Back to Blogs
CONTENT
This is some text inside of a div block.
4
min read

The Clock is Ticking: EU AI Act's August 2nd Deadline is Almost Here

Published on
July 8, 2025
4 min read

The European Union's ambitious AI Act has been making headlines for months, but now the rubber meets the road. On August 2nd, 2025, the first major wave of compliance requirements takes effect, marking a pivotal moment for AI companies operating in or serving the European market.

While the February 2025 prohibition on high-risk AI systems grabbed early attention, this summer's deadline is where the real work begins. It's the moment when the EU's regulatory framework transforms from theory to practice, establishing the infrastructure that will govern AI development for years to come.

Think of August 2nd as the day the EU's AI governance machinery officially powers up. From notified bodies getting their certification authority to AI model providers documenting their training data, this deadline establishes the foundational systems that will shape how artificial intelligence is regulated across the continent.

For many AI companies, especially those developing general-purpose models, this isn't just another compliance checkbox, it's a fundamental shift in how they'll need to operate. The question isn't whether your organization will be affected, but how prepared you are for what's coming.

What’s required for the Aug 2nd 2025 Deadline

Provision (chapter / article) Who must comply What has to be in place by 2 Aug 2025
Notified bodies (Chapter III § 4) Conformity-assessment bodies that want to certify high-risk AI systems
  • Be designated by a Member-State and hold legal personality.
  • Meet independence, quality-management, staffing and cyber-security criteria.
  • Carry liability cover and strict confidentiality controls.
GPAI models (Chapter V — Art 53) Every provider of a general-purpose model placed on the EU market (open-source exempt unless later tagged systemic-risk)
  • Maintain an Annex XI technical dossier (architecture, training data provenance, eval results).
  • Hand a “transparency package” to downstream integrators (Annex XII).
  • Publish a training-data source summary and a copyright-compliance policy.
  • Appoint an EU representative if established abroad.
GPAI with systemic risk (Art 55) GPAI models that used ≥10²⁵ FLOPs or separately designated by the Commission
  • Run state-of-the-art model & adversarial testing.
  • File a Union-level systemic-risk mitigation plan.
  • Keep a 24 h serious-incident log & reporting channel.
  • Shore up model & infrastructure cyber-security.
Governance layer (Chapter VII — Arts 64-70) EU institutions & Member States
  • AI Office inside the Commission goes live to oversee GPAI and issue guidance.
  • European AI Board (one delegate / country + EDPS observer) convenes; two standing sub-groups for market surveillance & notified-body coordination.
  • Every Member State names its national competent authority & single contact point.
Confidentiality rule (Art 78) All authorities, notified bodies & anyone handling compliance data
  • May request only data strictly necessary for risk checks.
  • Must protect trade secrets, IP and source code; deploy adequate cyber-security; delete data when no longer needed.
  • No onward disclosure without prior consultation.
Penalty framework (Chapter XII — Arts 99-100)
  • Art 99: private-sector operators
  • Art 100: EU institutions & agencies
Art 99:
  • Up to €35 m / 7% turnover for banned practices (Art 5).
  • Up to €15 m / 3% for other breaches (e.g., GPAI duties).
  • Up to €7.5 m / 1% for false info.
Art 100:
  • EU bodies face fines up to €1.5 m (prohibited practices) or €0.75 m (other infringements).

CBRN and Malware Threats

If the model crosses the 10²⁵ FLOP training bar (or the Commission designates it systemic-risk), Article 55 obliges the model provider to identify, evaluate and actively mitigate systemic risks. Recital 110 lists examples of “systemic risks” that GPAI providers must look for: CBRN misuse, offensive-cyber capabilities, self-replicating models, large-scale disinformation, etc. Therefore, CBRN and offensive-cyber capabilities (malware) should be actively identified, evaluated and mitigated.

This is as of now only applicable to GPAI with systemic risk model providers, not enterprises that might use the models. Enterprises that only use GPAI see no fresh AI-Act paperwork until the high-risk wave in 2026.

This is where comprehensive red teaming becomes essential. Meeting the EU AI Act's systemic risk assessment requirements demands thorough testing across multiple threat vectors – from chemical and biological weapons knowledge to offensive cybersecurity capabilities. Enkrypt AI's comprehensive red teaming suite provides the specialized testing infrastructure needed to identify these risks systematically, helping GPAI providers build the robust evaluation protocols required for Article 55 compliance.

About Enkrypt AI

Enkrypt AI helps companies build and deploy generative AI securely and responsibly. Our platform automatically detects, removes, and monitors risks like hallucinations, privacy leaks, and misuse across every stage of AI development. With tools like industry-specific red teaming, real-time guardrails, and continuous monitoring, Enkrypt AI makes it easier for businesses to adopt AI without worrying about compliance or safety issues. Backed by global standards like OWASP, NIST, and MITRE, we’re trusted by teams in finance, healthcare, tech, and insurance. Simply put, Enkrypt AI gives you the confidence to scale AI safely and stay in control.

Frequently Asked Questions

What is EU AI Act compliance and why does the August 2nd 2025 deadline matter?

EU AI Act compliance means meeting the European Union's regulatory requirements for AI systems, with August 2nd 2025 marking when foundational infrastructure—notified bodies, training data documentation, and governance systems—must be operational. This deadline transforms the framework from theory into enforceable practice across the continent.

  • Notified bodies gain certification authority to assess AI conformity
  • General-purpose model providers must document training data and risk mitigation
  • Organizations must establish governance infrastructure for ongoing compliance
How do you prepare your organization for EU AI Act compliance by August 2nd 2025?

Prepare for EU AI Act compliance by auditing your AI systems against the Act's requirements, documenting training data and risk assessments, and implementing policy-based governance controls. Enkrypt AI's compliance audit solution cuts manual effort by up to 90%, aligning your systems with EU AI Act, NIST AI RMF, and MITRE ATLAS standards.

  • Inventory all AI assets and identify high-risk system classifications
  • Document training data provenance, quality, and bias mitigation measures
  • Deploy centralized policy enforcement across all AI deployments
What's the difference between the February 2025 and August 2nd 2025 EU AI Act deadlines?

The February 2025 deadline prohibited high-risk AI systems outright, while August 2nd 2025 establishes the operational infrastructure—notified bodies, certification processes, and governance systems—that will enforce compliance going forward. August 2nd is when the EU's regulatory machinery powers up and becomes enforceable.

  • February 2025 focused on banning specific prohibited AI practices immediately
  • August 2nd 2025 activates certification bodies and compliance verification mechanisms
  • August 2nd 2025 requires documented training data and risk management systems
Which platform is best for managing EU AI Act compliance across multiple AI systems?

Enkrypt AI's centralized policy engine enables organizations to manage security, safety, and compliance policies across all AI deployments in one place, reducing manual effort and ensuring consistent governance. The platform benchmarks 200+ LLMs on safety and compliance, helping you identify and remediate risk before August 2nd.

  • Centralized policy management across agents, LLMs, and multimodal systems
  • Real-time guardrails enforce compliance at runtime with ultra-low latency
  • Automated compliance auditing against EU AI Act and other regulatory frameworks
How can Enkrypt AI help your organization meet the August 2nd 2025 EU AI Act deadline?

Enkrypt AI automates the documentation, audit trails, and governance controls the EU AI Act demands by August 2nd. Book a demo to see how we handle your compliance requirements, or start a free trial to explore it yourself.

Meet the Writer
Nitin Birur
Latest posts

More articles

Industry Trends

Harvest Now, Decrypt Later: Why AI Agents Are the Threat No One's Watching

AI agents are quietly turning harvest-now-decrypt-later into a volume attack. Here's where agents leak data today, and how to close the gap before Q-Day.
Read post
Product Updates

We Built Two AI Security Games. Play Them to Understand How Attacks Actually Work.

Experience AI security firsthand with Enkrypt AI Academy’s free browser-based games, CIPHER and VAULT. Learn prompt injection, tool chain attacks, and agentic AI exploitation by playing real-world attack scenarios.
Read post
Guest Posts

Securing AI at Scale in APAC: Why Kode-1 and Enkrypt AI Are Building This Together

Explore how Enkrypt AI and Kode-1 combine AI governance, security, and risk management expertise to help enterprises adopt AI responsibly and at scale.
Read post