--- title: "EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties" source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties" author: "Sorena AI" description: "FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU AI Act" - "GPAI" - "general-purpose AI models" - "systemic risk" - "Article 53" - "Article 55" - "AI Office" - "training content summary" - "copyright policy" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. *FAQ* *EU AI Act* ## EU AI Act GPAI and systemic-risk duties General-purpose AI model providers must separate baseline Article 53 duties from the additional Article 55 duties that apply only to GPAI models with systemic risk. Use this FAQ to check provider status, systemic-risk classification, downstream documentation, copyright and training-summary work, serious-incident reporting, cybersecurity, and Code of Practice caveats. The EU AI Act regulates general-purpose AI models through Chapter V. Article 53 applies to providers of GPAI models placed on the Union market. Article 55 adds model-evaluation, systemic-risk, serious-incident, and cybersecurity duties when a GPAI model is classified as having systemic risk. ## What does Article 53 require from GPAI model providers? Article 53 requires providers of general-purpose AI models to keep technical documentation for authorities, provide information to downstream AI system providers, maintain a copyright-compliance policy, and publish a sufficiently detailed summary of the content used for training. The downstream information is not marketing copy. It must help AI system providers understand the model's capabilities and limitations and comply with their own AI Act obligations, while still protecting intellectual property, confidential business information, and trade secrets. - Keep model technical documentation up to date, including the training and testing process and evaluation results, for the AI Office and national competent authorities on request. - Provide integration documentation to downstream providers, including capabilities, limitations, acceptable use policies, release and distribution details, architecture, software dependencies, and other Annex XII information. - Put in place a policy to comply with Union copyright and related-rights law, including rights reservations under Article 4(3) of Directive (EU) 2019/790. - Publish the Article 53(1)(d) public summary of training content using the AI Office template. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for Article 53 duties and Annex XI and XII documentation content. - [European Commission - GPAI provider guidelines](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance on GPAI model provider scope, lifecycle documentation, downstream information, open-source exemptions, and staged application. ## When is a GPAI model classified as having systemic risk? Article 51 classifies a general-purpose AI model as a GPAI model with systemic risk if it has high-impact capabilities, or if the Commission designates it after an ex officio assessment or a qualified alert from the scientific panel using Annex XIII criteria. The Act creates a compute-based presumption: a GPAI model is presumed to have high-impact capabilities when the cumulative computation used for training is greater than 10^25 floating point operations. Article 52 then requires notification to the Commission without delay and in any event within two weeks after the requirement is met or it becomes known that it will be met. - Record the model's training compute estimate, methodology, and supporting evidence before market placement decisions. - Escalate if training compute exceeds 10^25 FLOP or if model reach, modalities, autonomy, scalability, tools, user base, or training data suggest Annex XIII significance. - If relying on the Article 52 exception argument, keep objective evidence for why the model does not present systemic risk despite meeting the high-impact presumption. - Track Commission designation and reassessment decisions because systemic-risk status changes the provider duty set. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for Article 51 classification, Article 52 notification and reassessment, and Annex XIII designation criteria. - [European Commission - GPAI provider guidelines](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance explaining GPAI scope, the systemic-risk presumption, notification to the AI Office, and training-compute estimation context. ## What extra duties apply under Article 55 for GPAI models with systemic risk? Article 55 duties apply in addition to Articles 53 and 54. Providers of GPAI models with systemic risk must evaluate the model with state-of-the-art protocols and tools, conduct and document adversarial testing, assess and mitigate systemic risks at Union level, track and report serious incidents, and protect the model and its physical infrastructure with adequate cybersecurity. The Article 55 work should be continuous across development, placing on the market, and use. It should cover sources of systemic risk, post-market learning from incidents and misuse, corrective measures, and security risks such as model leakage, unauthorised releases, circumvention of safety measures, unauthorised access, and model theft. - Model evaluation file: protocols, benchmarks or other methodologies, evaluation criteria, metrics, results, known limitations, and who performed the evaluation. - Adversarial testing file: internal or external testing plan, test scope, model adaptations, red-team findings, mitigation decisions, and unresolved risk rationale. - Systemic-risk file: Union-level risk sources, affected public interests, likelihood and severity, mitigation measures, residual risk, and post-market monitoring triggers. - Serious-incident file: incident facts, model version, affected use or integration, known or likely harm, corrective measures, reporting route to the AI Office and, where appropriate, national competent authorities. - Cybersecurity file: controls for weights, algorithms, servers, datasets, access management, physical security, leak prevention, vulnerability handling, and attack response. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for Article 55 model evaluation, systemic-risk mitigation, serious-incident reporting, and cybersecurity duties. - [European Commission - AI Act serious incident template](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Commission page announcing the reporting template for serious incidents involving GPAI models with systemic risk. - [European Commission - GPAI Code of Practice](https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai?ref=sorena.io) - Commission page explaining the GPAI Code of Practice chapters, including the Safety and Security chapter for Article 55 systemic-risk obligations. ## How do copyright policy, training summaries, open-source models, and the Code of Practice fit together? The Article 53 copyright policy and public training-content summary are separate duties. The copyright policy is an internal compliance policy for Union copyright and related-rights law. The public summary is a transparency artifact about the content used for model training, published according to the AI Office template. Open-source status can reduce some Article 53 documentation duties only when the licence and public availability conditions are met, and it does not remove the copyright-policy or training-summary duties. It also does not exempt GPAI models with systemic risk from the transparency-related obligations. - Copyright policy: identify and comply with rights reservations under Article 4(3) of Directive (EU) 2019/790, including through state-of-the-art technologies where relevant. - Training-content summary: publish a sufficiently detailed summary using the AI Office template, generally comprehensive in scope while protecting trade secrets and confidential business information. - Open-source caveat: Article 53(2) excludes only Article 53(1)(a) and (b) for qualifying open-source GPAI models, and not for GPAI models with systemic risk. - Code of Practice caveat: providers may rely on approved codes of practice to demonstrate compliance until harmonised standards are published, but providers outside an approved code or standard must show alternative adequate means to the Commission. - Copyright Code caveat: the GPAI Copyright Chapter helps demonstrate Article 53(1)(c) implementation, but it does not itself decide compliance with Union copyright law. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for Article 53 copyright, training-summary, open-source exemption, and code-of-practice provisions. - [European Commission - Training-content summary template](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models?ref=sorena.io) - Commission page for the explanatory notice and template for public summaries of training content under Article 53(1)(d). - [European Commission - Training-content summary FAQ](https://digital-strategy.ec.europa.eu/en/faqs/template-general-purpose-ai-model-providers-summarise-their-training-content?ref=sorena.io) - Commission FAQ explaining that the template gives a common minimal baseline for public training-content summaries. - [GPAI Code of Practice - Copyright Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118115?ref=sorena.io) - Code chapter used for the caveat that adherence supports Article 53(1)(c) demonstration but does not itself determine Union copyright-law compliance. ## What staged application and enforcement points are supported for GPAI duties? The Commission guidelines state that Chapter V obligations for GPAI model providers apply from 2 August 2025. They also state that Commission enforcement powers for these obligations enter into application on 2 August 2026, and that providers of GPAI models placed on the market before 2 August 2025 must take necessary compliance steps by 2 August 2027. The same guidance says the guidelines are not legally binding and that authoritative interpretation of the AI Act is for the Court of Justice of the European Union. Treat the dates above as implementation milestones grounded in the cited Commission guidance, not as a complete enforcement calendar for every AI Act duty. - From 2 August 2025: Chapter V GPAI provider obligations enter into application according to the Commission guidelines. - From 2 August 2026: the Commission says its enforcement powers for GPAI provider obligations enter into application, including fines under Article 101. - By 2 August 2027: providers of GPAI models placed on the market before 2 August 2025 must take necessary steps to comply, according to the guidelines and Article 111(3) reference. - Do not use this GPAI FAQ to infer deadlines for unrelated high-risk AI system, prohibited-practice, transparency, product-law, or national-authority obligations. Sources for this answer: - [European Commission - GPAI provider guidelines](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance supporting the Chapter V application date, enforcement-power date, legacy-model compliance date, non-binding-guidance caveat, and Commission enforcement role. - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for Article 101, Article 111, Article 113, and the underlying Chapter V obligations referenced by the Commission guidelines. ## Primary sources - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for GPAI definitions, Article 51 classification, Article 52 procedure, Article 53 provider duties, Article 55 systemic-risk duties, Annex XI, Annex XII, and Annex XIII. - Quote: "GENERAL-PURPOSE AI MODELS" - [European Commission - GPAI provider guidelines](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance on GPAI provider scope, lifecycle obligations, downstream modifiers, open-source exemptions, systemic-risk classification, Code of Practice use, and staged enforcement. - Quote: "Guidelines for providers of general-purpose AI models" - [European Commission - GPAI Code of Practice](https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai?ref=sorena.io) - Commission page explaining the GPAI Code of Practice as a voluntary tool with Transparency, Copyright, and Safety and Security chapters. - Quote: "General-Purpose AI Code of Practice" - [European Commission - Training-content summary template](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models?ref=sorena.io) - Commission source for the public summary of training content template under Article 53(1)(d). - Quote: "Public Summary of Training Content" - [European Commission - Training-content summary FAQ](https://digital-strategy.ec.europa.eu/en/faqs/template-general-purpose-ai-model-providers-summarise-their-training-content?ref=sorena.io) - Commission FAQ supporting the mandatory template and common minimal baseline for GPAI training-content summaries. - Quote: "common minimal baseline" - [European Commission - AI Act serious incident template](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Commission source for the serious-incident reporting template for GPAI models with systemic risk. - Quote: "serious incidents involving general-purpose AI models with systemic risk" - [GPAI Code of Practice - Copyright Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118115?ref=sorena.io) - GPAI Code chapter used for copyright-policy implementation caveats under Article 53(1)(c). - Quote: "adherence to the Code does not constitute compliance" ## Topic Guides - [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md): FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md): Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. - [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/artificial-intelligence-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification. - [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/artificial-intelligence-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records. - [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/artificial-intelligence-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions. - [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/artificial-intelligence-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use. - [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/artificial-intelligence-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties. - [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/artificial-intelligence-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties. - [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/artificial-intelligence-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement. - [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/artificial-intelligence-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning. - [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/artificial-intelligence-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. - [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence. - [EU AI Act GPAI evidence pack checklist for Article 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow.md): Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable. - [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls. - [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/artificial-intelligence-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties. - [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/artificial-intelligence-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries. - [EU AI Act high-risk conformity assessment route selector](/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow.md): Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence. - [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/artificial-intelligence-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity. - [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/artificial-intelligence-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines. - [EU AI Act post-market monitoring and serious incident reporting](/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents.md): Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions. - [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring.md): Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. - [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries.md): FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. - [EU AI Act risk classification intake workflow](/artifacts/eu/artificial-intelligence-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers. - [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting. - [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/artificial-intelligence-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring. - [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/artificial-intelligence-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/artificial-intelligence-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations. - [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits. - [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits. - [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies.md): source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. *Recommended next step* *Placement: before sources* ## Turn GPAI provider duties into reviewable records Sorena can help map a GPAI model portfolio to Article 53 documentation, downstream information, copyright policy, training-content summaries, systemic-risk files, serious-incident routing, and cybersecurity evidence. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about GPAI provider scope, Article 53, Article 55, systemic-risk classification, and evidence expectations. - [Talk through GPAI obligations](/contact.md): Review your model documentation, downstream integration package, copyright policy, public training-content summary, and systemic-risk controls with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties