EU AI Act Downstream Provider Obligations Under GPAI

# EU AI Act Downstream Provider Obligations Under GPAI This page explains what the EU AI Act means by "downstream provider," which obligations flow from Article 53(1)(b) to software vendors that call a general-purpose AI model via API, and what you need to have in place by August 2 2026. --- ## What the EU AI Act Says The EU AI Act (Regulation (EU) 2024/1689) establishes a layered supply chain for general-purpose AI (GPAI) models. Under Article 3(44), a GPAI model is an AI model trained on large amounts of data that can perform a wide range of tasks. Under Article 3(3), a "provider" is any natural or legal person who places an AI system on the market or puts it into service under their own name or trademark. When your software product calls a GPAI model via API and ships that capability to customers, you are a provider of an AI system that integrates a GPAI model. The company that trained and exposed the underlying model (OpenAI, Anthropic, Google) is the upstream GPAI model provider. You, the software vendor, are the downstream provider. Article 53 sets out the obligations for GPAI model providers. Article 53(1)(b) is the provision that directly governs your relationship with the upstream model provider. It requires GPAI model providers to draw up and keep up to date technical documentation and to make available information and documentation to downstream providers that integrate the GPAI model into their AI systems. This documentation must be sufficient for the downstream provider to meet their own obligations under the regulation. Recital 119 of the regulation makes the intent explicit: upstream providers must pass enough technical information downstream so that the companies building on top of their models can comply. If that documentation does not arrive, or arrives incomplete, the downstream provider carries the compliance gap. --- ## Who This Applies To This framework applies to you if: - Your product or service calls a GPAI model via API (including OpenAI GPT-4o, Anthropic Claude, Google Gemini, Mistral, or any comparable model) and that output reaches end users or downstream systems. - You place that product on the market or put it into service in the EU, or you target EU-based users, regardless of where your company is incorporated. - You operate as a provider, not merely a deployer. A deployer uses an AI system for their own internal purposes without making it available to others. If you are shipping a product to customers that includes AI-generated output, you are a provider. Company size does not exempt you from GPAI-related obligations. The regulation does provide some accommodations for SMEs and startups on certain procedural requirements, but the core obligation to obtain and hold compliant documentation from your upstream model provider applies regardless of headcount or revenue. Sector is not a limiting factor either: a legal-tech SaaS, a HR analytics tool, a customer service bot, and a medical documentation assistant all fall within scope if they integrate a GPAI model. --- ## What the Obligation Actually Requires As a downstream provider integrating a GPAI model, Article 53(1)(b) means you need to: **1. Obtain technical documentation from your upstream provider.** This includes information about the model's training data sources, intended capabilities and limitations, known risks, and the measures the upstream provider has taken to address those risks. This is not a generic privacy policy or terms of service. It is structured technical documentation that maps to the requirements in Annex XI and Annex XII of the regulation. **2. Review that documentation against your use case.** The documentation the upstream provider supplies covers the base model. Your downstream system introduces additional context: your system prompt, retrieval augmentation, fine-tuning, the specific tasks you are directing the model to perform, and the user population you are serving. You need to assess whether the risks the upstream documentation identifies are amplified or mitigated by your integration. **3. Prepare your own technical documentation for your AI system.** Article 11 requires providers of AI systems (including those built on GPAI models) to draw up technical documentation before placing the system on the market. This documentation must demonstrate that the system meets the applicable requirements of the regulation. **4. Establish a system for handling information requests from your customers.** If your customers are themselves providers or deployers who need information about the AI capabilities in your product to meet their own obligations, you need a process to respond to those requests. **5. Identify whether your system also falls under Annex III.** Some downstream systems that integrate GPAI models will simultaneously qualify as high-risk AI systems under Annex III. If your system is used in employment screening, credit decisioning, biometric categorisation, critical infrastructure, or education, the high-risk requirements stack on top of the GPAI downstream obligations. --- ## Key Deadlines **February 2 2025 (already in force):** Article 5 prohibitions on unacceptable-risk AI practices apply. This covers subliminal manipulation, social scoring by public authorities, and certain biometric categorisation uses. These are hard bans with no transition period. **August 2 2026:** GPAI obligations and Article 50 transparency requirements apply. Article 50 requires providers to ensure AI-generated content is marked as such where applicable, and that users are informed when they are interacting with an AI system. This is the deadline that matters most for software vendors calling GPAI models via API. **December 2 2027:** Annex III high-risk AI system requirements apply to systems not already covered by pre-existing sector legislation. If your downstream system qualifies as high-risk, this is when the full conformity assessment, CE marking, and registration requirements become enforceable for that tier. --- ## What to Do Now **1. Request Article 53(1)(b)-compliant documentation from your upstream model provider today.** Do not assume the model card or API documentation is sufficient. Ask specifically for documentation that maps to the EU AI Act's Annex XI requirements. If the upstream provider cannot produce it, document the request and the gap. That record matters if regulators ask. **2. Map every GPAI API call in your product.** Identify which features call which models, what system prompts are in use, and what the output is used for. You cannot assess your obligations until you know the scope of your GPAI integrations. **3. Draft your own system-level technical documentation.** Start with what your upstream provider gives you and layer on the specifics of your integration: the task, the user population, the output modality, and the risk assessment for your particular use case. **4. Assess whether any of your downstream systems meet the Annex III high-risk criteria.** If yes, begin the conformity assessment process now. December 2027 is not far away if you have significant technical documentation and quality management obligations to build. **5. Add an AI transparency disclosure to your user-facing product.** Article 50 requires certain disclosures when users interact with AI systems. August 2 2026 is the enforcement date, but shipping this now reduces risk and demonstrates good faith to regulators and enterprise customers running their own procurement audits. --- ## Check Your Obligations Now The obligations that apply to your specific system depend on what it does, who it serves, and how the GPAI model is integrated. Use the free ActComply risk screener to see which obligations apply to your system: https://www.getactcomply.com/check

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener
EU AI Act Downstream Provider Obligations Under GPAI | ActComply