What is a General-Purpose AI (GPAI) model under the EU AI Act?
The EU AI Act (Regulation 2024/1689) defines a General-Purpose AI model as an AI model trained on large amounts of data at scale, designed to serve a range of purposes, and capable of being integrated into a variety of downstream applications or systems. In plain English: foundation models and large language models (LLMs) like GPT, Claude, Gemma, Mistral, and multimodal models like GPT-4o or Gemini — all fall under the GPAI definition if they are made available commercially in the EU.
GPAI obligations in the EU AI Act are divided into two tiers: obligations applying to all GPAI providers (Art. 53), and additional obligations applying to GPAI providers with systemic risk (Art. 55). The key threshold for presumed systemic risk is training compute above 10^25 floating point operations (FLOPs). The EU AI Office can also designate models as systemic risk based on qualitative criteria regardless of compute.
When did GPAI obligations take effect?
The EU AI Act entered into force on 1 August 2024. GPAI provisions (Chapter V, Art. 51-56) became applicable on 2 August 2025 — one year after entry into force. Full AI Act applicability (covering high-risk AI systems and all other provisions) runs from 2 August 2026. GPAI providers should already be compliant with Art. 53 and Art. 55 obligations by August 2025.
Art. 53 obligations — All GPAI providers
Every provider placing a GPAI model on the EU market must comply with Art. 53, regardless of compute or risk designation:
Art. 53(1)(a) — Technical documentation
GPAI providers must draw up and keep up-to-date technical documentation covering: the general description of the GPAI model, its intended purpose and limitations; the training methodologies and data used; the compute resources used (hardware, training time, energy); the model's capabilities and performance across tasks; and information on testing and evaluation. The Commission has provided an Annex XI template with eight required elements.
Art. 53(1)(b) — Information for downstream providers
When a GPAI model is made available via API or integrated into products by downstream providers, the GPAI provider must supply those downstream providers with adequate information to understand the model's capabilities, limitations, and appropriate use — effectively a standardised model card. The EU AI Office Code of Practice has developed recommended model card formats.
Art. 53(1)(c) — Copyright policy
GPAI providers must put in place a policy to comply with EU copyright law, including the text and data mining (TDM) exception under Art. 3 and 4 of the DSM Directive (2019/790). In practice this means: honouring robots.txt exclusions and opt-out signals from rights holders; using licensed data where the TDM research exception doesn't apply; maintaining records of data provenance; and implementing a process to handle valid copyright infringement complaints.
Art. 53(1)(d) — Training data summary
GPAI providers must publish a sufficiently detailed summary of the content used to train the model. The EU AI Office has issued guidance indicating this must include: major data source categories (web crawl, curated datasets, licensed data, synthetic data); geographic coverage; time period; approximate proportions; and known quality limitations or filtering approaches. Commercial sensitivity of exact data mixtures can be protected, but a meaningful public summary is required.
Open-source carve-outs
GPAI models released under a free and open-source licence enjoy a partial exemption from Art. 53: open-source GPAI providers are not required to provide technical documentation to downstream providers. However, the copyright policy obligation (Art. 53(1)(c)) and the training data summary obligation (Art. 53(1)(d)) still apply — and there is no exemption from Art. 55 systemic risk obligations if the model exceeds the compute threshold.
Art. 55 obligations — GPAI with systemic risk
Providers of GPAI models designated as having systemic risk — either by exceeding the 10^25 FLOPs threshold or by EU AI Office designation — must comply with additional obligations under Art. 55:
Model evaluation and adversarial testing
Systemic risk GPAI providers must conduct model evaluations in accordance with standardised protocols (to be specified in the Code of Practice), including adversarial testing. Red-teaming must specifically assess risks such as: CBRN (chemical, biological, radiological, nuclear) misuse potential; cyberattack facilitation; large-scale disinformation and manipulation; undermining critical infrastructure; and general model safety. Results must be documented and acted upon.
Incident reporting to the EU AI Office
Art. 55(1)(c) requires GPAI providers with systemic risk to report serious incidents to the EU AI Office without undue delay. A "serious incident" includes incidents that result in death or serious harm to health, safety, or fundamental rights, as well as incidents involving significant disruption to critical infrastructure. Providers must maintain an incident log and establish clear internal escalation processes.
Cybersecurity for model weights
Art. 55(1)(d) requires providers to implement adequate cybersecurity protection for the model and its physical infrastructure. For systemic risk models, this means: access controls restricting who can access model weights and training infrastructure; insider threat detection and monitoring; exfiltration prevention; regular security audits; and supply chain security for hardware and software dependencies used in training.
The EU AI Office Code of Practice
The EU AI Office has convened a multi-stakeholder process to develop the GPAI Code of Practice. The first iteration of the Code was published in March 2025. The Code is not legally binding per se, but compliance with it creates a strong presumption of compliance with Art. 53 and 55. The Code covers five workstreams: (1) transparency and copyright, (2) risk and safety taxonomy, (3) technical robustness and evaluation, (4) governance and accountability, and (5) open-source. Major AI labs — including OpenAI, Google DeepMind, Anthropic, Meta, Mistral, and others — are participating in the Code of Practice process.
Providers who are not participating should at minimum monitor the Code's development and align internal practices with it. Signing up for the Code of Practice is free and signals good faith to EU AI Office regulators.
Enforcement and penalties
The EU AI Office is the primary supervisor for GPAI models, with powers to request information, conduct evaluations, and impose penalties. For infringement of GPAI obligations, penalties can reach €15 million or 3% of total worldwide annual turnover, whichever is higher. For systemic risk obligations, these penalties can be imposed for non-compliance with adversarial testing, incident reporting, or cybersecurity requirements. National competent authorities retain jurisdiction over downstream deployers, but the EU AI Office coordinates and has primary GPAI oversight.
Building your GPAI compliance programme
A practical GPAI compliance programme should include: (1) a technical documentation file maintained in Annex XI format, updated with each model version; (2) a standardised model card for downstream providers; (3) a documented copyright policy covering TDM compliance and opt-out signal monitoring; (4) a published training data summary; (5) for systemic risk models, a red-teaming programme with documented methodology, results, and remediation tracking; (6) an incident log and EU AI Office reporting process; (7) cybersecurity controls for model weights and infrastructure; and (8) a designated GPAI compliance function with a named responsible person.
Assess your GPAI conformity
The EU AI Act GPAI Conformity Assessment tool covers all 42 GPAI obligations across six domains: technical documentation (Art. 53(1)(a)-(b)), copyright and training data (Art. 53(1)(c)-(d)), systemic risk assessment (Art. 51/55), adversarial testing (Art. 55(1)(a)-(b)), incident reporting and cybersecurity (Art. 55(1)(c)-(d)), and governance and the Code of Practice. Mark each obligation as compliant, partial, gap, or not applicable, and generate an AI-drafted conformity report with a prioritised remediation roadmap.
Related tools
See also: EU AI Act High-Risk AI Conformity Assessment, ISO 42001 AI Management System Gap Assessment, NIST AI RMF Gap Assessment, AI Fairness & Bias Audit Checklist, EU AI Liability Directive Gap Assessment.