
Systemic Risk Under the EU AI Act: Definition, Designation, and Obligations

Definition · 3 June 2026 · 10 min read · 2,042 words

Systemic risk under EU AI Act Article 3(65): the 10²⁵ FLOP threshold, Article 51 designation, and Article 55 obligations for GPAI model providers.

Systemic risk is a distinct legal concept in Regulation (EU) 2024/1689 that applies exclusively to general-purpose AI (GPAI) models — not to the high-risk systems listed in Annex III, and not to ordinary AI systems deployed in business settings. If you build or deploy a GPAI model above a certain capability threshold, systemic risk is the category that triggers the heaviest obligations the Act places on any actor in the GPAI chain.

Understanding the term matters because it is widely confused with "high-risk." The two concepts sit in different parts of the Act, apply to different subjects, and carry different obligation sets. Getting that distinction right is the starting point.

The EU AI Act Definition (Article 3, Point 65)

Article 3 of Regulation (EU) 2024/1689 defines systemic risk at point 65 as:

"a risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or society as a whole, that can be propagated at scale across the value chain."

Three elements are embedded in this definition. First, the risk must be specific to high-impact capabilities: not every GPAI model carries systemic risk, only those whose capabilities reach the high-impact level. Second, the impact must be significant at Union scale, whether through the model's reach (deployment volume, number of downstream applications) or through the nature of harm (public health, safety, security, fundamental rights, societal harm). Third, propagation through the value chain is the distinguishing dynamic: a GPAI model sits upstream of many applications, so a flaw, misuse, or failure at model level can cascade through every downstream deployer built on it.

Systemic risk is therefore not about a single harmful output from a single use. It is about structural, wide-scale harm enabled by the position and capabilities of the model itself.

How a Model Is Designated as Systemic Risk (Article 51)

Chapter V of the Act (Articles 51–56) governs GPAI models. Article 51 sets out the designation mechanism for systemic risk. There are three routes.

The 10²⁵ FLOP presumption. A GPAI model is presumed to have systemic risk if the cumulative amount of compute used to train it exceeds 10²⁵ floating-point operations (FLOP). This is a hard threshold: once crossed, the provider is presumed to have a systemic-risk model without needing a Commission decision. The Act does not require that harm has occurred — the compute level alone triggers the presumption. Providers may rebut the presumption, but the burden is on them to do so through the procedure in Article 52.

Commission decision. Even below the 10²⁵ FLOP threshold, the European Commission may designate a GPAI model as having systemic risk on the basis of its capabilities. The Commission considers criteria including the number of users, the number of downstream providers, the model's capabilities across modalities, or its integration into critical systems. This discretionary route ensures that capability leaps — including models that achieve high-impact capabilities through architectural efficiency rather than raw compute — do not escape the regime simply because training compute fell short of the threshold.

Article 90 scientific-panel qualified alert. A scientific panel of independent experts, established under Article 68, may issue a qualified alert to the Commission under Article 90 when it has reason to believe a GPAI model poses a systemic risk. A qualified alert is not itself a designation, but it triggers a Commission review that can result in designation under Article 51. This route gives technical experts a formal channel to flag models that the compute threshold alone would miss — including models that undergo fine-tuning, distillation, or capability extension after their initial release.

All three routes feed into the same Article 52 notification procedure, through which the Commission informs the provider and gives them an opportunity to respond before a formal designation is issued.

Extra Obligations for Systemic-Risk GPAI Models (Article 55)

Providers of GPAI models with systemic risk carry the full baseline obligations applicable to all GPAI providers under Article 53 — which include maintaining technical documentation, providing information to downstream providers, implementing a copyright policy, and publishing a summary of training data. Article 55 then adds four further obligations.

Model evaluation. Providers must conduct evaluations of their systemic-risk model in accordance with standardised protocols. This includes capability assessments designed to identify whether the model can generate harmful content, enable misuse, or be repurposed in ways that were not intended. Evaluation is not a one-time gate: the obligation is ongoing and must be repeated when the model is significantly updated.

Adversarial testing. Article 55 specifically requires adversarial testing — commonly called red-teaming — to uncover capabilities that standard evaluation might miss. Red-teaming must be conducted by independent experts, either internal or external. This is a statutory obligation, not a best-practice recommendation. It is also one of the clearest statutory footholds for red-teaming as a compliance activity rather than an optional safety exercise.

Serious-incident reporting to the AI Office. Providers of systemic-risk models must report serious incidents — including cases of misuse by third parties, security breaches, or outputs that cause or nearly cause significant harm — to the AI Office. The AI Office is the Commission body with primary supervisory responsibility for GPAI models; it is not a member-state authority. This distinguishes GPAI incident reporting (AI Office, Article 55) from high-risk AI-system incident reporting (member-state market-surveillance authorities, Article 73).

Cybersecurity. Systemic-risk GPAI providers must ensure adequate cybersecurity for the model and its physical infrastructure. Given that a compromised model affects every downstream application built on it, the Act treats cybersecurity at the model level as a matter of Union-wide concern rather than an issue left to downstream deployers.

GPAI model obligations, including those under Article 55, have applied since 2 August 2025. They are already live, not a future requirement.

Systemic Risk Is NOT the Same as High-Risk

This is the most common misconception, and the Act's terminology makes it easy to confuse them. The word "risk" appears in both, but the two regimes are structurally separate.

High-risk AI systems are defined in Article 6 and listed in Annex III (and Annex I for product-safety components). High-risk classification applies to AI systems — software that processes inputs and produces outputs influencing decisions in specific domains (recruitment, creditworthiness, biometrics, law enforcement, and so on). The obligations for high-risk AI systems sit in Articles 9–15, 16–27, 43, 47–49, and 72–73. The deadline for stand-alone Annex III high-risk systems is 2 December 2027 (2 August 2028 for Annex I product safety components), under the Digital Omnibus agreed in May 2026.

Systemic risk applies to GPAI models — large-scale trained models that can perform a wide range of tasks across domains. GPAI obligations sit in Chapter V (Articles 51–56). The designation mechanism is Article 51; the heavy obligations are Article 55. These have been in force since 2 August 2025.

A GPAI model is not classified by what tasks it performs in a given deployment. It is classified by its training scale and capabilities. A product built on a systemic-risk GPAI model that is then deployed for, say, recruitment would face both regimes: the downstream deployer or provider of that product faces the Annex III high-risk obligations under Article 6 and Annex III point 4, while the GPAI model provider separately faces the Article 55 systemic-risk obligations. The two layers stack; they do not substitute for each other.

One practical implication: if your company uses a systemic-risk GPAI model as a foundation for a product you place on the market, you are not thereby exempt from Annex III classification. Your role as provider under Article 16 (by virtue of Article 25, which shifts provider status to anyone who places a system on the market under their own name) carries independent high-risk obligations if the use falls within Annex III. The GPAI model vendor's compliance with Article 55 does not discharge yours.

Frequently Asked Questions

Q: Does the 10²⁵ FLOP threshold apply to fine-tuned or adapted models, or only to models trained from scratch?

The Act refers to "cumulative amount of compute used for training." Fine-tuning adds compute on top of the pre-training run; whether the combined total crosses 10²⁵ FLOP depends on the numbers. In practice, most fine-tuning operations are orders of magnitude smaller than pre-training, so the threshold is primarily crossed by the largest foundation models. However, providers of heavily fine-tuned or continually retrained models should calculate their cumulative training compute and document the result, because the Article 52 procedure requires them to notify the Commission and demonstrate whether the threshold applies.

Q: A systemic-risk GPAI model was on the market before 2 August 2025. Does it get extra time to comply with Article 55?

GPAI models placed on the Union market before 2 August 2025 have until 2 August 2027 to comply with Chapter V obligations (including Article 55). This transitional window does not apply to models launched after 2 August 2025, which must comply immediately. The Digital Omnibus deferral that pushed high-risk Annex III dates to December 2027 did not affect Chapter V; GPAI timelines are unchanged.

Q: Who oversees Article 55 compliance — national authorities or the AI Office?

The AI Office, operating within the European Commission, has primary supervisory responsibility for GPAI models, including systemic-risk models under Article 55. This is distinct from the high-risk AI system regime, where member-state market-surveillance authorities have primary enforcement responsibility. For GPAI providers, the point of contact for systemic-risk incident reporting and oversight is the AI Office, not a national body.

Q: What is the fine for non-compliance with Article 55 obligations?

Fines for GPAI providers are governed by Article 101 (not Article 99, which applies to providers and deployers of AI systems). Under Article 101, the Commission may impose fines of up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. This is separate from Article 99 penalties that apply to the downstream AI system tier.

Q: Can a company avoid systemic-risk designation by releasing a model as open-source?

No. The open-source carve-out in Article 53(2) relieves baseline GPAI providers of the Annex XI technical documentation and Annex XII downstream-disclosure duties. It does not apply to systemic-risk models. A systemic-risk GPAI model released under an open-source licence remains subject to Article 55 obligations in full. Open-source status affects Article 53 obligations; it does not affect Article 51 designation or Article 55 requirements.

Q: Our company uses GPT-4 or a similar systemic-risk model to build a product. Do we inherit the Article 55 obligations?

No. Article 55 obligations rest with the provider of the GPAI model — the company that trained and placed the model on the market. Your company, as a downstream provider building a product on top of that model, does not inherit Article 55. However, you may inherit Article 16 provider obligations for your own system (by virtue of Article 25 if you place it on the market under your name), and your system may be classified as high-risk under Article 6 depending on its intended use. The GPAI model vendor's Article 55 compliance does not substitute for your own classification analysis.
