EU AI Act requirements for GPAI models

EU AI Act requirements for GPAI models

If your startup has trained or fine-tuned a large language model, a multimodal model, or any general-purpose AI model that can serve a wide range of downstream tasks, you are a GPAI model provider under the EU AI Act. This is one of the most technically demanding compliance tracks in the regulation, and the deadline is August 2, 2026. For AI-native startups and foundation model builders operating in Europe, this is the most pressing compliance question right now.

What the EU AI Act requires

Articles 51 to 56 set out a two-tier framework for GPAI models. All GPAI model providers must comply with a baseline set of obligations under Article 53: prepare and maintain technical documentation about training data, model architecture, capabilities, and limitations; draw up a policy to comply with EU copyright law including identifying and respecting rights reservations; and publish a summary of training data content. Additionally, all GPAI providers must cooperate with the AI Office under Article 55 and keep documentation available for downstream providers who integrate the model. The second and more demanding tier applies to GPAI models with systemic risk, defined in Article 51 as models trained using more than 10^25 floating point operations (FLOPs). These models face additional obligations under Article 55: adversarial testing and red-teaming, incident reporting to the AI Office, cybersecurity measures, and energy efficiency reporting. The fines for non-compliance are up to EUR 15 million or 3% of global annual turnover, effective August 2, 2026.

What this means for your business

Most startups building on top of GPT-4, Claude, Gemini, or similar third-party APIs are not GPAI providers; they are deployers and fall under the standard risk-tier framework. However, startups that have trained their own foundation models, released open-weight models, or offer model-as-a-service APIs to other developers are GPAI providers. The 10^25 FLOP threshold for systemic risk is high enough that most startup-trained models will not reach it, but the baseline obligations in Article 53 apply to all GPAI models regardless of training compute. Open-source model releases receive a partial exemption from Article 53(2) technical documentation requirements if the model weights are made publicly available, but copyright policy and transparency summaries still apply.

Steps to get compliant

1. Determine whether you are a GPAI provider: if you have trained, fine-tuned (substantially), or distribute a model that third parties can use for general tasks, the answer is likely yes. 2. Build Article 53 technical documentation now: training data provenance, data sources, filtering and curation methodology, model architecture, evaluation results, and known limitations. This documentation is both a compliance requirement and a useful internal artifact. 3. Implement a copyright compliance policy covering your training data, and publish a brief public summary of training data content as required by Article 53(1)(d). 4. Assess whether your model crosses the 10^25 FLOP threshold and, if so, commission adversarial testing and prepare an incident reporting channel to the AI Office before August 2026.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener
EU AI Act requirements for GPAI models | ActComply