EU AI Act GPAI Provider Obligations: General-Purpose AI Models
If you train or provide a general-purpose AI model — a foundation model or large language model that can be adapted to many tasks — you're a GPAI provider with a dedicated obligation set under Articles 53–55. Models above a compute threshold are presumed to carry systemic risk and face stricter duties. These were the first obligations to bite, from 2 August 2025.
Are you a gpai model provider?
You are a GPAI provider if you place on the market a general-purpose AI model — one trained on broad data at scale that displays significant generality and can competently perform a wide range of tasks (e.g. an LLM or multimodal foundation model) — whether standalone or as part of a system. A model is presumed to have systemic risk if its training used more than 10²⁵ floating-point operations, triggering the tougher Art. 55 duties.
The mistake teams make
Downstream builders assume the model provider's paperwork covers them. It doesn't. GPAI duties (Art. 53–55) sit on the model provider; if you then build a high-risk system on top of that model, you're a separate provider or deployer with your own obligations. The two layers stack — they don't substitute.
GPAI model provider obligations, article by article
- Art. 53(1)(a)Model technical documentation
Draw up and keep technical documentation of the model, including training and testing.
- Art. 53(1)(b)Information to downstream providers
Give downstream system builders the information they need to comply with the Act.
- Art. 53(1)(c)Copyright policy
Put in place a policy to respect EU copyright law, including text-and-data-mining opt-outs.
- Art. 53(1)(d)Training-data summary
Publish a sufficiently detailed summary of the content used to train the model.
- Art. 54EU authorised representative
Non-EU GPAI providers must appoint an authorised representative in the Union.
- Art. 55(1)(a)Model evaluation (systemic risk)
Evaluate the model with standardised protocols, including adversarial testing.
- Art. 55(1)(b)Systemic-risk assessment & mitigation
Assess and mitigate systemic risks that could arise at Union level.
- Art. 55(1)(c)Serious-incident tracking
Track, document and report serious incidents and possible corrective measures.
- Art. 55(1)(d)Cybersecurity
Ensure an adequate level of cybersecurity protection for the model and infrastructure.
Key deadlines
- 2 Aug 2025 — GPAI-model provider obligations (Art. 53–55) apply
- 2 Aug 2027 — models placed on the market before Aug 2025 must be brought into compliance
FAQ
What counts as a general-purpose AI model?
A model trained on broad data at scale, showing significant generality, able to competently perform a wide range of distinct tasks and be integrated into many downstream systems — large language models and multimodal foundation models are the clearest examples.
What triggers 'systemic risk' obligations?
A GPAI model is presumed to have systemic risk when the cumulative compute used for training exceeds 10²⁵ FLOPs, or when the Commission designates it. That presumption adds the stricter Art. 55 duties: model evaluation, systemic-risk mitigation, incident reporting and cybersecurity.
Do open-source model providers have obligations?
Open-source GPAI models get some relief (e.g. from parts of Art. 53) where the model is released under a free and open licence and its parameters are public — but the copyright policy and training-data summary duties still apply, and open-source relief does not extend to models with systemic risk.
Not sure? You might also be a…
Run the free 2-minute checker — deterministic, no sign-up.