Obligations

GPAI Obligations Under the EU AI Act: Provider Duties

Updated 14 July 2026 9 min read

General-purpose AI (GPAI) models sit at the base of much of today's AI stack, and the EU AI Act places a distinct set of duties on the organisations that build them. Since 2 August 2025, providers of GPAI models have had to keep technical documentation current, share information downstream, put a copyright-compliance policy in place and publish a summary of their training content. The most capable models carry heavier duties still. This guide explains what a GPAI model is, who counts as a provider, and exactly what each obligation requires.

What counts as a general-purpose AI model

Under the EU AI Act (Regulation (EU) 2024/1689), a general-purpose AI model is one that is trained on a broad range of data at scale, displays significant generality, and is capable of competently performing a wide range of distinct tasks — regardless of how it is placed on the market. Large language models and multimodal foundation models are the obvious examples.

The key distinction is between the model and any AI system built on top of it. GPAI obligations attach to the model itself and its provider. When that model is integrated into a product with an intended purpose, the resulting system may separately fall under other parts of the Act — for instance the high-risk rules or the Article 50 transparency obligations. The two layers are assessed independently.

Since when the obligations apply

The GPAI model obligations, together with the Act's governance and penalties provisions, have applied since 2 August 2025. This is one of the staggered milestones set out in Article 113 — see the full EU AI Act deadlines for the surrounding timeline.

Providers that had already placed GPAI models on the EU market before that date are still brought within scope; the Act does not exempt existing models indefinitely. If you are unsure whether your model or the systems built on it are in scope, the free risk checker is a quick first pass.

Core provider obligations

Every provider of a GPAI model must:

  • Keep up-to-date technical documentation of the model — covering its training and testing process and evaluation results — and make it available to the AI Office and competent authorities on request.
  • Provide information to downstream providers who integrate the model into their own AI systems, so those providers can understand the model's capabilities and limitations and meet their own obligations.
  • Put in place a policy to comply with EU copyright law, including a means to respect rights reservations (opt-outs) expressed by rightsholders.
  • Publish a sufficiently detailed summary of the content used to train the model, following the template provided by the AI Office.

A Code of Practice developed with the AI Office and industry supports compliance and is the primary means for providers to demonstrate they meet these duties until harmonised standards are available.

Extra duties for GPAI with systemic risk

A subset of the most capable models — GPAI with systemic risk, meaning very high-capability models whose reach could have significant effects across the EU market — carry additional obligations on top of the core four:

  • Model evaluations, including standardised adversarial testing (red-teaming) to identify and mitigate systemic risks.
  • Systemic-risk assessment and mitigation across the model lifecycle.
  • Tracking, documenting and reporting serious incidents and possible corrective measures to the AI Office and relevant authorities.
  • An adequate level of cybersecurity for the model and its physical infrastructure.

These duties reflect the greater potential impact of frontier-scale models and apply in addition to — not instead of — the baseline provider obligations.

Who is a downstream provider

A downstream provider is an organisation that integrates a GPAI model into its own AI system or service and places that system on the market or puts it into service under its own name. Downstream providers are not subject to the GPAI model obligations, but they rely on the information the upstream model provider is required to share in order to meet their own duties.

Two practical points matter here:

  • If a downstream provider substantially modifies a GPAI model, it can itself become the provider of a GPAI model and inherit those obligations.
  • The system a downstream provider builds is assessed on its own merits — it may be low-risk, subject to transparency duties, or high-risk depending on its intended purpose.

Penalties for non-compliance

Failure to meet GPAI obligations can be enforced against providers directly. The Act's penalties regime sets fines of up to €15M or 3% of worldwide annual turnover (whichever is higher) for breaches of obligations other than the prohibited-practice rules, and up to €7.5M or 1% for supplying incorrect, incomplete or misleading information.

Because the core obligations centre on documentation and disclosure, the most effective compliance posture is to build the technical documentation, copyright policy and training-data summary as living artefacts from the outset rather than reconstructing them under an authority's deadline.

Frequently asked questions

When did GPAI obligations start applying?

The general-purpose AI model obligations, along with the Act's governance and penalties provisions, have applied since 2 August 2025 under Article 113.

What is the difference between a GPAI model and GPAI with systemic risk?

All GPAI models carry the core provider obligations. GPAI with systemic risk refers to very high-capability models that carry extra duties: model evaluations and adversarial testing, systemic-risk assessment and mitigation, incident reporting, and cybersecurity.

Do I have to publish my training data?

Not the raw data. Providers must publish a sufficiently detailed summary of the content used to train the model, following the template provided by the AI Office, and put in place a policy to comply with EU copyright law.

Am I a downstream provider or a model provider?

If you integrate someone else's GPAI model into your own system you are a downstream provider and rely on the model provider's disclosures. If you substantially modify the model, you can become a GPAI model provider yourself and inherit those obligations.

Find your risk class in 2 minutes

Free, no sign-up. Deterministic — not a chatbot.

Run the free check