GPAI obligations have applied since August 2025

GPAI obligations live since August 2025. Providers of general-purpose AI (GPAI) models have been subject to EU AI Act obligations since 2 August 2025. This includes drawing up technical documentation, implementing a Union copyright compliance policy, publishing a sufficiently detailed summary of training content, and supplying information to downstream AI system providers.[1][2]

Models placed on the market after this date must comply immediately. Models already on the market before 2 August 2025 have until 2 August 2027. The practical priority in 2026 is determining whether your organisation qualifies as a provider of a GPAI model (distinct from an AI system) and whether the open-source exemptions or substantial modification rules apply.[3]

Law status (May 2026)

• Current law: GPAI provider obligations (Chapter V, Articles 53–55) are in application since 2 August 2025. Guidelines on scope, provider definition, and systemic risk classification are published and guide enforcement.[4]
• Enforcement: Commission powers begin August 2026; national authorities and the AI Office are operational.
• Proposed changes: The Digital Omnibus proposal and related discussions focus primarily on high-risk AI system timelines and simplification for SMEs. They do not alter the August 2025 GPAI application date. Any future amendments will be labelled clearly as proposal or negotiation status.

The core GPAI obligations entered into force on 2 August 2025. They target providers who develop, substantially modify, or place GPAI models on the Union market.[1]

Key live requirements include:

• Technical documentation on model development and testing, available to the AI Office or national authorities upon request.
• Information and documentation flows to downstream providers of AI systems so they can understand capabilities, limitations, and meet their own obligations.
• A policy to comply with EU copyright and related rights, including state-of-the-art measures to respect rights reservations.
• Publication of a sufficiently detailed summary of the training content (template available via the AI Office).
• For non-EU providers: appointment of an authorised representative in the Union before placing the model on the market (Article 54).[3]

Providers of GPAI models with systemic risk face additional obligations (notification, risk assessment, incident reporting, cybersecurity). An indicative threshold in the guidelines is training compute exceeding 10^23 FLOP combined with flexible generation capabilities (language, text-to-image, text-to-video), though case-by-case assessment applies.[3]

Open-source models can qualify for exemptions from certain obligations if specific licence, non-monetisation, and full disclosure conditions are met — but systemic-risk models do not benefit from these exemptions.

Legacy models placed on the market before 2 August 2025 must be brought into compliance by 2 August 2027.

Many teams still treat GPAI obligations as future requirements. The most common points of confusion are role classification, the model-versus-system distinction, and downstream responsibilities.

Provider definition: You are a provider if you develop a model, commission its development, or make substantial modifications and then place it (or make it available) on the Union market. Minor fine-tuning or simple integration does not automatically trigger provider status for the downstream actor. The Commission guidelines provide pragmatic criteria on “substantial modification.”[3]

GPAI model vs AI system: A GPAI model is the foundational, general-purpose component. When it is integrated with additional components (user interface, specific prompting, safety layers, domain data) for a particular purpose, the result is typically an AI system. The integrator then becomes the provider of that AI system and has different obligations. See our guide: AI system versus GPAI model: the distinction that changes obligations.

Downstream information flows: GPAI providers must proactively supply technical information and documentation. Downstream teams cannot fully comply with their own rules without it. Many contracts and APIs still lack structured data sheets or model cards meeting Article 53 standards.

Three realistic examples

• Hosted model provider: A company offering API access to a proprietary large language model is the GPAI provider. It must maintain technical documentation, publish the training summary, and give downstream application builders the required information.
• Open-weight model distributor: Releasing weights, architecture, and usage information under a qualifying open-source licence can trigger exemptions for non-systemic-risk models. However, if the distributor makes substantial modifications or the model meets systemic-risk criteria, full obligations (including notification) apply.
• Downstream application vendor: A productivity startup that fine-tunes a third-party open model lightly and wraps it in a task-specific interface is usually not the GPAI model provider. It acts as an AI system provider or deployer and should focus on obtaining adequate upstream documentation rather than recreating full GPAI technical files.

Read the detailed obligations guide: General-purpose AI model obligations under the AI Act.

1. Classify your role and models — Use the official guidelines to decide for each foundation model or significantly modified variant whether you are a GPAI provider, a downstream modifier, or an AI system provider. Document the reasoning.

1. Gather and structure documentation — Create or update technical documentation covering training process, data, evaluation results, and limitations. Prepare the public training-content summary using the AI Office template.

1. Clarify representative questions — Non-EU teams should identify and formally appoint an authorised representative where required. This entity handles information requests and enforcement contacts.

1. Align value-chain information flows — Update contracts, APIs, and developer portals to deliver the information downstream providers need. Many organisations now include a standardised “GPAI Compliance Pack” with each model release or API key.

1. Assess systemic risk where relevant and decide on Code of Practice adherence. Signatories can demonstrate compliance more readily.

The AI Office encourages early informal collaboration, especially for advanced models.

• [ ] Run the provider and GPAI model classification exercise for every model or major variant in your portfolio or supply chain.
• [ ] Confirm or create technical documentation and the training-content summary.
• [ ] Verify downstream recipients are receiving adequate information (test by asking a customer what they received).
• [ ] If non-EU based, confirm authorised representative status and contact details are current.
• [ ] Review open-source releases against the exact exemption conditions in the guidelines.
• [ ] Log decisions and evidence in a central compliance register for future AI Office or national authority requests.
• [ ] Subscribe to official AI Office updates and test your artifacts against the latest templates.

Common operational pitfalls we see in 2026 include treating every fine-tune as a new GPAI model, assuming all open-weight distributions are automatically exempt, providing only marketing materials instead of structured technical information to customers, and delaying documentation until an enforcement notice arrives.

Next step Stay ahead of enforcement by subscribing to Try AI Compliance updates on GPAI developments. Scan your current materials and documentation flows with our readiness tools or review the full guide at General-purpose AI model obligations under the AI Act. Early evidence collection now reduces pressure when national authorities or the AI Office request information.

Sources

• European Commission guidelines on obligations for providers of general-purpose AI models (2025).
• AI Act Service Desk timeline and Article 113 application dates.
• Official GPAI Q&A and Code of Practice materials from digital-strategy.ec.europa.eu and ai-act-service-desk.ec.europa.eu.

All statements reflect current official EU positions as of April 2026. This page is an operational update resource, not legal advice.