Foundation Models & GPAI

The EU AI Act creates a dedicated regime for general-purpose AI — Articles 51 through 56. Every GPAI provider faces documentation, transparency, and copyright obligations. Those with systemic risk face additional requirements: adversarial testing, incident reporting, and cybersecurity protections.

Provider Obligations

What the EU AI Act requires from GPAI providers

Six core obligations that apply to all general-purpose AI model providers, regardless of systemic risk classification.

Model Cards & Documentation

Art. 53(1)(a)

GPAI providers must draw up and maintain technical documentation of the model, including training and testing processes, and provide it to downstream providers. This documentation forms the basis for downstream conformity assessments.

Information for Downstream Providers

Art. 53(1)(b)

Providers must supply downstream deployers with information to understand the model's capabilities and limitations. This includes intended and foreseeable uses, performance metrics, and known risks — enabling downstream compliance.

Art. 53(1)(c)

GPAI providers must implement a policy to comply with EU copyright law, including the Text and Data Mining Directive. This means respecting opt-out mechanisms, maintaining records of training data sources, and handling takedown requests.

Model Evaluation

Art. 53(1)(d)

Providers must evaluate GPAI models using state-of-the-art methodologies, including adversarial testing. Evaluation must cover capabilities, limitations, and foreseeable risks — with results documented and made available to authorities.

Transparency for Users

Art. 53(2)

GPAI providers placing models on the EU market must publish a sufficiently detailed summary of the training data, following a template provided by the AI Office. This summary must be publicly accessible.

Codes of Practice

Art. 56

The AI Office encourages GPAI providers to develop codes of practice that detail compliance approaches. Adherence to codes of practice provides a presumption of conformity — making them practically mandatory for market access.

Systemic Risk

Systemic risk classification and obligations

GPAI models above the compute threshold — or designated by the Commission — face additional obligations beyond the standard GPAI requirements.

Threshold	Classification	Obligations
Cumulative compute > 10^25 FLOP	Cumulative compute > 10^25 FLOP	Cumulative compute > 10^25 FLOP
Commission designation	Commission designation	Commission designation
Below compute threshold	Below compute threshold	Below compute threshold
Open-source models	Open-source models	Open-source models

GPAI Provider Compliance

Navigate Articles 51-56 — structured guidance for foundation model providers on documentation, evaluation, systemic risk assessment, and codes of practice.

Request Access Talk to Us