Skip to main content

05 · General-Purpose AI (GPAI) Models

Sources
note

Chapter V (GPAI obligations) became applicable 2 August 2025.

Definitions

TermMeaning
GPAI modelModel trained on large data via self-supervision at scale, capable of a wide range of tasks, integrable into downstream systems. Does not include models used only internally for R&D before market release.
GPAI systemAI system based on a GPAI model, serving various purposes, for direct use or integration in other systems.
Systemic riskRisk from GPAI models with cumulative training compute > 10²⁵ FLOPs, or designated by the Commission as having high-impact capabilities even below this threshold. Providers must notify the Commission within 2 weeks of meeting the threshold.

Obligations on all GPAI model providers

  1. Draw up technical documentation (training process, evaluation results, architecture)
  2. Prepare information and documentation for downstream providers (capabilities, limitations, intended use)
  3. Establish a policy to respect the Copyright Directive (EU 2019/790)
  4. Publish a sufficiently detailed summary of training data content

Additional obligations for providers of systemic-risk GPAI models

  1. Perform model evaluations including adversarial testing
  2. Assess and mitigate systemic risks (including their sources)
  3. Track, document and report serious incidents to the AI Office and relevant national authorities without undue delay
  4. Ensure adequate cybersecurity protections

Open-weight / open-source exception

Providers of free and open-licence GPAI models (parameters, weights, architecture, and usage terms all publicly available) only need to comply with obligations 3 and 4 (copyright + training summary), unless the model presents a systemic risk — in which case all obligations apply regardless.

GPAI Code of Practice (CoP)

Published: 10 July 2025 by the European Commission, following the independent expert drafting process

Nature: Voluntary compliance tool. It can help providers demonstrate compliance with Articles 53 and 55 while harmonised standards are unavailable, but PE-CONS 30/26 clarifies that these codes have limited legal effect and do not create a presumption of conformity.

URL: https://code-of-practice.ai/

EC page: https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai

Three chapters:

  • Transparency: what information must be documented and disclosed
  • Copyright: how to implement a copyright policy for training data
  • Safety & Security: for systemic-risk models — evaluation, red-teaming, incident reporting, cybersecurity

Providers that do not rely on the Code still need to demonstrate compliance with Articles 53 and 55 through other adequate measures.

Signatory taskforce

The signatory taskforce process involved industry players (OpenAI, Google DeepMind, Meta, Mistral, etc.) working with independent experts. Results fed into the final CoP. URL: https://digital-strategy.ec.europa.eu/en/policies/signatory-taskforce-gpai-code-practice

Scope guidelines (July 2025)

The Commission published guidelines clarifying who along the AI value chain must comply with GPAI obligations, including when a fine-tuner or integrator becomes a "provider" vs. staying a "deployer." URL: https://digital-strategy.ec.europa.eu/en/library/guidelines-scope-obligations-providers-general-purpose-ai-models-under-ai-act

Training content summary template

Providers must publish an overview of training data sources (large datasets, top domain names) and data processing aspects. URL: https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models

Key articles

TopicArticle(s)
GPAI model definitionArt. 3(63)
Systemic risk thresholdArt. 51
Obligations – all GPAIArt. 53
Obligations – systemic riskArt. 55
Code of PracticeArt. 56
Downstream integrationArt. 54
Enforcement (AI Office)Arts. 88–94
Transitional – pre-Aug 2025 modelsArt. 111(3)