EU AI Act GPAI provider obligations:
what model developers actually need to do
GPAI provider obligations under Articles 53 and 55 of the EU AI Act entered force on 2 August 2025. Active enforcement begins 2 August 2026. The Code of Practice was published 10 July 2025. Here’s the practical breakdown of what providers of general purpose AI models must do.
The one thing to understand
GPAI obligations are split in two tiers. Article 53 applies to all providers of GPAI models: technical documentation, downstream provider information, copyright policy, training data summary. Article 55 layers on top for providers of GPAI models with systemic risk: those above the 10^25 FLOP training threshold (Article 51). Adopting the AI Office Code of Practice (10 July 2025) is voluntary but the cleanest path to demonstrating compliance for both tiers.
Who is a GPAI provider
Article 3(63) defines a general purpose AI model as “an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks, regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications.”
A provider, under Article 3(3), is the entity that develops the model and places it on the market under its own name or trademark. The full set of European and major US foundation model labs are GPAI providers in this sense. European examples include Mistral AI (France), Aleph Alpha (Germany), Black Forest Labs (Germany), and DeepL (Germany). Major non-EU providers placing models on the EU market also fall within scope, with the additional Article 54 EU representative requirement.
Narrow task-specific models (a credit scoring model, a single-purpose translation model trained for one language pair, a specialised radiology classifier) are not GPAI within the meaning of Article 3(63) and fall outside Articles 53 and 55, although they may be high risk under Annex III in their own right.
Article 53: obligations for all GPAI providers
Four core duties that attach to every GPAI provider regardless of systemic risk classification.
Technical documentation
Draw up and keep up to date the technical documentation of the model, including its training and testing process and the results of its evaluation. Minimum elements are specified in Annex XI. The documentation must be available on request to the AI Office and to national competent authorities.
Information for downstream providers
Provide documentation enabling AI system providers that intend to integrate the GPAI model into their AI systems to understand the model's capabilities and limitations and to comply with their own Regulation obligations. Minimum elements are specified in Annex XII. The documentation should support downstream conformity assessments and Article 13 transparency obligations.
Copyright compliance policy
Put in place a policy to comply with Union copyright law, including identifying and respecting the rights reservations expressed by rightsholders under Article 4(3) of Directive (EU) 2019/790 (the DSM Directive). The policy must address text and data mining opt outs and provide a procedure for honouring them.
Training data summary
Draw up and make publicly available a sufficiently detailed summary about the content used for training the GPAI model, following a template provided by the AI Office. The template is intended to enable rightsholders to identify whether their content was used and to exercise their rights.
The open source exception (Article 53(2))
Article 53(2) carves out two of the four Article 53(1) obligations for providers of GPAI models released under a free and open source licence that allows access, use, modification, and distribution of the model, and whose parameters (including weights), information on model architecture, and information on model usage are publicly available.
Specifically, the technical documentation obligation (53(1)(a)) and the downstream provider information obligation (53(1)(b)) do not apply to genuinely open source GPAI providers. The copyright policy obligation (53(1)(c)) and the training data summary obligation (53(1)(d)) still apply.
Important: the open source exception does not apply to GPAI models with systemic risk under Article 55. A model above the 10^25 FLOP threshold released under an open source licence still owes the full Article 55 obligation set, and a stricter reading of the Article 53 obligations is required given the systemic risk classification.
EU representative requirement (Article 54)
Article 54 requires that providers of GPAI models established outside the EU shall, prior to placing a GPAI model on the Union market, appoint by written mandate an authorised representative established in the Union.
The EU representative is the contact point for the AI Office and national competent authorities. The representative holds copies of the technical documentation, the relevant information enabling compliance verification, and the contact details of the provider.
The Article 54 obligation has no open source exception. Even genuinely open source GPAI providers established outside the EU must appoint a representative before placing models on the Union market. This is one of the cleanest obligations to address operationally and one of the easiest to overlook.
Article 55: additional obligations for GPAI with systemic risk
Four further duties that layer on top of Article 53 for providers of GPAI models classified as systemic risk under Article 51.
Model evaluation and adversarial testing
Perform model evaluation in accordance with standardised protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks.
Systemic risk assessment and mitigation
Assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development, the placing on the market, or the use of the GPAI model with systemic risk.
Serious incident reporting
Keep track of, document, and report, without undue delay, to the AI Office and, as appropriate, to national competent authorities, relevant information about serious incidents and possible corrective measures to address them.
Cybersecurity protection
Ensure an adequate level of cybersecurity protection for the GPAI model with systemic risk and the physical infrastructure of the model.
The 10^25 FLOP systemic-risk threshold (Article 51)
Article 51 establishes a rebuttable presumption that a GPAI model has high impact capabilities (and therefore systemic risk) when the cumulative amount of computation used for its training measured in floating point operations is greater than 10^25.
As of mid 2026, this threshold captures roughly 5 to 15 providers worldwide: the largest US labs (OpenAI, Anthropic, Google DeepMind, Meta for some Llama models), a handful of Chinese labs, and at the European margin the most advanced frontier model providers. The Commission can adjust the threshold and add supplementary benchmarks through delegated acts as the field evolves.
The presumption is rebuttable. A provider above the FLOP threshold may contest the designation by demonstrating that the model lacks the capabilities that make it systemic risk. The procedure for contesting designation runs through the AI Office. A provider below the threshold may still be designated as systemic risk by the Commission based on a different indicator set, though in practice this has been used sparingly.
The GPAI Code of Practice (Article 56)
Article 56 mandates the AI Office to facilitate codes of practice to help providers of GPAI models comply with Articles 53 et seq. The General-Purpose AI Code of Practice was published by the AI Office on 10 July 2025, organised into three chapters: Transparency, Copyright, and Safety and Security.
The first two chapters apply to all GPAI providers. The third (Safety and Security) applies only to providers of GPAI models with systemic risk under Article 55. Signing the Code is voluntary, but the European Commission and the AI Board have confirmed it as an adequate compliance tool. Signing creates a presumption of compliance and reduces administrative burden compared to demonstrating compliance through bespoke documentation.
For most GPAI providers, the practical position is: sign the Code, build compliance against its specific provisions, and treat any non-Code compliance pathways as fallback options. Providers that choose not to sign should be prepared to demonstrate equivalent compliance to the AI Office, with the burden of proof effectively reversed.
Practical implementation
A readiness programme for GPAI providers preparing for active enforcement on 2 August 2026.
Confirm GPAI classification
Article 3(63) defines a GPAI model as one that displays significant generality and is capable of competently performing a wide range of distinct tasks. Models below that threshold (narrow models for a single task) are not GPAI. Confirm your model qualifies before applying Article 53.
Run the Article 51 systemic-risk threshold check
Article 51 presumes systemic risk where cumulative training compute exceeds 10^25 floating point operations. This is a rebuttable presumption: a provider above the threshold can contest the designation by demonstrating absence of high impact capabilities. As of mid 2026, the threshold captures roughly 5 to 15 providers worldwide.
Adopt or evaluate the GPAI Code of Practice
The General-Purpose AI Code of Practice was published by the AI Office on 10 July 2025, organised into three chapters: Transparency, Copyright, and Safety and Security. Signing the Code is voluntary, but the Commission and AI Board have confirmed it as an adequate compliance tool. Signing creates a presumption of compliance and reduces administrative burden compared to demonstrating compliance through other means.
Build the Annex XI technical documentation
For Article 53(1)(a), draw up technical documentation covering training and testing processes, evaluation results, and the elements specified in Annex XI. The documentation must be ready on request from the AI Office.
Build the Annex XII downstream documentation
For Article 53(1)(b), create the documentation that downstream AI system providers will need to integrate your model into their systems compliantly. This is separate from the Annex XI documentation, with different content scope.
Stand up the copyright opt-out honouring process
Build a process to identify and honour text and data mining opt outs under DSM Directive Article 4(3). This typically involves crawler-respecting robots.txt directives, header signals, and a takedown process for content that should not have been included in training.
Publish the training data summary
For Article 53(1)(d), draft a public summary of training content following the AI Office template. The summary should be detailed enough to enable rightsholders to identify whether their content was used.
Appoint an EU representative (non-EU providers)
Article 54 requires GPAI providers established outside the EU to appoint, prior to placing their model on the EU market, an authorised representative established in the Union. The representative is a contact point for the AI Office and handles regulatory cooperation.
Where this fits in the AI Act stack
GPAI provider obligations sit at the top of the AI value chain. Downstream deployers using your GPAI model in their AI systems carry their own obligations: Article 26 deployer duties (see August 2: what attaches for deployers), Article 27 FRIA where they qualify (see Article 27 FRIA scope), Article 50 transparency where applicable (see Article 50 transparency), and substantial modification triggers if they wrap or fine-tune your model significantly (see Article 25(1)(b) substantial modification).
Your Article 53 documentation is what enables downstream deployers to do their own compliance work. The quality and structure of that documentation directly shapes the friction your customers face in their own AI Act readiness programmes. A well-built Annex XII downstream documentation pack is a competitive advantage in the enterprise procurement process, not just a compliance artefact.
Run a GPAI Article 53 readiness check
ActComply maps your GPAI model against the full Article 53 obligation set (and Article 55 if systemic risk applies), identifies which Code of Practice provisions cover your specific compliance posture, and returns a gap analysis with a remediation path before 2 August 2026 enforcement.
Assess your GPAI model free →No credit card required
Related guides
More EU AI Act compliance pieces from ActComply.
EU AI Act Compliance Checklist
All 27 obligations across high risk, limited risk, general provider, and GPAI categories.
EU AI Act Risk Classification
Walk through the four risk tiers and how to classify your AI system.
High Risk AI Systems
Annex III categories and what counts as high risk under the AI Act.
Omnibus Update
How the May 2026 provisional agreement shifts high risk deadlines, and what stays unchanged.
Article 26 Deployer Obligations
All twelve Article 26 obligations attaching to every deployer of a high risk system on August 2.
Article 27 FRIA Scope
Who the Fundamental Rights Impact Assessment actually applies to, and what fills the gap when it doesn't.
Article 27 FRIA Template
Working one page template covering the six Article 27(1) inputs, with PDF download.
Article 50 Transparency Obligations
Provider and deployer obligations across chatbots, generative content, emotion recognition, and deep fakes.
Article 25(1)(b) Substantial Modification
When a deployer becomes a provider through substantial modification, and what crossing the line costs.