What Is GPAI Under the EU AI Act?
General-Purpose AI (GPAI) refers to AI models trained on broad data at scale that can competently perform a wide range of distinct tasks — and can be integrated into various downstream systems or applications. Chapter V (Articles 51–56) of Regulation EU 2024/1689 establishes a distinct compliance framework specifically for GPAI model providers, separate from the high-risk AI framework in Chapter III.
GPAI encompasses large language models (LLMs), multimodal foundation models, image generation models, and other AI systems trained at scale to perform diverse functions. The defining characteristic is generality — the capacity to serve many tasks — rather than training method or specific architecture.
Who Has GPAI Obligations?
GPAI obligations apply to providers of GPAI models — organisations that develop and make GPAI models available in the EU, whether to end users or to downstream providers integrating the model into their own products. This includes: providers of foundation models made available via API; providers of fine-tuned models made available to others; and providers of open-source GPAI models released publicly (with some reduced obligations for open-source).
Downstream providers — companies building applications on top of GPAI APIs — are not GPAI providers under the Act. They receive GPAI-related information from the model provider and have their own obligations if their downstream application is a high-risk AI system.
Standard GPAI Obligations (All GPAI Models)
1. Technical Documentation
Draw up and maintain technical documentation covering model architecture, training methodology, compute used, training data sources and governance, evaluation procedures, performance benchmarks, known limitations, and safety measures. Must be sufficient for the European AI Office to assess compliance.
2. Information for Downstream Providers
Provide sufficient information to downstream providers to understand the model's capabilities, limitations, and how to use it in compliance with the Act. Includes usage policies, acceptable use guidelines, and technical integration information enabling downstream providers to meet their own obligations.
3. Copyright Compliance Policy
Establish and publish a policy for complying with EU copyright law, including the Text and Data Mining (TDM) exception under the EU Copyright Directive. Must describe how the provider respects rights holder opt-outs and handles copyright-protected training data.
4. Training Data Summary
Publish a sufficiently detailed summary of training data: sources, collection methodology, data categories, and any filtering or preprocessing applied. Detailed enough for meaningful understanding without necessarily disclosing commercially sensitive specifics.
GPAI with Systemic Risk: Additional Obligations
A GPAI model has systemic risk if trained using compute above 10²⁵ FLOPs — the threshold defined in Regulation EU 2024/1689. The European AI Office may update this threshold as compute scales. GPAI models with systemic risk must additionally:
- Adversarial testing (red-teaming): Conduct adversarial testing to identify and mitigate systemic risks, including with independent third-party evaluators where designated by the AI Office.
- Incident reporting: Report serious incidents and possible corrective measures to the European AI Office within 15 working days of becoming aware.
- Cybersecurity measures: Implement protection against adversarial attacks, data poisoning, model extraction, and other security threats proportionate to the systemic risk profile.
- Systemic risk mitigation: Assess and mitigate possible systemic risks at EU level from the model's development and deployment. Document all relevant results and measures.
Open-Source GPAI Models
Open-source GPAI model providers — where model parameters are publicly available — are exempt from the standard information provision and copyright compliance policy requirements. However, open-source GPAI models with systemic risk are not exempt from systemic risk obligations. This is a critical distinction for open-source foundation model providers: being open-source does not provide protection from the systemic risk framework.
GPAI Code of Practice (July 2025)
The European AI Office published a voluntary GPAI Code of Practice in July 2025, providing practical guidance for GPAI providers on implementing Chapter V obligations. While voluntary, adherence creates a presumption of compliance with corresponding legal obligations. GPAI providers should treat the Code as a practically essential compliance reference, equivalent in importance to the regulatory text itself for implementation purposes.
No. If you integrate a third-party GPAI model via API, you are a downstream provider — not a GPAI provider. The GPAI obligations sit with the model provider (the API company). However, if your downstream application constitutes a high-risk AI system under Annex III, you have your own high-risk AI obligations as the provider of that system. You should receive information from the GPAI provider enabling you to fulfil those downstream obligations.
The threshold refers to total compute used in pre-training the model, measured in floating point operations. This should be documented in your technical records from training. Current frontier models (GPT-4 class and above) are generally estimated to exceed this threshold. Most fine-tuned models derived from open-source bases do not approach it. The European AI Office may issue additional methodology guidance for compute measurement.