EU AI Act Article 53: Obligations for All GPAI Model Providers
EU AI Act Article 53: what every GPAI provider must do — Annex XI docs, Annex XII integrator info, a copyright policy, a public training-data summary.
Article 53 of Regulation (EU) 2024/1689 sets the baseline compliance obligations for every provider that places a general-purpose AI (GPAI) model on the EU market or puts one into service. These obligations apply regardless of whether the model presents systemic risk. If your model does cross the systemic-risk threshold, Article 55 layers on additional requirements — but Article 53 comes first, for everyone.
Most organisations reading this are not GPAI providers. They are companies integrating a third-party foundation model — OpenAI, Anthropic, Mistral, or similar — into their own products. For you, Article 53 matters because it dictates what the model provider must hand you: the Annex XII documentation that proves the model was built lawfully, documents its limitations, and enables you to meet your own downstream obligations. Understanding what Article 53 requires of providers tells you exactly what to ask for — and what gaps in a provider's documentation create compliance exposure for you.
What Article 53 Covers — and What It Does Not
Article 53 sits in Chapter V of the Act alongside Articles 51, 52, 54, 55, and 56. The chapter heading is "General-Purpose AI Models." Get the article map right:
- Article 51 — classification of a GPAI model as systemic-risk (including the 10²⁵ FLOP training-compute presumption).
- Article 52 — the notification procedure when systemic-risk status is designated.
- Article 53 — baseline obligations for all GPAI providers (the subject of this guide).
- Article 54 — authorised representatives for non-EU GPAI providers.
- Article 55 — additional obligations that apply only to providers of systemic-risk GPAI models (model evaluation, adversarial testing, incident reporting, cybersecurity measures).
- Article 56 — the GPAI Code of Practice.
The old version of this page conflated Article 53 with Article 55. They are separate. If a provider falls under Article 53 but not Article 55, they have no obligation to conduct adversarial testing or report incidents to the AI Office. Article 55 kicks in only once systemic-risk status is established.
When Do Article 53 Obligations Apply?
GPAI obligations under Chapter V applied from 2 August 2025. The Digital Omnibus political agreement of May 2026 deferred the high-risk application dates (to 2 December 2027 and 2 August 2028) but did not alter Chapter V. GPAI providers who placed models on the market after 2 August 2025 must comply now.
One transitional window applies: models already on the market before 2 August 2025 must come into compliance by 2 August 2027.
The Four Article 53(1) Obligations
(a) Technical documentation under Annex XI
Providers must draw up and keep up to date technical documentation of the model. This documentation covers the model's general description, the training and testing process, and the evaluation results — formatted according to Annex XI of the Act (not Annex IV, which governs high-risk AI systems under Article 11). The documentation must be made available to the AI Office and national competent authorities on request.
Annex XI is divided into two sections. Section A applies to GPAI models placed on the market as standalone products or offered directly to end users. Section B covers models made available through APIs for downstream integration. The difference is practical: a model sold via API is typically documented at the model level, while a consumer-facing product may require additional information about the interface, safety filters, and post-training alignment measures.
What must the Annex XI documentation contain? At a minimum: a general description of the model architecture and intended purpose; a detailed account of the training process, including the data sources, data processing methodology, and compute resources used; the evaluation procedures applied and the results, including capability benchmarks and safety evaluations; known limitations and risks identified through evaluation; technical measures implemented to address those risks; and the procedures and safeguards applied during deployment or integration. The documentation must be kept current — if the provider retains the model, updates it, or identifies new risks post-deployment, Annex XI records must reflect that.
This is the documentation that the AI Office may request during supervision. It is not published publicly (unlike the training-data summary under obligation (d)), but providers should assume it could be scrutinised during an investigation or as part of the codes-of-practice auditing process. A provider that cannot produce coherent, up-to-date Annex XI documentation when asked by the AI Office faces the Article 99(5) ceiling for supplying incomplete information — €7,500,000 or 1% of turnover.
(b) Information and documentation for downstream providers — Annex XII
Providers must draw up, keep up to date, and make available to downstream providers (the companies integrating the model) the information and documentation set out in Annex XII. This is distinct from the Annex XI documentation required by obligation (a): Annex XI is for regulators, Annex XII is for integrators.
Annex XII requires providers to supply at minimum: a general description of the GPAI model and its intended purpose; the elements of training data (categories and sources); the computational resources used; the known limitations and risks relevant to downstream use; and technical measures necessary for safe integration. This is the package a downstream company needs to complete its own conformity assessment or FRIA.
The practical significance here is greater than the regulatory language suggests. For a downstream company building a high-risk AI system on top of a GPAI model, the Annex XII documentation from the upstream provider feeds directly into the Article 11 / Annex IV technical documentation file for the downstream system. Without it, the downstream technical file has a gap that cannot be papered over. A credit-scoring tool built on a foundation model API cannot fully document its data governance or risk profile without understanding what data the underlying model was trained on, what its known failure modes are, and what integration measures the provider recommends.
Downstream providers should therefore request Annex XII documentation explicitly when entering contracts with GPAI providers — and should document whether it was received and in what form. Article 53(1)(b) creates a legal obligation on the provider to supply it; downstream providers who rely on a model whose provider cannot or will not supply the Annex XII pack should document that gap and consider whether it affects the viability of their own conformity assessment.
If you are integrating a GPAI model and the provider cannot supply an Annex XII–compliant information pack, that is a compliance gap for the provider — and a risk-management flag for you.
(c) Copyright compliance policy
Providers must put in place a policy to comply with Union copyright law, with particular attention to identifying and complying with any reservation of rights under Article 4(3) of Directive (EU) 2019/790 (the Copyright in the Digital Single Market Directive). Article 4(3) allows rights-holders to opt out of text-and-data-mining by machine-readable means — such as robots.txt directives or HTTP headers — and GPAI providers must honour those reservations when assembling or licensing training data.
The obligation is process-level: have the policy in place, document it, follow it. The Act does not prescribe the exact form. In practice, providers need a documented procedure for identifying opt-out signals in the datasets they use, for excluding or separately licensing content where a reservation has been made, and for retaining records that demonstrate that scraping and training-data assembly was conducted in compliance with the Directive.
This matters beyond formal regulatory compliance. A GPAI provider that cannot demonstrate a compliant copyright policy exposes its downstream integrators to legal risk — deployers and developers building on the model may face claims that their outputs incorporate unlicensed material. The copyright policy obligation is one of the two Article 53 obligations that apply to all providers including open-source ones, precisely because copyright infringement in training data does not disappear when the model weights are made freely available.
(d) Publicly available training-data summary
Providers must draw up and make publicly available a sufficiently detailed summary of the content used to train the GPAI model. The AI Office has published a template for this summary. The requirement is to follow that template rather than produce a freeform description.
The summary is not the same as the full Annex XI documentation — it is a public-facing document, necessarily less granular, designed to allow deployers, researchers, and regulators to understand the broad composition of the training corpus without requiring access to confidential technical records.
What does an adequate training-data summary contain under the AI Office template? The summary should identify the broad categories of data used (web crawl data, licensed content, code repositories, scientific publications, etc.); the languages represented and their approximate proportions; the time range of the training corpus; the major data sources or data providers; and a description of any filtering, deduplication, or quality-processing steps applied. The summary does not need to disclose the exact dataset composition in a way that reveals trade secrets, but it must be detailed enough for a reader to assess the likely presence of specific content types — for example, whether the corpus includes medical literature, legal documents, or content from a particular jurisdiction.
The training-data summary is publicly searchable. Researchers, journalists, civil society organisations, and regulators can use it to assess the provenance of models they or others rely on. Providers who publish a vague or incomplete summary — for example, simply stating "publicly available internet data" without further breakdown — risk both regulatory scrutiny from the AI Office and reputational exposure when the summary's inadequacy is publicly visible.
The Open-Source Exemption
Obligations (a) and (b) — the Annex XI technical documentation and the Annex XII downstream information pack — do not apply to providers of GPAI models released under a free and open-source licence, provided that the model weights are made publicly available.
The exemption rests on a disclosure logic: if the weights are publicly available, downstream users can, in principle, inspect the model themselves. Regulators can access the weights directly. The rationale for requiring the provider to produce and hand over a structured documentation pack is weakened when the model itself is openly accessible.
But the exemption is conditional in two important respects.
First, it applies only if the licence is genuinely free and open-source — it cannot be a restricted licence labelled "open" for marketing purposes. The AI Office and the GPAI Code of Practice process are expected to clarify what licence conditions are compatible with the exemption; providers using non-standard licences that restrict commercial use or impose other conditions should not assume the exemption applies.
Second, it evaporates entirely if the open-source model is later classified as systemic-risk under Article 51. Once that threshold is crossed — whether through the 10²⁵ FLOP presumption or through a Commission decision — all four Article 53(1) obligations attach, open-source or not. An organisation that releases open weights for a frontier-scale model cannot avoid the Annex XI and Annex XII requirements simply because it has not charged for access.
Obligations (c) and (d) — the copyright policy and the training-data summary — apply to all GPAI providers, including open-source ones. There is no carve-out for copyright compliance, which makes sense: the copyright status of training data does not change because the resulting model weights are made publicly available.
Non-EU Providers: Article 54 and Authorised Representatives
A provider established outside the EU that places a GPAI model on the EU market must designate an authorised representative within the EU under Article 54. The representative acts as the point of contact for the AI Office and national authorities, receives enforcement communications on the provider's behalf, and can be held jointly liable for compliance failures. This mirrors the Article 22 mechanism for high-risk AI providers.
If you are integrating a non-EU GPAI model and the provider has not designated an Article 54 authorised representative, that is a red flag worth documenting in your own risk register.
The GPAI Code of Practice
Article 56 mandates that the AI Office oversee the creation of a Code of Practice for GPAI providers. Participation in and adherence to the Code is a way to demonstrate compliance with Articles 53 and 55. The Code does not replace the legal obligations — it operationalises them, providing model evaluation protocols, documentation standards, and transparency templates that providers can adopt to satisfy the underlying requirements.
The AI Office published the first draft of the GPAI Code of Practice in November 2024 and has run consultation rounds into 2025. A provider following the Code's guidance on training-data documentation, capability evaluation, and downstream disclosure will be in a strong position to demonstrate Article 53 compliance to authorities.
Practical Implications for Downstream Integrators
The majority of companies subject to the EU AI Act are not GPAI providers. They are downstream integrators: a SaaS company embedding a foundation model API into an HR tool, a financial services firm using a language model for document processing, a health tech startup wrapping a GPAI model in a specialist clinical application.
For these companies, Article 53 is relevant in two ways.
First, the Annex XII documentation you receive from a GPAI provider feeds directly into your own technical documentation under Article 11 and Annex IV (if your system is high-risk). If the provider's information pack is incomplete, your technical file has a gap. That gap does not disappear because it originates upstream — your conformity assessment or FRIA must still address it.
Second, the copyright policy (obligation (c)) sits with the provider, not with you. But if a GPAI provider cannot demonstrate it has a compliant copyright policy, downstream integrators face reputational and legal exposure from relying on a model trained on unlicensed data.
Worked example. A 60-person legal-tech firm builds a contract-analysis tool on top of a major foundation model API. The tool assists lawyers in reviewing commercial agreements — it falls under Article 6 and Annex III (access to essential private services) if it makes or influences creditworthiness decisions, but more typically it is classified as minimal or limited risk under the Act. Regardless of the tool's own risk tier, the firm needs the GPAI provider's Annex XII documentation to understand what limitations apply to the model in a legal-analysis context, what data the model was trained on (to assess potential copyright contamination in outputs), and what technical measures the provider recommends for safe integration. That documentation is the provider's Article 53(1)(b) obligation. The firm should request it explicitly and document whether it was received.
If the legal-tech firm later repositions its tool for employment screening — for example, summarising candidate CVs and flagging them for rejection — the system becomes high-risk under Annex III, point 4 (employment and worker management). At that point the firm needs not only the Annex XII documentation from its GPAI provider, but also the full Article 11 / Annex IV technical documentation pack for its own system, and must complete a conformity assessment under Article 43 before deployment. The upstream Article 53 obligation does not change — the GPAI provider still owes the same Annex XII package — but the downstream obligations escalate sharply. This is the intersection most compliance teams miss: a GPAI integration that is minimal-risk today can become high-risk tomorrow if the intended purpose changes, and the Article 53 documentation from the provider needs to be on file before that transition happens.
How Confir Helps
Confir's compliance register lets you record every GPAI model your organisation integrates and track whether you have received the required Annex XII documentation from each provider. The documentation received is logged with a timestamp and linked to the relevant AI system record, so you can demonstrate in an audit that you obtained and reviewed it.
The engine is rule-based and deterministic: it flags gaps automatically when a system is marked as using a GPAI component and no Annex XII documentation has been attached, rather than relying on manual checklists.
Penalties
Non-compliance with Article 53 obligations is enforced by the Commission (for GPAI providers) under Article 101, which sets a specific GPAI fine ceiling of €15,000,000 or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. For smaller companies, Article 101 applies the same proportionality protection as Article 99(6) for other obligations.
Supplying incorrect, incomplete, or misleading information to the AI Office carries a lower but still significant ceiling of €7,500,000 or 1% of turnover under Article 99(5).
Article 53 at a Glance
| Obligation | Applies to | Exempt (open-source, publicly available weights) |
|---|---|---|
| (a) Annex XI technical documentation | All GPAI providers | Yes — unless systemic-risk |
| (b) Annex XII downstream information | All GPAI providers | Yes — unless systemic-risk |
| (c) Copyright compliance policy | All GPAI providers | No |
| (d) Public training-data summary | All GPAI providers | No |
Additional obligations under Article 55 (model evaluation, adversarial testing, incident reporting, cybersecurity) apply only where systemic-risk status has been established under Article 51.
Frequently Asked Questions
Does Article 53 apply only to systemic-risk GPAI models?
No. Article 53 applies to all GPAI model providers. The systemic-risk obligations — adversarial testing, model evaluation, incident reporting, and cybersecurity measures — are in Article 55 and apply only when a model has been classified as systemic-risk under Article 51. Article 53 is the baseline for every GPAI provider.
What is Annex XI, and how does it differ from Annex IV?
Annex IV sets the technical documentation requirements for high-risk AI systems under Article 11. Annex XI sets the technical documentation requirements for GPAI models under Article 53(1)(a). They serve different regulatory purposes: Annex IV is about a specific system's intended purpose, risk management, and conformity; Annex XI is about the model's architecture, training process, and evaluation results at the model level.
What is the Article 53 compliance deadline for models already on the market?
GPAI models placed on the market before 2 August 2025 must comply with Article 53 obligations by 2 August 2027. Models placed on the market from 2 August 2025 onwards must comply immediately. The Digital Omnibus high-risk deferral does not affect this timeline.
Do open-source GPAI models have any Article 53 obligations?
Yes. The open-source exemption covers obligations (a) and (b) — the Annex XI documentation and the Annex XII downstream information pack — provided the model weights are publicly available and the model is not systemic-risk. Obligations (c) and (d) — the copyright policy and the public training-data summary — apply to all providers, including open-source ones.
As a company integrating a GPAI model, what should I ask the provider for?
Request the Annex XII information package: the model's general description, training data categories and sources, computational resources used, known limitations relevant to your use case, and recommended technical measures for safe integration. If your own AI system is high-risk, this documentation feeds into your Article 11 technical file. If the provider cannot supply it, document that gap and assess whether it affects your ability to complete your own conformity assessment.
What is the GPAI Code of Practice and do I need to follow it?
The GPAI Code of Practice (Article 56) is developed under AI Office oversight and provides practical guidance on meeting Articles 53 and 55. Adherence to the Code is a way to demonstrate compliance — not a legal obligation in itself. For GPAI providers, following the Code's documentation and evaluation templates is the most efficient path to demonstrating that Article 53(1) obligations are met.
Can a non-EU GPAI provider be subject to Article 53?
Yes. Article 53 applies to any provider placing a GPAI model on the EU market, regardless of establishment. Non-EU providers must also designate an authorised representative within the EU under Article 54. That representative is the contact point for the AI Office and national authorities and may be held jointly liable for compliance gaps.
Related guides
- Annex IV risk assessment methodology
- provider obligations checklist
- Article 53 risk management systems
- Article 9 high-risk classification requirements
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →