GPAI obligations under the EU AI Act: what applies from August 2026

GPAI obligations under the EU AI Act: what applies from August 2026

The EU AI Act's General Purpose AI (GPAI) chapter is one of the most consequential parts of the regulation for the current generation of AI startups. It creates a dedicated compliance framework for foundation models, large language models, and multimodal systems that are not purpose-built for a single application but instead power a wide range of downstream uses. Whether you are training your own GPAI model, distributing one, or building products on top of third-party GPAI APIs, the August 2, 2026 deadline for GPAI obligations is the most pressing compliance milestone in the EU AI Act calendar for many teams.

What the EU AI Act requires

The GPAI obligations are set out primarily in Articles 51 to 56 of the EU AI Act. Article 53 establishes four baseline obligations for all GPAI providers: technical documentation covering training methodology, data, capabilities and limitations; an information package for downstream providers enabling them to meet their own compliance obligations; a copyright compliance policy with an opt-out mechanism for text and data mining reservations; and a publicly available training data summary. Article 55 adds a further tier of obligations for GPAI models designated as presenting systemic risk under Article 51, currently defined by a training compute threshold of 10^25 floating point operations. Systemic risk obligations include model evaluation and adversarial testing, incident reporting to the AI Office, cybersecurity safeguards, and energy efficiency reporting. All GPAI obligations apply from August 2, 2026. Fines for non-compliance with GPAI provisions reach EUR 15 million or 3% of global annual turnover under Article 99, and up to EUR 3 million for the provision of incorrect information to the AI Office.

What this means for your business

For startups that train or distribute their own language models or multimodal systems, August 2, 2026 is a hard deadline for publication of technical documentation and training data summaries. For startups building products on top of commercial GPAI APIs, the key question is whether you have received the downstream provider documentation required under Article 53(1)(b) from your upstream provider. If your GPAI API provider cannot demonstrate compliance with Article 53, and your product is deployed in a high-risk use case, Article 25 may require you to treat yourself as the de facto provider. This is a contractual and procurement risk that procurement and legal teams at AI startups should be actively addressing with API providers now, ahead of the August 2026 deadline.

Steps to get compliant

1. Classify your AI systems against the GPAI definition in Article 3(63): a model trained on broad data at scale, capable of serving multiple purposes, and made available to downstream integrators. If you meet this definition, you are a GPAI provider with Article 53 obligations.
2. Prepare and publish the four Article 53(1) documentation requirements before August 2, 2026: technical documentation, downstream provider information package, copyright compliance policy, and training data summary.
3. Assess whether your model's training compute approaches the Article 51 systemic risk threshold of 10^25 FLOPs and, if so, begin preparing for the additional Article 55 obligations including adversarial testing and AI Office notification.
4. If you are a downstream builder using a third-party GPAI API, request the Article 53(1)(b) downstream documentation from your provider in writing, and document the request and response as part of your own compliance record.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener