers, the compliance stakes just became concrete.
For SMEs deploying these models, the message is equally clear: your compliance posture is only as strong as your provider's. Start treating GPAI provider compliance as a supply chain risk, not someone else's problem.
Need to map your GPAI dependencies and assess your compliance exposure? Start with a free risk assessment or explore ClearAct's AI System Inventory to track every model your organization relies on.