RegOps for GPAI

GPAI Providers & ISVs

Whether you're training foundation models or shipping AI-enabled software, the EU AI Act creates specific obligations for providers placing AI systems on the EU market. Articles 51-56 establish the GPAI regime. The broader AI system requirements apply to every ISV releasing AI-powered products to European customers. The question isn't whether these obligations apply — it's whether you're ready to evidence compliance when the market surveillance authority asks.

GPAI Obligations

Articles 51-56: What every GPAI provider must do

Six core obligations for providers of general-purpose AI models placed on the EU market — regardless of where the provider is headquartered.

Technical Documentation & Model Cards

Art. 53(1)(a)

Every GPAI provider must create and maintain technical documentation — including model cards — that describe the model's capabilities, limitations, intended use, training methodology, and evaluation results. This documentation must be made available to downstream providers integrating your model into their AI systems.

Art. 53(1)(c) + GDPR

GPAI providers must implement a policy to comply with EU copyright law, including the Text and Data Mining Directive. If your model was trained on copyrighted material, you must document the data sources, respect opt-out mechanisms under Art. 4 of the TDM Directive, and under GDPR, establish lawful basis for any personal data in training sets.

Downstream Provider Support

Art. 53(1)(b)

When your model is integrated into downstream AI systems, those systems may become high-risk. You must provide downstream providers with sufficient information — technical documentation, usage instructions, and capability boundaries — to enable them to meet their own EU AI Act obligations.

Model Evaluation & Testing

Art. 53(1)(a)

Comprehensive evaluation including capability benchmarking, limitation testing, risk assessment for foreseeable misuse, bias evaluation, and safety testing. For models approaching systemic risk thresholds, evaluation must include adversarial testing and red-teaming.

Codes of Practice

Art. 56

The AI Office is developing codes of practice for GPAI providers. Adherence to these codes creates a presumption of conformity. Participating in the code development process and adopting the resulting practices is the most practical path to demonstrating compliance.

EU Authorised Representative

Art. 54

Non-EU providers placing GPAI models on the EU market must appoint an authorised representative established in the EU. This representative acts as your regulatory contact point and must have the mandate and resources to handle compliance enquiries and enforcement actions.

Systemic Risk

When your model crosses the threshold

GPAI models with systemic risk face additional obligations — adversarial testing, incident reporting, and enhanced cybersecurity.

Systemic Risk Classification

GPAI models are classified as having systemic risk when their cumulative compute used for training exceeds 10^25 FLOP, or when the Commission designates them based on capabilities with equivalent impact. This triggers additional obligations beyond the standard GPAI requirements.

Adversarial Testing

Providers of systemic risk models must perform and document adversarial testing, including red-teaming, to identify and mitigate systemic risks. Testing must cover foreseeable risks to public health, safety, fundamental rights, and democratic processes.

Incident Monitoring & Reporting

Systemic risk model providers must track, document, and report serious incidents to the AI Office and relevant national authorities. This includes incidents caused by downstream uses that the provider could reasonably have foreseen.

Cybersecurity Protections

Adequate cybersecurity protections for the model and its physical infrastructure. This extends beyond standard IT security to model-specific threats: training data poisoning, model extraction, prompt injection, and adversarial attacks on model outputs.

For ISVs

Shipping AI-enabled software to the EU market

You don't need to be training foundation models to have GPAI obligations. Every ISV releasing AI-powered software to European customers is a provider under the AI Act.

Embedding GPAI in Your Product

When you integrate a foundation model into your software product, the composite system inherits obligations from both the GPAI regime (your model provider's responsibilities) and the AI system regime (your responsibilities as a provider placing a system on the market). The platform helps you map which obligations are yours and which flow to your model supplier.

Multi-Market Deployment

Selling AI-enabled software across EU member states means navigating 27 national implementations of the same regulation. Market surveillance authorities, notification requirements, and enforcement practices vary by jurisdiction. The platform tracks deployment geography and surfaces jurisdiction-specific obligations.

Customer Conformity Support

Your customers — the deployers of your AI-enabled software — have their own EU AI Act obligations. They will ask you for technical documentation, risk assessments, and compliance evidence to support their conformity assessment. The platform generates deployer-facing documentation packages from your provider data.

Governance by Design for ISVs

Build compliance into your development lifecycle, not as a release gate. The platform's Governance by Design framework maps regulatory requirements to your product architecture, generates compliance tasks within your sprint cycles, and exports to Jira, Trello, and Asana.

CE Marking & Declaration of Conformity

High-risk AI systems require CE marking before market placement. The platform manages the conformity assessment process — documentation, testing, review, approval — and generates the Declaration of Conformity to Article 47 specification. One workflow from development to market.

IP Protection & Data Rights

Balancing transparency obligations with intellectual property protection. The AI Act requires technical documentation, but trade secrets and proprietary training methodologies can be protected under specific conditions. The platform helps you disclose what's required while protecting what's valuable.

The IP landscape for AI training

Copyright law and GDPR create overlapping obligations for training data — from text and data mining rights to data subject access requests.