EU AI Act GPAI Provider Obligations: Documentation, Copyright, and Transparency Requirements

13 min read · Updated May 17, 2026

Bottom Line Up Front

EU AI Act Article 53 imposes four obligations on every general-purpose AI model provider: technical documentation, downstream provider information, copyright compliance, and training data disclosure. Models exceeding 10^25 FLOPs face five additional systemic risk obligations. Full enforcement begins August 2, 2026.

A compliance officer at a mid-size SaaS company opens the EU AI Office’s notification portal in September 2025. The company integrated GPT-4 into its customer support platform six months ago. The portal asks a question she cannot answer: is her organization a GPAI provider, a deployer, or both? The answer determines whether she faces four new regulatory obligations, fifteen million euros in potential fines, or a quiet exemption she did not know existed.

That question is not academic. Multiple major AI providers signed the GPAI Code of Practice by August 2025 [EU AI Office, August 2025]. Meta refused. xAI, according to industry reporting, signed one chapter out of four. Compliance obligations for general-purpose AI models are fragmenting in real time, and most organizations have not determined where they fall.

The EU AI Act created a distinct regulatory category for general-purpose AI models. The obligations differ from high-risk AI system requirements, the timelines differ from the broader AI Act rollout, and the enforcement mechanisms are already active. Four obligations apply to every GPAI provider. Five additional obligations apply to models with systemic risk. The open-source exemption covers some requirements but not others.

EU AI Act GPAI provider obligations require all general-purpose AI model providers to maintain technical documentation, supply downstream information, establish a copyright compliance policy, and publish a training data summary. Models exceeding 10^25 FLOPs face five additional systemic risk obligations. Chapter V (GPAI rules) entered application August 2, 2025; full enforcement with Commission fining authority begins August 2, 2026 [EU AI Act, Articles 53, 55, 101].

What Makes a Model “General-Purpose” Under the EU AI Act?

Classification drives every downstream compliance decision. A GPAI model is any AI model trained on broad data at scale that can serve a wide range of tasks, no matter how it reaches the market [EU AI Act, Article 3(63)]. Foundation models, large language models, multimodal systems: all qualify. Deployment context, including high-risk classification, is irrelevant. The model itself triggers the obligations, not its downstream application.

Organizations that integrate third-party models into their products sometimes ask whether they become GPAI providers themselves. Article 53 of the EU AI Act does not define a compute-based fine-tuning threshold that answers this question. The Act’s definitions in Article 3 and the provider obligations in Article 53 address what GPAI providers must do; they do not specify a general rule for when a downstream fine-tuner crosses into provider status. Organizations making substantial modifications to third-party GPAI models should obtain qualified legal counsel on their specific situation rather than relying on informal thresholds that do not appear in the enacted regulation text.

The audit fix. Map every AI model in your technology stack to its provider. For each model, determine: (1) who is the GPAI provider under the Act, (2) whether your organization’s modifications are substantial enough to warrant a provider-status legal analysis, and (3) whether the model qualifies for the open-source exemption. Document this classification in your AI system inventory. The classification drives every subsequent compliance decision. If there is genuine uncertainty about provider status, document the analysis and engage legal counsel before August 2, 2026.

What Are the Four Core GPAI Provider Obligations?

Article 53 imposes four obligations on every GPAI provider. Model size, capability, and deployment context do not affect these requirements [EU AI Act, Article 53]. No exemption exists except the partial open-source carve-out discussed below.

Obligation 1: Technical documentation. Providers must maintain documentation describing the model’s training process, testing methodology, and evaluation results. The European Commission published formal guidelines on July 18, 2025, specifying what “sufficient” documentation includes: training data sources, preprocessing decisions, hyperparameter choices, evaluation benchmarks, known limitations, and mitigation measures [European Commission, Guidelines for Providers of GPAI Models, July 2025]. Note: Article 53 does not specify a retention period for GPAI technical documentation. The 10-year retention requirement under Article 18 applies to high-risk AI system providers, not GPAI providers. Providers must keep GPAI documentation up to date and available for submission to the AI Office on request.

Obligation 2: Downstream provider information. When a deployer integrates your model into an AI system, they inherit their own AI Act obligations. They cannot meet those obligations without your help. The GPAI Code of Practice commits signatories to respond to downstream information requests within 14 days [EU AI Office, GPAI Code of Practice, July 2025]; this SLA is a Code of Practice commitment, not an Article 53 statutory deadline. The information must cover model capabilities, limitations, intended and foreseeable use cases, and integration guidance sufficient for deployers to conduct their own risk assessments.

Obligation 3: Copyright compliance policy. This is the obligation that split the industry. Providers must honor text and data mining opt-outs under Article 4(3) of the Copyright Directive (EU 2019/790), meaning they cannot train on content where the rights holder has posted machine-readable opt-out instructions, such as robots.txt or other machine-readable rights reservations. The regulation does not designate any specific mechanism as the definitive standard. According to industry reporting, xAI signed only the Safety and Security chapter of the Code of Practice, declining the copyright chapter.

Obligation 4: Training data summary. Article 53(1)(d) requires providers to create and publicly release “a sufficiently detailed summary about the content used for training” using a template provided by the AI Office [EU AI Act, Article 53(1)(d)]. Summaries must be updated whenever material changes to training occur. Data sources, data types, collection methodology, and filtering or curation decisions all require disclosure.

The audit fix. Create a GPAI compliance checklist with four deliverables: (1) technical documentation package per Commission guidelines (no statutory retention period specified for GPAI; keep current and available), (2) downstream provider information response process (14-day SLA per Code of Practice commitment), (3) copyright compliance policy with text and data mining opt-out verification process, (4) training data summary using the mandatory template. Assign ownership for each deliverable.

How Does the Open-Source Exemption Work for GPAI Models?

Article 53(2) provides a partial exemption for open-source GPAI models, but the boundaries are narrower than most organizations assume [EU AI Act, Article 53(2)]. The exemption applies only to models released under free and open-source licenses with publicly available parameters, weights, model architecture, and usage information.

Models meeting those criteria are exempt from two of the four obligations: technical documentation (Obligation 1) and downstream provider information (Obligation 2). They must still comply with copyright policy (Obligation 3) and publish a training data summary (Obligation 4).

The exemption disappears entirely for models classified as systemic risk under Article 51. A model released under an open-source license loses the exemption if it exceeds the 10^25 FLOP threshold or is designated as systemically risky by the Commission based on capabilities. Industry observers estimate that several frontier models from leading providers exceed this threshold, though exact compute figures for individual models are often undisclosed or disputed.

For enterprise compliance teams evaluating open-source model adoption, the decision tree is specific. First: does the model meet the open-source definition (publicly available weights, architecture, and parameters)? Second: does the model exceed 10^25 FLOPs or present systemic risk? If yes to the first and no to the second, the partial exemption applies. If the model crosses the systemic risk threshold, treat it identically to any proprietary GPAI model.

The audit fix. For each open-source model in your AI inventory, verify three conditions: (1) the license meets the AI Act’s open-source definition, (2) parameters, weights, and architecture are publicly available, (3) the model does not exceed 10^25 FLOPs or carry a systemic risk designation. Document this analysis. The exemption is partial (copyright and training summary obligations remain) and conditional (it revokes for systemic risk models).

What Additional Obligations Apply to Systemic Risk GPAI Models?

Models trained using 10^25 or more floating point operations trigger a rebuttable presumption of systemic risk under Article 51(2) [EU AI Act, Article 51]. The Commission can also designate models below the threshold based on user numbers, scalability, tool access, or equivalent market impact. Industry observers estimate that frontier models from several major providers exceed this threshold, though compute figures are often contested.

Article 55 adds five obligations beyond the four core requirements [EU AI Act, Article 55]:

Model evaluations. Providers must conduct evaluations using standardized protocols, including red teaming, benchmark testing, and human uplift studies. The evaluations must assess the model’s potential for misuse, generation of harmful content, and capability for autonomous action beyond intended parameters.

Systemic risk assessment and mitigation. Providers must identify, assess, and mitigate systemic risks throughout the model’s lifecycle, following the AI Act’s risk management framework. This goes beyond initial deployment to cover model updates, capability extensions, and downstream integration patterns that could amplify risk.

Serious incident reporting. Providers must track and report serious incidents. The specific timelines for GPAI systemic risk incident reporting derive from the Article 73 framework as cross-referenced by Article 55(1)(c): within 15 days in standard cases, 10 days if a death may have been caused, and 2 days for widespread infringements or certain critical infrastructure incidents [EU AI Act Art. 73(2), 73(3), 73(4) as cross-referenced by Art. 55(1)(c)].

Cybersecurity protections. Adequate safeguards must cover the model and its infrastructure. This includes model weight security, API access controls, inference infrastructure hardening, and supply chain security for model artifacts.

Safety and Security Framework. Providers must establish this framework upon receiving systemic risk notification from the Commission [EU AI Act, Article 55]. Article 55 sets no statutory timeline for framework establishment beyond “without undue delay” for incident reporting; the GPAI Code of Practice Safety and Security Chapter commits signatories to a 4-week implementation window, which is a Code of Practice commitment, not a statutory deadline. The framework must document governance structures, risk management processes, incident response procedures, and ongoing monitoring commitments.

The audit fix. If your organization develops or fine-tunes models approaching the 10^25 FLOP threshold, establish a monitoring process for compute accumulation. Providers must notify the Commission within 2 weeks of meeting or reasonably foreseeing the threshold under EU AI Act Article 52(1), the notification clause; Article 51 sets the threshold itself. Build the Safety and Security Framework template before you need it.

How Does the GPAI Code of Practice Affect Compliance?

The Code of Practice, published July 10, 2025, provides a voluntary compliance pathway that multiple major providers adopted by August 2025 [EU AI Office, August 2025]. Signing is not legally required, but the Commission formally endorsed the Code as “an adequate tool for demonstrating compliance” with GPAI obligations. Non-signatories face a different regulatory posture.

The practical difference: Code of Practice signatories receive a supervised compliance ramp-up during the first year (August 2025 to August 2026). The AI Office has signaled a phased supervision approach for signatories during this period; the extent to which this limits enforcement for signatories versus non-signatories is a matter of regulatory practice, not a categorical immunity. Non-signatories face “a larger number of requests for information and requests for access,” which translates to more frequent regulatory engagement and faster escalation paths.

Meta’s decision to refuse the Code illustrates the stakes: the refusal removes Meta’s primary demonstration-of-compliance pathway. Whether the AI Office has opened formal investigations, and under what designation, cannot be verified against primary sources as of May 2026. The “EU AI Office ecosystem investigation, January 2026” and “European Commission enforcement order, January 2026” labels that appear in some industry coverage are not corroborated by official AI Office communications and should not be cited without a verifiable primary source.

Readiness surveys indicate a majority of organizations remain underprepared for AI Act compliance, with only a minority having started concrete compliance activities. The Code of Practice provides a structured compliance framework for organizations that want to demonstrate good faith before full enforcement begins in August 2026.

The audit fix. Review the Code of Practice text at code-of-practice.ai and assess alignment with your current AI governance program. For downstream deployers (not model providers), the Code’s transparency and information-sharing provisions define what you should demand from your GPAI providers. Build these requirements into vendor contracts and procurement checklists before full enforcement begins August 2, 2026.

The twelve months between August 2025 and August 2026 will separate organizations that built GPAI governance proactively from those that built it under regulatory pressure. The grace period is a supervision window for Code of Practice signatories and a heightened-scrutiny window for non-signatories. Classify your GPAI exposure now. Map your four obligations. Determine whether you are a provider, a deployer, or both. The regulatory environment will not wait for your compliance program to catch up.

Frequently Asked Questions

What are GPAI provider obligations under the EU AI Act?

Article 53 requires all GPAI providers to maintain technical documentation (no statutory retention period specified for GPAI; keep current and available), supply information to downstream providers (14-day SLA per Code of Practice), establish a copyright compliance policy respecting text and data mining opt-outs, and publish a training data summary using the EU AI Office’s mandatory template [EU AI Act, Article 53]. These four obligations apply regardless of model size. Models exceeding 10^25 FLOPs face five additional obligations under Article 55, including model evaluations, incident reporting (per Article 73 timelines by cross-reference: 15 days standard, 10 days for fatalities, 2 days for widespread infringement), and establishing a Safety and Security Framework.

When did GPAI obligations take effect?

Chapter V (GPAI rules) entered application August 2, 2025. Models placed on the market from that date are subject to GPAI obligations. Models placed on the market before August 2, 2025, have until August 2, 2027, to comply with the full set of requirements per Article 111(3). Full enforcement with Commission fining authority under Article 101 begins August 2, 2026 [EU AI Act, Article 113].

How is a GPAI model classified as having systemic risk?

Under Article 51(2), any model trained using 10^25 or more floating point operations is presumed to have high-impact capabilities that create systemic risk [EU AI Act, Article 51]. The Commission can also designate models below the FLOP threshold based on user numbers, scalability, tool access, or equivalent market impact. Providers may rebut the presumption by submitting evidence that their model does not present systemic risk despite exceeding the compute threshold.

Are open-source GPAI models exempt from EU AI Act obligations?

Open-source models with publicly available weights, architecture, and parameters are exempt from two of four obligations: technical documentation and downstream provider information [EU AI Act, Article 53(2)]. They must still comply with copyright policy and training data summary requirements. The exemption does not apply to models classified as systemic risk, regardless of their license type.

What is the GPAI Code of Practice and is it mandatory?

The Code of Practice, published July 10, 2025, is a voluntary compliance framework covering transparency, copyright, and safety obligations [EU AI Office, GPAI Code of Practice, July 2025]. While not legally binding, the Commission endorsed it as an adequate tool for demonstrating compliance, and signatories receive a supervised ramp-up period through August 2026.

What do downstream deployers need from GPAI providers?

Deployers integrating GPAI models into AI systems need technical documentation on model capabilities and limitations, integration guidance, and sufficient information to meet their own AI Act deployer obligations [EU AI Act, Article 53]. The Code of Practice establishes a 14-day response window for provider information requests. Procurement teams should build these requirements into vendor contracts before full enforcement begins.

What are the fines for GPAI non-compliance?

GPAI-specific fines under Article 101 are administered by the Commission and reach up to EUR 15 million or 3% of global annual turnover, whichever is higher [EU AI Act, Article 101]. Article 5 prohibited-practice violations carry the higher cap of EUR 35 million or 7% of worldwide annual turnover under Article 99(3). Other provider and deployer obligation violations carry EUR 15 million or 3% under Article 99(4). Signing the Code of Practice is a mitigating factor during enforcement but does not provide immunity from penalties.

Josef Kamara, CPA, CISSP, CISA, Security+

Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.