Back to Blog

EU AI Act Takes Effect on August 2, 2026: What Changes for Web Scraping and Data Collection

Until August 2, 2026, there is one month left — the EU AI Act gains the authority to impose fines. Machine-readable TDM refusals and robots.txt are for the first time gaining copyright significance, AI model providers are required to disclose training sources, and fines can reach up to €15 million or 3% of turnover. Let's analyze who this really affects and how to properly collect data now.

📅June 30, 2026
EU AI Act Takes Effect on August 2, 2026: What Changes for Web Scraping and Data Collection

There is about a month left until August 2, 2026 — and on this day, the European AI Act will cease to be a "paper" regulation and will gain real enforcement powers regarding fines. For anyone collecting data online — from training large models to simple price monitoring — this is a milestone after which machine-readable prohibitions on data collection will first carry the weight of copyright, and AI model providers will be required to disclose what they were trained on. Let's break down what exactly is changing and who it affects in practice.

What Comes into Effect on August 2, 2026

The EU AI Act was introduced in phases. Prohibited practices became non-applicable back in February 2025, and obligations for general-purpose AI model providers (GPAI) formally came into effect on August 2, 2025. However, it is on August 2, 2026, that the regulation becomes fully applicable: requirements for high-risk systems are included, and importantly, the regulator gains the authority to impose fines for non-compliance with GPAI obligations.

The fines are structured as follows:

  • up to €35 million or 7% of global turnover — for prohibited practices (whichever is higher);
  • up to €15 million or 3% of global turnover — for violations related to high-risk systems and GPAI obligations;
  • up to €7.5 million or 1% of turnover — for providing false information to the regulator.

The regulation has extraterritorial effect: obligations apply to the provider regardless of their location if the model is placed on the EU market. An American or Asian AI company whose product is available to Europeans falls under the same rules.

What GPAI Providers Must Do

There are three key obligations, two of which are directly related to data collection:

  • Technical documentation — a description of the model's architecture, methodology, and training resources, available to supervisory authorities and downstream developers.
  • Public summary of training data — the provider is required to publish a "sufficiently detailed" description of the content on which the model was trained, following a template issued by the AI Office. This is the world's first attempt to compel model developers to publicly account for their data sources.
  • Copyright compliance policy — the provider must respect mechanisms for opting out of text-and-data-mining (TDM) under Article 4 of the Copyright Directive 2019/790, including machine-readable signals.

For models with systemic risk (training threshold of 10^25 FLOPs), adversarial testing and mandatory incident reporting are added. Existing models on the market will receive a grace period — they must be brought into full compliance by August 2, 2027.

robots.txt Gains Copyright Significance

The main change for the data collection industry is hidden in the copyright requirement. Previously, the robots.txt file was a gentleman's agreement: ignoring it violated the site's rules but was not considered a legal violation in itself. Now, under the umbrella of Article 4 of Directive 2019/790, machine-readable rights reservations — robots.txt, the emerging standard ai.txt, TDM signals — acquire copyright weight. A rights holder who has expressed an opt-out from data mining in a machine-readable form is effectively protected by copyright from the use of their content for training.

To standardize these signals, the European Commission has launched a consultation on rights reservation protocols: the goal is to agree on a machine-readable format that will be recognized as "industry standard" and widely accepted by rights holders. In other words, the EU is building a legally significant language for opting out of scraping for AI training.

Context: Platforms Have Already Gone on the Offensive

The regulation comes into play in an already fierce market. In July 2025, Cloudflare, which protects about 20% of the web, became the first infrastructure provider to default block AI crawlers for all new domains — website owners now need to explicitly allow specific bots. By August 2025, over 2.5 million sites had completely banned the use of their content for AI training; approximately 19% of sites block GPTBot alone. Among the most blocked crawlers are GPTBot, ClaudeBot, CCBot, Google-Extended, and Bytespider.

Meanwhile, the gap is enormous: according to Cloudflare, AI bots access about 39% of the top 1 million resources on the web, but only 2.98% of them actually block or challenge such requests. Simultaneously, Cloudflare launched a Pay Per Crawl model — the site responds to bots with a "402 Payment Required" message, and AI companies pay for access. Data collection from a free "everything is allowed" model is turning into a market with a price tag.

The legal front is not lagging behind. Reddit has filed lawsuits against Perplexity AI and associated data collectors and proxy providers (SerpApi, Oxylabs, AWMProxy), and its chief lawyer articulated the essence of the conflict harshly: "AI companies are locked in an arms race for quality human content, and this pressure has created an industrial-scale economy of data laundering." At the same time, Reddit has entered into licensing agreements with OpenAI and Google — meaning data is sold to those who pay, while those who take it for free are pursued. LinkedIn, in a separate lawsuit, accused ProAPIs of creating around a million fake accounts for scraping and reselling profiles for up to $15,000 a month.

What This Means for Data Collectors

The first and foremost thing — no panic. The EU AI Act does not prohibit web scraping as such and does not turn the collection of public data into a crime. The regulation specifically targets AI model providers and high-risk systems. If you are monitoring competitor prices, collecting data for SEO analytics, checking search results, or aggregating public reviews, you do not become a "GPAI provider" and are not directly subject to the new obligations.

Who the Act Really Affects

The ones in the crosshairs are those who train or fine-tune large models on collected data and place them on the EU market. For them, publishing a summary of training data and respecting TDM opt-outs become legal requirements with real penalties. If your scraping is a link in the pipeline for model training, you will need to document sources and comply with machine-readable prohibitions.

How to Collect Data Responsibly

The second effect — indirect, but it will affect everyone. The more legal weight machine-readable opt-outs gain and the more aggressively platforms block automated traffic, the higher the bar for any data collection. Practical takeaways:

  • Read robots.txt and TDM signals and make informed decisions based on them. Ignoring machine-readable opt-outs is now not only a risk of being banned but also a potential copyright issue, especially if the data is used for model training.
  • Separate tasks. Collecting public facts (prices, availability, ratings) and copying copyright-protected content for training are legally different activities. Structure processes to avoid mixing them.
  • Minimize load and do not disguise yourself as a real user where it is misleading. The case of a million fake LinkedIn accounts is a clear example of how "gray" methods can lead to lawsuits.
  • Use legal access infrastructure. When data collection is distributed and comes from real user IPs, it creates less load on any single node and does not appear as a barrage from one data center. Residential proxies provide traffic indistinguishable from a regular user, while for high-load tasks where maximum "humanity" is not needed, faster data center proxies will suffice.

It is also important to keep in mind the overall traffic picture: we have already discussed how bots have overtaken humans in internet traffic for the first time — this shift is precisely what is causing platforms to close off. For practical work with specific platforms, our analysis of safe scraping of X (Twitter) without bans is useful: the same principles — respecting limits, distributing requests, using trusted IPs — apply in the new regulatory reality.

Conclusion

August 2, 2026, is not the "end of scraping," but a point after which data collection will finally split into two paths. Documented, respecting machine-readable opt-outs, and working with public data — will become the norm and protection. Hidden, circumventing explicit prohibitions, and disguising as users for model training — will face risks of fines up to €15 million or 3% of turnover and lawsuits from platforms. The EU AI Act does not close the door — it shifts data collection from the "wild field" into a mode where rules finally have a price. And those who restructure their processes in advance, rather than a week before the deadline, will benefit.