General-purpose AI model obligations under the AI Act

GPAI obligations under the EU AI Act are in force. Providers of general-purpose AI models must draw up technical documentation, supply information to downstream AI system providers, implement a policy to respect Union copyright law, and publish a sufficiently detailed summary of training content. These requirements have applied since 2 August 2025 for models placed on the market on or after that date; earlier models must comply by 2 August 2027. Non-EU providers must appoint an authorised representative. Models with systemic risk carry additional evaluation, mitigation, incident reporting, and cybersecurity obligations. This guide maps these rules to concrete artifacts, value-chain handoffs, and readiness checks that teams can action immediately.

Current law status (May 2026) GPAI obligations under Articles 53, 54, and (where relevant) 55 of the AI Act are live. The Commission’s official guidelines clarify scope, the definition of “provider,” significant modifications, open-source exemptions, and the indicative 10²³ FLOP compute threshold paired with content-generation capabilities. The voluntary General-Purpose AI Code of Practice offers practical measures for demonstrating compliance. Proposals under the Digital Omnibus package address high-risk timelines and SME simplifications but have not changed core GPAI rules. Always consult primary EU sources for your specific situation; this page is not legal advice.

A provider is the entity that develops a general-purpose AI model or has it developed and then places it on the Union market. The AI Act looks at functional responsibility rather than labels: if you substantially modify an existing model in a way that creates a new model with significantly different capabilities or performance, you are likely treated as the provider for that modified version.

Official guidelines use an indicative criterion: training compute exceeding 10²³ floating-point operations (FLOP) combined with the ability to generate language (text or audio), text-to-image, or text-to-video content. Models meeting this are presumed to display significant generality and perform a wide range of tasks. Exceptions exist in both directions—some models below the threshold may still qualify as GPAI, while certain high-compute models may not if they lack meaningful generality.

Open-source models released under free and open-source licenses can qualify for exemptions from certain obligations provided they meet the conditions set out in the guidelines (systemic-risk models remain fully subject to higher obligations). Minor changes or fine-tuning by downstream users do not automatically create new provider obligations.

See also: AI system vs GPAI model and provider vs deployer roles.

Article 53 requires providers to:

• Draw up and keep technical documentation that describes the model’s architecture, training process, data governance, evaluation results, and limitations. This must be available to the AI Office upon request and shared with downstream providers as needed.
• Supply sufficient information and documentation to downstream AI system providers so they can understand capabilities, limitations, and risks and meet their own obligations.
• Put in place a policy to comply with Union copyright and related rights law. This includes using state-of-the-art tools to identify rights reservations (e.g., via the TDM reservation protocol).
• Publish a sufficiently detailed summary of the content used for training, following the Commission’s template.

For general-purpose AI models with systemic risk (classified under Article 51), Article 55 adds notification to the Commission, model evaluations, systemic risk assessment and mitigation, serious incident reporting, and robust cybersecurity protections.

The voluntary General-Purpose AI Code of Practice translates these rules into detailed measures. Providers may demonstrate compliance by adhering to the Code or by showing alternative adequate means. Submissions to the AI Office (notifications, reports, summaries) use the EU SEND platform.

These obligations focus on transparency, downstream enablement, and risk management across the value chain rather than one-size-fits-all certification.

Downstream providers of AI systems built on or integrated with GPAI models depend on timely, accurate information from the model provider. Without it they cannot reliably assess whether their system is high-risk, implement appropriate transparency measures under Article 50, or conduct necessary risk management.

Typical requests include capability cards, limitation statements, known hallucination or bias patterns, training-data summaries, and details on intended use cases. Friction commonly appears when model providers supply only high-level marketing materials, fail to version documentation, or treat every integration request as a one-off support ticket instead of a scalable information package.

Examples

• Open-weight model provider: Must still publish the training-content summary and maintain technical documentation. If the license and conditions qualify for exemption, certain documentation-sharing burdens may be reduced, but systemic-risk obligations remain if they apply.
• Hosted model API provider: Typically delivers information through structured API references, dedicated compliance portals, or model cards that downstream customers can reference when building applications.
• Downstream application vendor needing information from its model supplier: Must request and incorporate the GPAI provider’s technical documentation and risk information to fulfil its own transparency or high-risk obligations. Gaps here often surface during internal audits or authority questions.

Clear contracts and information-sharing protocols reduce friction. See non-EU companies and the AI Act for additional considerations when the model provider is outside the EU.

Create an artifact inventory with clear ownership and review cadence. Typical artifacts include:

• Up-to-date technical documentation (development process, architecture, data, evaluations, limitations)
• Public training-content summary using the official template
• Documented copyright compliance policy with evidence of state-of-the-art rights-reservation detection
• Downstream information package (datasheet, model card, risk summary)
• Systemic-risk assessment and mitigation plan (if applicable)
• Signed mandate with an EU authorised representative (for non-EU providers under Article 54)

Assign joint ownership—engineering for technical accuracy, legal/compliance for policy and representative appointments, product for downstream materials. Review at least annually and after any significant model update or training run.

Representative question for non-EU actors: “Do we (or our distributors) place this GPAI model on the EU market? If yes, have we appointed and empowered an authorised representative established in the Union who can be addressed by authorities and perform the required tasks?”

GPAI obligation map

Provider maturity table

What applies to GPAI providers right now? Technical documentation, downstream information sharing, copyright policy, and training-content summary obligations apply to models placed on the market since 2 August 2025. Pre-existing models have until 2 August 2027. Systemic-risk models have additional notification, evaluation, and mitigation duties. The Code of Practice is voluntary but provides a practical compliance pathway.

How is a GPAI model different from a chatbot app? A GPAI model is the foundational component capable of a wide range of tasks. A chatbot app is typically an AI system built on top of one or more models, adding an interface, safety layers, and specific use-case logic. The model provider and system provider obligations therefore differ. See AI system vs GPAI model.

What do downstream providers need from model providers? They need actionable information on capabilities, limitations, known risks, performance characteristics, and training-data summaries so they can assess their own system classification, implement transparency measures, and manage risks appropriately.

Do non-EU model providers need an authorised representative? Yes. Under Article 54, a provider established outside the EU must appoint an authorised representative in the Union before placing a GPAI model on the market. The representative can be addressed by authorities and performs the tasks mandated by the AI Act.

• Confirm whether your model meets the GPAI criteria using the Commission’s official guidelines.
• Compile or update technical documentation to the expected standard.
• Create and publish the training-content summary using the Commission template.
• Document and implement your Union copyright compliance policy.
• If outside the EU, appoint and mandate an authorised representative.
• Prepare a standardised downstream information package.
• Assess potential systemic risk and document notification or mitigation steps if relevant.
• Review alignment with the General-Purpose AI Code of Practice or equivalent measures.
• Assign owners and set a review cadence (annual plus major-update trigger).
• Test your current evidence against authority or downstream expectations.

Take the next step. Download the non-EU GPAI initial screen sample report to see a concrete example of how these obligations translate into organised evidence that satisfies both the AI Office and downstream partners. Use it as a ready-to-adapt template for your own documentation workflow.

Sources

• Guidelines for providers of general-purpose AI models (European Commission)
• Guidelines on obligations for GPAI providers FAQ
• General-Purpose AI Models Q&A (AI Office)
• Article 54: Authorised representatives (AI Act Service Desk)
• Timeline and Article 113 application dates (AI Act Service Desk)
• Regulation (EU) 2024/1689 (EUR-Lex)

All legal statements are drawn from these primary official sources. This page does not constitute legal advice or guarantee compliance.