AI system versus GPAI model: the distinction that changes obligations

AI System vs GPAI Model under the EU AI Act: Classification Framework and Operational Impact

An AI system is a specific implementation that uses inference from inputs to generate outputs influencing physical or virtual environments for explicit or implicit objectives. A GPAI model (general-purpose AI model) is a foundational model displaying significant generality, capable of competently performing a wide range of distinct tasks and integrable into many downstream AI systems.

The distinction is operational, not abstract: it determines who counts as the provider, which obligations apply, what information must flow downstream, and which compliance artifacts you must prepare. If you place a versatile base model on the market (via API or download), you are likely a GPAI provider with technical documentation, copyright policy, and training-summary duties (applicable since 2 August 2025). If you build a user-facing application, feature, or SaaS on top of such a model, you are typically the provider of an AI system and must use the information supplied by the GPAI provider to meet your own requirements.[1][2]

This classification directly changes your next actions—documentation depth, information-sharing duties, and intersections with Article 50 transparency rules.

Law status (May 2026) Current law is based on Regulation (EU) 2024/1689. Commission guidelines on the AI system definition (published February 2025) and guidelines on obligations for providers of general-purpose AI models provide non-binding practical interpretation. GPAI obligations apply from 2 August 2025 for models placed on the market after that date; pre-existing models follow a later timeline (by August 2027). High-risk AI system rules phase in separately in 2026–2027. No binding amendments alter the core AI-system vs GPAI-model distinction. Proposed simplification measures under the Digital Omnibus remain proposals and are labeled as such where relevant. This page reflects official EU sources only.

The AI Act regulates AI systems and separately addresses general-purpose AI (GPAI) models because the latter serve as building blocks for many downstream applications.

According to the Commission’s guidelines on the definition of an artificial intelligence system, an AI system is a machine-based system designed to operate with varying levels of autonomy. It infers from inputs how to generate outputs (predictions, content, recommendations, or decisions) that can influence physical or virtual environments. Not all software qualifies; the key is the inferential, adaptive element rather than purely deterministic rules. The guidelines emphasize practical assessment over theoretical labels and are designed to evolve with real-world use cases.[3]

A GPAI model is defined as an AI model that displays significant generality and is capable of competently performing a wide range of distinct tasks, regardless of how it is placed on the market, and that can be integrated into a variety of downstream systems or applications. Recitals and guidelines highlight that large generative models (text, image, video, audio) are typical examples. An indicative computational threshold is training with more than 10^23 FLOP combined with flexible generation capabilities (language, text-to-image, text-to-video). Models below this threshold may still qualify if they show significant generality; models above it may exceptionally not qualify if narrowly scoped.

Systems built on GPAI models are separate AI systems. The GPAI model provider supplies technical information and documentation. The downstream provider integrates it, evaluates the resulting AI system’s risk level (e.g. high-risk HR screening tool), and fulfills the corresponding obligations. The model itself is not the final “system” offered to end users in most cases.

Operationally this creates a chain: GPAI providers focus on transparency, copyright compliance, and enabling downstream understanding. AI system providers focus on risk classification, conformity, human oversight, and (where applicable) Article 50 transparency toward users.

Classification requires examining what is actually placed on the market or put into service, not the underlying technology in isolation. Ask:

• Is the offering a standalone, versatile capability (model/API) that many parties can integrate in different ways?
• Or is it a finished, purpose-specific application or feature with defined objectives and user interactions?

Models and base-model APIs are typically GPAI models when they meet the generality criteria. The provider’s main obligations are technical documentation, information packages for downstream developers, a Union copyright policy, and a sufficiently detailed summary of training content.

User-facing applications, SaaS products, plugins, or internal tools are AI systems. Their provider must classify the system’s risk level and comply accordingly. When they incorporate a GPAI model, they rely on the upstream information to perform their own conformity assessment or risk management.

Wrappers or simple integrations are not automatically AI systems or GPAI providers. The question is who places the product on the market and what is presented to customers. A thin wrapper that merely forwards prompts without adding meaningful inference or purpose-specific functionality may not shift the provider role. A wrapper that adds significant customisation, safety layers, domain-specific prompting, or user interface that shapes the objectives is more likely part of an AI system.

Downstream integrations (embedding a GPAI model into a larger product) usually make the integrator the provider of the resulting AI system. The original model provider remains the GPAI provider.

Internal tools used solely within an organisation are often exempt from many provider obligations but may still trigger deployer duties or Article 50 transparency if they qualify as certain AI systems.

Use the tables below to map your offering.

These classifications are not absolute. Always document your reasoning with reference to the Commission guidelines and retain evidence of the decision process.

The classification changes concrete compliance work.

GPAI obligations (Article 53 and following) focus on the model level: technical documentation (including training details), provision of information to downstream AI system providers so they can comply with their rules, a policy to respect Union copyright law, and publication of a summary of training content. Providers of GPAI models with systemic risk have additional evaluation, mitigation, incident reporting, and cybersecurity requirements. These rules have applied since 2 August 2025 for new models.

Downstream information duties are one of the main reasons the distinction exists. GPAI providers must give AI system providers enough detail on capabilities, limitations, known biases, and recommended use cases. Downstream providers must then demonstrate they have taken this information into account.

Article 50 intersections arise mainly for AI systems. Certain user-facing AI systems (chatbots, deepfake generators, emotion recognition) must inform people they are interacting with or viewing AI-generated content. A pure GPAI model offered via API does not usually trigger these end-user obligations itself; the downstream application does.

Provider/deployer logic is clarified in official guidance. The entity that places the GPAI model on the market (develops and releases it under its own name or brand) is the GPAI provider. An organisation that fine-tunes a model significantly and releases the result under its own brand may become a new provider. Simple users or deployers of a finished AI system have narrower duties focused on proper use, monitoring, and human oversight where required. Do not blur these roles. See our guide on provider vs deployer roles.

For non-EU companies offering GPAI models in the Union market, authorised representative obligations under Article 54 apply. See non-EU companies and the AI Act.

The distinction therefore determines which technical files you maintain, what you must publish, what you must hand to customers or partners, and which authority requests you are likely to receive.

• Calling every chatbot a GPAI model. Most consumer chatbots are AI systems built on one or more GPAI models. The chatbot provider is usually not the original GPAI provider unless they developed and released the base model itself. This mistake leads to preparing the wrong documentation set and missing downstream information duties.
• Treating every wrapper or API integration as automatically creating a new AI system provider without analysing market placement. If the wrapper merely exposes an upstream model with minimal added functionality, the original provider may still be considered the main entity placing the capability on the market. Document your analysis.
• Confusing model provider with deployer. A company that simply uses a public GPAI API inside its internal processes is typically a deployer of an AI system, not a GPAI provider. A company that fine-tunes at scale, hosts the model, and offers it to third parties under its own branding is more likely a provider.
• Assuming that open-source automatically exempts all obligations. Open-source GPAI models can qualify for exemptions from certain provider duties, but systemic-risk models and copyright-summary requirements often remain.
• Overlooking the information-flow obligation. Downstream AI system providers sometimes claim they lack sufficient information from upstream GPAI providers. Official guidance makes clear that GPAI providers must supply adequate documentation; downstream entities must demonstrate they requested and used it.

Action checklist

• Map every offering (model, API, application, plugin, internal tool) against the classification criteria above and document the outcome.
• For GPAI models: prepare technical documentation, copyright policy, training-content summary, and information package for downstream users.
• For AI systems: classify risk level, request and reference upstream GPAI documentation, implement required transparency measures.
• Maintain version-controlled records of classification decisions and information exchanged with upstream or downstream parties.
• Review obligations again whenever you significantly modify a model or change how it is placed on the market.
• Use structured evidence collection to support future authority requests or audits.

Is ChatGPT itself an AI system or a GPAI model? The underlying models are GPAI models. The public consumer interface (chatbot) is an AI system that uses those models and is subject to transparency obligations under Article 50 where applicable. OpenAI acts as both a GPAI provider and an AI system provider depending on the specific offering.

Can one product involve both? Yes. A single company can be a GPAI model provider for its base models and an AI system provider for its downstream applications built on those models. The obligations apply separately to each role and offering.

Does this distinction matter for deployers too? It does. Deployers of AI systems must understand whether they are using a GPAI model so they can correctly interpret the information and instructions supplied by the upstream provider and meet any human oversight or monitoring requirements.

How does this affect non-EU providers? Non-EU providers of GPAI models placed on the Union market must appoint an authorised representative in the EU (Article 54) and comply with the same obligations as EU providers. Downstream EU companies integrating those models must still receive the required information. See our dedicated guide: How the EU AI Act reaches companies outside the EU.

Ready to classify your products and generate the right evidence package? Use the Evidence Scanner to map your models and AI systems, auto-generate obligation checklists, and build a defensible compliance folder that aligns with official Commission guidelines. It is the fastest way to turn this framework into concrete next steps for your specific portfolio.

Sources

• Commission guidelines on the definition of an artificial intelligence system (February 2025)
• Guidelines on obligations for providers of general-purpose AI models and related FAQ (digital-strategy.ec.europa.eu)
• General-Purpose AI Models in the AI Act – Questions & Answers (AI Office)
• Regulation (EU) 2024/1689 (EUR-Lex)
• AI Act Service Desk resources on timeline and GPAI

All legal statements are anchored to these primary official sources. This page is for educational and readiness purposes and does not constitute legal advice.