The 30-Day Rule: What the White House's New Frontier-AI Review Actually Requires — and How It Differs From the EU
The 30-Day Rule: What the White House's New Frontier-AI Review Actually Requires — and How It Differs From the EU
The U.S. now offers AI labs a voluntary 30-day pre-release government review for the most capable "frontier" models. Here is what triggers it, what companies hand over, and why it looks nothing like the EU's rulebook.
If you build or buy advanced AI, two governance systems now sit on either side of the Atlantic — and they are built on opposite theories. On June 2, 2026, the White House signed an executive order, Promoting Advanced Artificial Intelligence Innovation and Security, that creates a voluntary 30-day window for the federal government to review the riskiest new models before public release. Two months later, on August 2, 2026, the EU's binding enforcement powers for general-purpose AI switch on. This post breaks down what the U.S. framework actually asks of companies, then puts it side by side with the EU approach so you can see where the real differences are.
What the executive order actually establishes
The order is organized around three parts: hardening federal and critical-infrastructure cybersecurity, prioritizing criminal enforcement against AI-enabled cybercrime, and — the piece everyone is watching — a framework for pre-release engagement on frontier models. The mechanics:
- Who identifies the models: The NSA and CISA are directed to build a classified benchmarking process to flag models with advanced cyber capabilities. Models that clear that bar are designated "covered frontier models," with the final designation made by the Director of the NSA.
- What the review is: Developers of a covered model are invited — on a voluntary basis — to give the government up to 30 days of pre-release access to evaluate national-security implications.
- What it is not: The order explicitly disclaims mandatory licensing. Release is not conditioned on government approval. There is no statutory penalty for declining to participate.
In other words, the leverage here is not law. It is incentive: early government feedback, defensive collaboration, and the gravitational pull of federal procurement. A lab that wants to sell to federal agencies has a strong reason to cooperate even though nothing forces it to.

## U.S. voluntary framework vs. the EU AI Act, side by side
The clearest way to understand the U.S. order is by contrast. The EU's General-Purpose AI (GPAI) obligations become enforceable on August 2, 2026 through the AI Office, backed by real penalties. Here is the direct comparison:
| Dimension | U.S. frontier framework (EO, June 2 2026) | EU AI Act (GPAI enforcement from Aug 2 2026) |
|---|---|---|
| Legal force | Voluntary; no penalty for non-participation | Binding law with statutory penalties |
| Who scopes it | NSA (classified benchmark of cyber capability) | Public, quantitative compute threshold |
| Where the line is | Kept classified | Published — GPAI regime from ~10²³ FLOPs, stricter systemic-risk tier above |
| Enforcement body | National-security institutions (NSA/CISA) | Standing regulator (the AI Office) |
| Penalty | None | Up to the greater of €15M or 3% of global annual turnover |
| Trigger for release | Not conditioned on approval | Obligations apply regardless of any U.S. review |
| Core theory | Mandatory licensing entrenches incumbents and slows a strategic race | Binding rules and a standing regulator are prerequisites for trust |
The single sharpest difference: one regime tells you where the line is; the other tells you the line exists but keeps its location classified. The EU publishes a numeric compute threshold so any developer can self-assess. The U.S. keeps the benchmark classified and lets the NSA make the call case by case.
What this means if you build or deploy AI
These two systems are not mutually exclusive — they are additive. A lab operating on both sides of the Atlantic has to manage coexistence, not choose one. A model active in the EU market is subject to the AI Act regardless of whether it also opts into the U.S. review. The U.S. framework is best understood as an optional extra track layered on top of whatever the EU already requires.
Three practical takeaways:
- Opting into the U.S. review is a business decision, not a legal one. For labs chasing federal contracts, 30 days of pre-release national-security feedback is cheap insurance. For a lab with no federal ambitions, the calculus is different.
- The classified threshold creates planning uncertainty. Because the bar for "covered" is secret, companies cannot fully self-assess whether a given model will be flagged — a stark contrast to the EU's published FLOP line.
- August 2 is the harder deadline. The EU date carries penalties reaching the greater of €15M or 3% of global turnover. The U.S. date carries none. If you have to prioritize compliance spend, the binding regime is the one that bites.

## Frequently Asked Questions
Is the 30-day review mandatory? No. It is explicitly voluntary. There is no penalty for a developer that declines, and public release is not conditioned on government approval.
Which models are affected? Only "covered frontier models" — those the NSA and CISA flag through a classified benchmark of advanced cyber capabilities. The exact threshold is not public.
Does this replace the EU AI Act for global companies? No. A model on the EU market remains subject to the AI Act regardless of the U.S. order. The two coexist; the U.S. track is optional and the EU track is not.
What can regulators actually do with 30 days of access? Evaluate the national-security implications of the model before release and give the developer defensive feedback. They cannot block the release under this framework.
When does each regime take effect? The U.S. executive order was signed June 2, 2026. The EU's GPAI enforcement powers activate August 2, 2026.
Key Takeaways
- The White House framework is a voluntary 30-day pre-release review for NSA-designated "covered frontier models," with no penalty and no approval requirement.
- The EU AI Act is the opposite: binding, with a public compute threshold and penalties up to the greater of €15M or 3% of global turnover, enforceable from August 2, 2026.
- The defining contrast is transparency of the line — public FLOP threshold (EU) vs. classified benchmark (U.S.).
- For global builders the two are additive, not alternatives; the EU deadline is the one with teeth.
How this was written AI helped research this piece, but every source, fact, and sentence was checked and finalized by hand.
References
- The White House, Promoting Advanced Artificial Intelligence Innovation and Security (presidential action): https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/
- Latham & Watkins, "President Trump Signs Executive Order Establishing AI Cybersecurity and Frontier Model Framework": https://www.lw.com/en/insights/president-trump-signs-executive-order-establishing-ai-cybersecurity-and-frontier-model-framework
- Norton Rose Fulbright, "EO sets voluntary 'early access' framework for AI models": https://www.nortonrosefulbright.com/en/knowledge/publications/900af3cf/executive-order-establishes-voluntary-early-access-framework-to-frontier-ai-models
- ComplianceHub, "Two Continents, Two Rulebooks: The U.S.–EU AI Governance Divergence": https://compliancehub.wiki/us-eu-ai-governance-divergence-frontier-eo-ai-act-2026/
- Skadden, "New AI Executive Order Calls for Frontier Model Security, Early Government Access and AI-Enabled Cyber Defense": https://www.skadden.com/insights/publications/2026/06/new-ai-executive-order
Comments ()