EU AI Act GPAI Provider Obligations

Start with role and model classification. A provider is the organisation that develops a general-purpose AI model, or has one developed, and places it on the market under its own name or trademark. A deployer, downstream AI-system provider, reseller, or customer may have AI Act duties, but Article 53 and Article 55 are written for GPAI model providers.

Use foundation model as a search synonym only. The public compliance record should use the AI Act term general-purpose AI model, because the obligations and annexes are tied to that defined term.

Article 53 requires four core workstreams for providers of general-purpose AI models: model technical documentation for the AI Office and authorities, information for downstream AI-system providers, a Union copyright-law policy, and a public summary of training content using the AI Office template.

The documentation workstream is not just a model card. Annex XI points to model purpose, acceptable-use policies, release and distribution method, architecture, parameters, modality, licence, training and testing process, data provenance and curation, compute used for training, training time, and known or estimated energy consumption where relevant.

Article 53 has a limited open-source exception for the documentation and downstream-information duties in Article 53(1)(a) and (b). It applies only when the model is released under a free and open-source licence allowing access, use, modification, and distribution, and when parameters, weights, architecture information, and model-usage information are made publicly available.

That exception does not remove the copyright-policy duty or the public training-summary duty, and it does not apply to GPAI models with systemic risk. The Commission's GPAI provider guidelines also warn that significant modifications can make the modifier a provider for the relevant model changes, while minor changes are treated differently.

A GPAI model is classified as having systemic risk if it has high-impact capabilities evaluated with appropriate tools and methodologies, including indicators and benchmarks, or if the Commission designates it based on equivalent capabilities or impact. Article 51 creates a presumption of high-impact capabilities when training compute is greater than 10^25 floating point operations.

When the systemic-risk classification applies, Article 55 adds duties on top of Articles 53 and 54. The provider must evaluate the model, assess and mitigate Union-level systemic risks, track and report serious incidents without undue delay, and ensure an adequate level of cybersecurity protection for the model and its physical infrastructure.

The downstream package should let AI-system providers understand capabilities and limitations and meet their own AI Act duties. Annex XII requires more than marketing claims: it points to tasks, integration types, acceptable-use policies, release and distribution details, external hardware or software interactions, relevant software versions, architecture and parameters, input and output modality and format, licence, integration means, input and output limits, and training, testing, and validation data information where applicable.

The Transparency chapter of the GPAI Code of Practice adds a practical access pattern for signatories: disclose contact information for the AI Office and downstream providers, provide the most up-to-date model documentation intended for downstream providers, and provide necessary additional information within a reasonable timeframe, no later than 14 days after receiving the request except in exceptional circumstances.

The GPAI Code of Practice is voluntary. The Commission and AI Board have confirmed it as an adequate voluntary tool for GPAI model providers to demonstrate AI Act compliance, but Article 53 and Article 55 still allow other routes: harmonised standards grant presumption of conformity where they cover the obligations, and providers that do not adhere to an approved code or harmonised standard must demonstrate alternative adequate means of compliance for Commission assessment.

The Code should not be treated as a copyright safe harbour. Its Copyright chapter states that adherence to the Code does not constitute compliance with Union copyright law and does not affect copyright enforcement by Member State courts or the Court of Justice of the European Union.