EU AI Act topic guide

General-purpose AI under the EU AI Act: rules for foundation models

General-purpose AI (GPAI) models - the foundation models behind AI assistants, image generators and coding tools - are regulated on a separate track from AI systems. These rules apply to the model providers (not necessarily to downstream deployers), with extra obligations for the most powerful "systemic risk" models. GPAI rules have been applicable since 2 August 2025.

Reviewed by the AI Act Navigator team · Last updated 9 June 2026

TL;DR

  • GPAI rules apply to providers of AI models that can competently perform a wide range of distinct tasks (large language models, multimodal models, etc.).
  • All GPAI providers (Article 53): technical documentation, information for downstream providers, EU copyright compliance policy, and a public training-data summary.
  • Open-source exemption: providers of freely available open-source GPAI models are exempt from documentation duties - unless the model has systemic risk.
  • Extra duties for systemic-risk models (Article 55): adversarial testing, systemic risk assessment/mitigation, serious incident reporting, and cybersecurity measures.
  • Systemic risk is presumed at >10²⁵ FLOP training compute (Article 51).

Scope

What this covers

  • Any provider that trains or has trained a GPAI model (including fine-tuning a base model to create a new GPAI model) and places it on the EU market or puts it into service, regardless of where the provider is established.
  • Article 53 obligations for all GPAI providers: technical documentation (per Annex XI/XII), information and documentation for downstream AI system providers integrating the model, an EU copyright law compliance policy (including respecting Text-and-Data-Mining opt-outs), and a publicly available summary of training content.
  • Article 55 extra obligations for systemic-risk GPAI models (presumed at >10²⁵ FLOP): model evaluation including adversarial testing (red-teaming); assessment and mitigation of systemic risks at EU level; tracking, documenting and reporting of serious incidents to the AI Office without undue delay; and adequate cybersecurity.

Open-source exemption (Article 53): providers of GPAI models released under a free and open-source licence are exempt from the Art. 53(1)(a)-(b) documentation duties. This exemption does NOT apply if the model has systemic risk.

Source: Regulation (EU) 2024/1689 (EUR-Lex)

Compliance challenges

Key compliance challenges

  • Determining whether your model meets the GPAI definition - the GPAI Guidelines use an indicative threshold of >10²³ FLOP for models that generate language/text-to-image/text-to-video, but the legal test is "significant generality and competent performance of a wide range of distinct tasks."
  • The systemic risk threshold (>10²⁵ FLOP) is currently met only by the largest foundation models, but the Commission can update it by delegated act.
  • Downstream provider obligations: if you integrate a GPAI model into an AI system you place on the market, you are a provider of that AI system - and the GPAI provider is required to give you the documentation you need for your own compliance.
  • The GPAI Code of Practice is a voluntary tool but the most practical near-term compliance pathway; non-participation shifts the burden of proof onto the provider to demonstrate compliance by other means.

The EU AI Act applies a risk-based approach: obligations scale with the level of risk posed.

Source: AI Act high-level summary

What to do

  1. Identify whether your model meets the GPAI definition based on its generality, capability breadth, and the GPAI Guidelines compute threshold.
  2. Check whether the model has systemic risk (>10²⁵ FLOP or designated by the Commission); if yes, build the Article 55 compliance programme.
  3. For all GPAI models: prepare technical documentation per Annex XI (for providers) and Annex XII (for downstream providers); document your copyright/TDM compliance policy; draft the public training-data summary per the AI Office template.
  4. If the model is open-source, confirm it qualifies for the Art. 53 exemption and document that assessment.
  5. Consider joining the GPAI Code of Practice process to engage with the AI Office and shape compliance expectations.

For the full obligations breakdown, see the AI Act obligations guide, and for role-specific duties see the provider vs deployer guide.

GPAI rules are already in force - no postponement

Unlike most high-risk obligations, the GPAI rules under Chapter V (Articles 51-56) have been fully applicable since 2 August 2025. They are not affected by the Digital Omnibus provisional agreement. The GPAI Code of Practice has been operative since that date.

Source: Council press release, 7 May 2026

FAQ

General-purpose AI (GPAI): common questions

If I just use a GPAI model (not train it), do I have GPAI obligations?
No. GPAI obligations fall on the model provider (the entity that trained/deployed it). If you use a GPAI model to build an AI system and put that system on the market under your own name, you are an AI system provider and must comply with the AI system rules (including high-risk rules if applicable) - not the GPAI Chapter V rules directly.

Does the open-source exemption cover all obligations?
Only the Article 53(1)(a)-(b) documentation duties are exempted for open-source GPAI providers. All providers (including open-source) must still comply with the copyright compliance policy duty (Article 53(1)(c)) and the training-data summary duty (Article 53(1)(d)). Systemic-risk obligations under Article 55 also apply to open-source models just as to proprietary ones.

What is the GPAI Code of Practice and is it mandatory?
The Code of Practice is a voluntary compliance tool drawn up by the AI Office together with GPAI model providers and other stakeholders. Compliance with an adequate Code of Practice can serve as evidence of conformity with Articles 53 and 55. It is not mandatory, but declining to follow it means the provider must demonstrate compliance through other means.

My model has >10²³ FLOP but not >10²⁵ FLOP. Does systemic risk apply?
No - systemic risk is presumed only above 10²⁵ FLOP (Article 51). The 10²³ FLOP threshold in the GPAI Guidelines is an indicative marker for the general GPAI classification, not for systemic risk. However, the Commission can designate specific models as having systemic risk regardless of compute if they exhibit high-impact capabilities.

Do GPAI rules apply to fine-tuned or adapted versions of foundation models?
Yes, if the fine-tuned model still meets the GPAI definition (significant generality and wide-range capability), its provider has the GPAI obligations. If fine-tuning creates a specialised, narrow-purpose model, it may fall out of the GPAI definition but could then be an AI system subject to the AI system rules (including potentially the high-risk track).

This is guidance, not legal advice

This is guidance to help you understand how the EU AI Act applies to general-purpose AI (GPAI), not legal advice. For decisions specific to your organisation, confirm with the official sources we link or a qualified legal adviser.

Sources

  1. Regulation (EU) 2024/1689 (EU AI Act) - EUR-Lex, retrieved 9 Jun 2026
  2. European Commission: AI regulatory framework, retrieved 9 Jun 2026
  3. AI Act Explorer: high-level summary, retrieved 9 Jun 2026
  4. AI Act implementation timeline, retrieved 9 Jun 2026
  5. Council of the EU: Digital Omnibus provisional agreement, 7 May 2026, retrieved 9 Jun 2026
