Foundation Models & GPAI

The EU AI Act creates a dedicated regime for general-purpose AI — Articles 51 through 56. Every GPAI provider faces documentation, transparency, and copyright obligations. Those with systemic risk face additional requirements: adversarial testing, incident reporting, and cybersecurity protections.

Provider Obligations

What the EU AI Act requires from GPAI providers

Six core obligations that apply to all general-purpose AI model providers, regardless of systemic risk classification.

Model Cards & Documentation

Art. 53(1)(a)

GPAI providers must draw up and maintain technical documentation of the model, including training and testing processes, and provide it to downstream providers. This documentation forms the basis for downstream conformity assessments.

Information for Downstream Providers

Art. 53(1)(b)

Providers must supply downstream deployers with information to understand the model's capabilities and limitations. This includes intended and foreseeable uses, performance metrics, and known risks — enabling downstream compliance.

Art. 53(1)(c)

GPAI providers must implement a policy to comply with EU copyright law, including the Text and Data Mining Directive. This means respecting opt-out mechanisms, maintaining records of training data sources, and handling takedown requests.

Model Evaluation

Art. 53(1)(d)

Providers must evaluate GPAI models using state-of-the-art methodologies, including adversarial testing. Evaluation must cover capabilities, limitations, and foreseeable risks — with results documented and made available to authorities.

Transparency for Users

Art. 53(2)

GPAI providers placing models on the EU market must publish a sufficiently detailed summary of the training data, following a template provided by the AI Office. This summary must be publicly accessible.

Codes of Practice

Art. 56

The AI Office encourages GPAI providers to develop codes of practice that detail compliance approaches. Adherence to codes of practice provides a presumption of conformity — making them practically mandatory for market access.

Systemic Risk

Systemic risk classification and obligations

GPAI models above the compute threshold — or designated by the Commission — face additional obligations beyond the standard GPAI requirements.

Threshold	Classification	Obligations
Cumulative compute > 10^25 FLOP	Systemic Risk	Automatic classification as GPAI with systemic risk. Providers must perform model evaluation, adversarial testing, track and report serious incidents, and ensure adequate cybersecurity protections.
Commission designation	Systemic Risk	The Commission may designate a GPAI model as having systemic risk based on impact criteria — even below the compute threshold. Number of registered users, cross-border reach, and interconnectedness are considered.
Below compute threshold	Standard GPAI	Standard obligations apply: technical documentation, downstream provider information, copyright compliance, training data summary. No adversarial testing or incident reporting required unless designated.
Open-source models	Reduced Obligations	Open-source GPAI models (excluding systemic risk) benefit from reduced obligations — mainly training data summary and copyright compliance. Full documentation requirements do not apply.

GPAI Provider Compliance

Navigate Articles 51-56 — structured guidance for foundation model providers on documentation, evaluation, systemic risk assessment, and codes of practice.

Request Access Talk to Us