GPAI Model Obligations Under the EU AI Act: A Practical Summary
General-purpose AI (GPAI) models sit in their own chapter of the EU AI Act — Chapter V, Articles 51–56 — entirely separate from the high-risk regime in Chapter III. The obligations in force since 2 August 2025 apply to the companies that train and place GPAI models on the market, not to the much larger population of companies that simply use those models. If you buy access to an LLM via an API, you are almost certainly a downstream user receiving the Annex XII information package, not a GPAI provider. That distinction drives everything that follows.
For the detailed legal treatment of each Article in this chapter, see our deep-dive guide on Article 53. This page gives you the practical map.
What counts as a GPAI model?
A GPAI model, defined in Article 3(63) of Regulation (EU) 2024/1689, is a model trained on large data volumes using self-supervised learning at scale and capable of performing a wide range of distinct tasks. Large language models, multimodal vision-language models, and general-purpose foundation models fall within this definition. Narrow, task-specific models do not.
The definition is use-agnostic — it applies to the model itself, not to what any downstream application does with it. A GPAI model can end up embedded in a high-risk AI system, a minimal-risk chatbot, or a prohibited application; those downstream uses are classified under separate provisions (Articles 5 and 6). The GPAI chapter governs the model layer.
Who the obligations fall on
Article 53 imposes obligations on GPAI providers — the entities that train a GPAI model and place it on the EU market or put it into service. Whether the model is proprietary, open-source, or API-accessed, the provider bears the obligations.
Most companies are not GPAI providers. If you integrate a third-party model into your product, you are a downstream provider (and possibly a high-risk AI system provider under Article 25 if your use falls in Annex III) — but you are not the GPAI provider. You are on the receiving end: the GPAI provider is required to give you the Annex XII information so you can fulfil your own downstream obligations.
Baseline obligations for all GPAI providers (Article 53)
Every GPAI provider, regardless of model size, must comply with four requirements:
- Technical documentation (Annex XI). Draw up and keep current the technical documentation specified in Annex XI. This covers model architecture, training methodology, data composition, compute used in training, evaluation approach, and known limitations. It must be available to the AI Office and, on request, to competent authorities.
- Downstream-provider information (Annex XII). Provide the information specified in Annex XII to any downstream provider who integrates the GPAI model into their own AI system. This is the structured package that enables downstream providers to understand what they are building on and to meet their own obligations.
- Copyright policy (Article 4(3) of Directive 2019/790). Publish a policy demonstrating compliance with the text-and-data-mining opt-out mechanism under EU copyright law. Rights-holders can reserve their content from training data; providers must have a documented process for honouring those reservations.
- Training-data summary (AI Office template). Publish a sufficiently detailed summary of the training data used, following the template established by the AI Office. This summary is public-facing; the full Annex XI documentation is not.
Open-source GPAI models benefit from a partial exemption under the Act: they are relieved from some of the Article 53 obligations (primarily the Annex XI/XII documentation duties) unless the model carries systemic risk. The copyright-policy requirement applies regardless.
Systemic-risk GPAI: additional obligations under Article 55
Article 51 sets the classification threshold. A GPAI model is presumed to present systemic risk if the cumulative training compute exceeds 10²⁵ FLOP. The AI Office can also designate a model as systemic risk on qualitative grounds under Article 52. Once classified, the Article 52 notification procedure applies.
Systemic-risk GPAI providers must fulfil everything in Article 53 plus a further layer under Article 55:
- Model evaluation and adversarial testing. Conduct evaluations — including red-team adversarial tests — in accordance with AI Office protocols, before and after placing the model on the market.
- Systemic-risk assessment and mitigation. Track, document, and mitigate systemic risks identified through those evaluations, updating as capabilities evolve.
- Incident reporting. Report serious incidents and corrective measures to the AI Office without undue delay.
- Cybersecurity. Implement adequate cybersecurity measures to protect the model, its weights, and its infrastructure.
In practice, today's frontier models from a small number of large developers — not European companies in general — sit above the 10²⁵ FLOP threshold. If you are uncertain whether your model qualifies, the compute figure is the first test; you should also review the AI Office's guidance on qualitative designation under Article 52.
Authorised representatives and codes of practice
If a GPAI provider is established outside the EU but places a model on the EU market, it must designate an authorised representative in the EU under Article 54 — exactly as high-risk AI system providers must do under Article 22.
Article 56 establishes Codes of Practice as the primary practical tool for demonstrating compliance. The AI Office coordinates and endorses these codes; providers who adhere to a code benefit from a presumption of conformity with the corresponding obligations. The first codes are being developed through 2025–2026.
When the obligations apply
GPAI obligations have been in force since 2 August 2025. GPAI models already on the market before that date have until 2 August 2027 to achieve compliance — the Act's two-year grace period for pre-existing models. The Digital Omnibus delay that pushed the high-risk Annex III deadline to 2 December 2027 does not affect Chapter V; GPAI dates are unchanged.
Penalties
Fines for GPAI providers are imposed by the European Commission (not national authorities) under Article 101: up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. The Commission can also require access to the GPAI model for the purpose of investigation.
What most companies actually need to do
The majority of companies using tools built on GPAI models — ChatGPT, Gemini, Mistral, Azure OpenAI, and similar — are downstream users. Their practical obligation is to receive and retain the Annex XII documentation from their GPAI provider, and to factor it into their own compliance assessments when building AI systems.
If you are building an AI system on top of a GPAI model and that system falls within Annex III (say, a recruitment screening tool or a creditworthiness model), your obligations are those of a high-risk AI system provider under Chapter III — the GPAI model provider's obligations are theirs, not yours. Article 25 governs the point at which a downstream provider may take on provider-level responsibilities.
How Confir helps
Confir's intake workflow records your GPAI dependencies — the models you use, the providers, and the Annex XII documentation you have received. Because the classification, scoping, and findings logic is rule-based and deterministic, the system consistently maps your role (downstream user, not GPAI provider) and surfaces the obligations that actually apply to you. The AI register captures which GPAI models feed which AI systems in your portfolio, giving you an auditable chain from model to deployment. For the rare case where you are a GPAI provider, the same intake flags the Article 53 obligations and the systemic-risk threshold question.
Frequently Asked Questions
What is the difference between a GPAI provider and a downstream AI system provider?
A GPAI provider trains and places a general-purpose AI model on the market — think of the company that built and released the LLM. A downstream AI system provider builds a specific AI product or system using that LLM. The GPAI provider owes the Article 53 obligations (Annex XI documentation, Annex XII downstream package, copyright policy, training-data summary); the downstream provider owes the obligations that correspond to their system's risk classification — high-risk Chapter III obligations if the system falls in Annex III, transparency duties under Article 50 if it is customer-facing and limited-risk. The GPAI provider is never responsible for how a downstream provider uses the model.
Are open-source GPAI models exempt from Article 53?
Partially. Open-source GPAI providers are relieved from the Annex XI technical-documentation and Annex XII downstream-information duties in Article 53. They must still maintain a copyright compliance policy under Article 4(3) of Directive 2019/790 and publish the AI Office training-data summary. The open-source exemption disappears entirely for models that carry systemic risk — all Article 53 obligations and the additional Article 55 duties apply regardless of licensing model.
What triggers systemic-risk classification under Article 51?
The presumption of systemic risk is triggered when the cumulative training compute exceeds 10²⁵ FLOP (floating-point operations). Providers self-assess and notify the AI Office under the Article 52 procedure. The AI Office can also designate a model as systemic risk based on qualitative criteria — such as a large number of downstream users, integration into critical infrastructure, or demonstrated capabilities posing serious adverse effects — even if the model sits below the compute threshold.
Do GPAI obligations apply to models trained before 2 August 2025?
Yes, eventually. Models already on the EU market before 2 August 2025 must comply with Chapter V by 2 August 2027. Models placed on the market after 2 August 2025 must comply immediately. The Digital Omnibus deferral applies only to the high-risk Chapter III regime; it has no effect on the Chapter V GPAI deadlines.
What is the Annex XII downstream information package?
Annex XII specifies what a GPAI provider must give to downstream providers who integrate the GPAI model: information on the model's capabilities and limitations, how it was trained, the training-data summary, the copyright policy, and anything else the downstream provider needs to meet its own obligations. If you are a downstream provider and you have not received this package from your GPAI vendor, request it — you need it to substantiate your own technical documentation and risk management records.
What are the fines for GPAI non-compliance?
Under Article 101, the European Commission may fine GPAI providers up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. These fines are imposed by the Commission directly — not by member-state authorities — reflecting the Commission's role as the central supervisor of GPAI models.
Does a Code of Practice under Article 56 replace the Article 53 obligations?
No. A Code of Practice endorsed by the AI Office gives a provider a presumption of conformity — it is strong evidence that the provider is meeting the corresponding obligations. The obligations themselves are set in the Regulation. Adherence to an endorsed code is the practical route to demonstrating compliance; it is not a substitute for actually meeting the substantive requirements.