The EU AI Act's treatment of General Purpose AI (GPAI) models was one of the most contested elements of the legislative negotiations. The final text creates a tiered framework: all GPAI model providers face baseline obligations, while those whose models present "systemic risk" face significantly enhanced requirements. Understanding where your organisation sits in this framework is the first step to a compliant position.
What is a GPAI model?
Article 3(63) of the AI Act defines a General Purpose AI model as "an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications."
In practical terms, this captures large language models (GPT-4, Claude, Gemini, Mistral), large vision models, and multimodal foundation models. It does not capture narrow AI systems designed and trained for a single specific task.
Provider vs deployer: the critical distinction
The GPAI obligations apply to providers of GPAI models — the organisations that develop, train, and make these models available. If your company accesses a GPAI model through an API (OpenAI, Anthropic, Google, Mistral), you are a downstream provider or a deployer, not the GPAI model provider. The GPAI obligations fall on the model developer, not on you.
However, this does not mean API users have no obligations. If you build an AI system on top of a GPAI model and that system falls into a high-risk category under Annex III, you become a provider of a high-risk AI system and the full high-risk obligations apply to your application — even though the underlying model is someone else's.
Baseline GPAI obligations (Articles 53–54)
All GPAI model providers — including those whose models are not designated as systemic risk — must:
- Prepare and maintain technical documentation describing the model architecture, training processes, data used for training, validation and testing, computational resources used, and performance metrics.
- Draw up instructions for use that downstream providers can understand and use to build compliant applications.
- Comply with EU copyright law and publish a summary of the training data used. This summary must be sufficiently detailed that downstream providers can assess copyright exposure.
- Implement a policy to comply with Union law on copyright and related rights, particularly Article 4(3) of the Digital Single Market Directive (the text and data mining opt-out provision).
Systemic risk GPAI: enhanced obligations
GPAI models are presumed to present systemic risk if they have been trained using a total computing power of more than 10²⁵ floating point operations (FLOPs). This threshold captures the largest models — GPT-4-level scale and above.
Providers of systemic risk GPAI models face additional requirements:
- Perform adversarial testing (red-teaming) of the model before market placement and, where necessary, on an ongoing basis.
- Assess and mitigate systemic risks, including at Union level.
- Report serious incidents to the European AI Office within two weeks of becoming aware.
- Implement technical measures enabling cybersecurity protections proportionate to the systemic risks identified.
- Report on energy consumption where the European Commission requests it.
Open-source models
The AI Act contains specific provisions for open-source GPAI models. Providers that release GPAI model weights under a free and open licence are generally exempt from the documentation and transparency requirements above, provided the model parameters are publicly accessible.
This exemption does not apply to systemic risk models — if your open-source model exceeds the 10²⁵ FLOP threshold, all systemic risk obligations apply regardless of the licensing model.
What this means for companies using AI APIs
If you are integrating a GPAI model (via API or on-premises) into your products or services, your primary obligation under the AI Act is to conduct a risk classification of your AI application — not the underlying model. Ask:
- Does my application fall into any of the Annex III high-risk categories? (Hiring, lending, insurance, education, law enforcement, immigration, administration of justice, critical infrastructure, biometric identification.)
- Does my application generate content that triggers the limited-risk transparency obligations? (Chatbots, synthetic media, deepfakes.)
- Does my application fall under the prohibited practices in Article 5? (Subliminal manipulation, social scoring, prohibited biometric identification.)
If your application is high-risk, you must comply with the full Article 9–15 framework. If it is limited risk, you need transparency disclosures. If it is minimal risk, the Act imposes no specific obligations — though voluntary adherence to the codes of practice the European AI Office is developing is encouraged.
The August 2026 deadline for high-risk AI applications is not far away when you account for the time required to conduct a proper risk classification, build a compliance file, implement required technical controls, and prepare a conformity declaration. For companies that have not started this process, the time to begin is now.