ChatGPT, Copilot, Claude, and Gemini are well-known examples of general-purpose AI models, commonly referred to as GPAI models. Since 2 August 2025, providers of this type of model have been subject to obligations under the EU AI Act. Organisations that deploy these models as deployers do not themselves need to comply with the GPAI obligations, but they do need to understand what those obligations entail: they determine what information providers must make available to them and what responsibilities consequently fall to their own organisation.

What is a GPAI model?

The EU AI Act defines a general-purpose AI model as a model that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way it is placed on the market (Article 3(63)). Large generative AI models are the most typical example, as stated in recital 99 of the Regulation.

As an indicative criterion, the European Commission's guidelines on the scope of obligations specify that a model is presumed to be a GPAI model when the computation used for its training exceeds 10²³ floating-point operations (FLOP) and the model can generate language, audio, images, or video. Models used solely for purely internal processes with no consequences for third parties or the rights of natural persons are in principle excluded from the obligations (recital 97).

Two categories: standard and systemic risk

The Regulation distinguishes between two categories of GPAI models, each subject to its own set of obligations.

Standard GPAI models are all GPAI models not designated as systemic risk models. These are subject to the baseline transparency and documentation obligations set out in Article 53.

GPAI models with systemic risk are models with high-impact capabilities. Article 51(2) provides that a model is presumed to have such capabilities when the cumulative computation used for its training exceeds 10²⁵ FLOP. At the current state of the art, training a model that meets this threshold is estimated to cost tens of millions of euros. The Commission may adjust the threshold through delegated acts as technology evolves (Article 51(3)). Currently, only a handful of companies develop GPAI models with systemic risk.

Obligations for all GPAI providers (Article 53)

Every provider of a GPAI model, whether or not systemic risk applies, is required under Article 53 to:

  • Draw up and keep up-to-date technical documentation containing at minimum the information set out in Annex XI, and make it available upon request to the AI Office and national competent authorities.
  • Draw up, keep up-to-date, and make available information for downstream providers so that they can integrate the model into their AI systems and comply with their own obligations; the minimum content is set out in Annex XII.
  • Put in place a copyright compliance policy under Union law on copyright and related rights, in particular to identify and comply with any reservation of rights pursuant to Article 4(3) of Directive (EU) 2019/790.
  • Draw up and make publicly available a training content summary of the content used to train the model, based on a template provided by the AI Office.

Providers of open-source models are in principle exempt from the documentation obligations under (a) and (b), provided that the model's parameters, architecture, and usage information are made publicly available. This exemption does not apply to systemic risk models.

Additional obligations for systemic risk models (Article 55)

In addition to the above, providers of GPAI models with systemic risk are also required to:

  • Carry out model evaluations in accordance with standardised protocols, including adversarial testing to identify model vulnerabilities (red-teaming).
  • Assess and mitigate systemic risks at Union level, including during the development phase.
  • Document and report serious incidents to the AI Office and, where applicable, to national competent authorities.
  • Ensure adequate cybersecurity protection for the model and its physical infrastructure.

When a model meets or is reasonably expected to meet the 10²⁵ FLOP threshold, the provider must notify the AI Office without delay and within two weeks (Article 52(1)).

Demonstrating compliance through the GPAI Code of Practice

Providers may demonstrate compliance by signing up to the GPAI Code of Practice, published by the European Commission on 10 July 2025 and assessed as adequate. The Code is structured into three chapters: Transparency, Copyright, and Safety and Security. The first two chapters apply to all GPAI providers; the third applies exclusively to providers of systemic risk models. Participation is voluntary, but providers who do not sign the Code must demonstrate that their alternative means of compliance are equally adequate.

Enforcement of GPAI obligations rests with the European Commission through the AI Office. Infringements may result in fines of up to 3% of global annual turnover or €15 million, whichever is higher (Article 101).

What this means for deployers

Organisations that use GPAI models as deployers are not themselves subject to the GPAI obligations under Articles 53 and 55. Nevertheless, the provider's compliance directly affects their own position. Providers are required to make available information that enables deployers to understand the model and fulfil their own obligations under the Regulation, including the AI literacy obligation under Article 4. If a GPAI provider fails to meet its documentation obligations, it becomes more difficult for the deployer to demonstrate that staff sufficiently understand how the model works, what its limitations are, and what risks are associated with its use.