GPAI evidence pack Article 53 and 55 checklist

Start the pack with a model-level record, not a product feature record. Article 53 applies to providers of general-purpose AI models, and the Commission guidance explains that the GPAI obligations are meant to clarify who must comply and what is expected from them.

Record whether the organisation is the original model provider, has placed a modified or fine-tuned GPAI model on the Union market, or is only integrating another provider's model into an AI system. Keep the model version, release date, Union market release date, distribution method, licence, dependencies, authorised representative status where relevant, and evidence of model authenticity in one place.

Article 53(1)(a) requires providers to draw up and keep up-to-date technical documentation of the model, including training and testing process information and evaluation results, for provision to the AI Office and national competent authorities on request.

Use Annex XI as the minimum table of contents. The pack should show what the model is intended to do, the systems it can be integrated into, acceptable use policies, release and distribution details, architecture and parameter information, input and output modalities and formats, licence, development process, data provenance and curation, training/testing/validation data, computational resources, training time, and known or estimated energy consumption.

Article 53(1)(b) is not only an authority-facing documentation duty. Providers must also draw up, keep up-to-date, and make available information and documentation to providers of AI systems that intend to integrate the GPAI model into their AI systems.

The downstream pack should be written for integration decisions. It should help downstream providers understand capabilities and limitations, comply with their own AI Act duties, and integrate the model with the technical means, input/output constraints, licence, acceptable use policy, and data provenance information listed in Annex XII.

Article 53(1)(c) requires a policy to comply with Union copyright law and related rights, including identification of and compliance with rights reservations under Article 4(3) of Directive (EU) 2019/790. The GPAI Code's Copyright Chapter operationalizes this through a maintained copyright policy, assigned responsibilities, crawler and rights-reservation controls, and measures to mitigate copyright-infringing outputs.

Article 53(1)(d) separately requires a sufficiently detailed public summary of training content using the AI Office template. The evidence pack should therefore contain both the internal copyright-policy evidence and the public summary evidence, with clear separation between private records and public-facing disclosures.

If the model is classified or designated as a GPAI model with systemic risk, Article 55 adds obligations on top of Articles 53 and 54. Keep these records in a separate systemic-risk annex so teams can see which controls apply only to systemic-risk models.

The annex should cover model evaluation, documented adversarial testing, assessment and mitigation of Union-level systemic risks and their sources, serious-incident tracking and reporting, corrective measures, and adequate cybersecurity protection for the model and its physical infrastructure.

Close the pack only when every required section has an owner, source, update trigger, and evidence location. The strongest pack separates authority-facing documentation, downstream-provider material, public summaries, and systemic-risk evidence instead of mixing all records into one policy document.

Do not claim Article 55 readiness unless the model has been assessed against the systemic-risk obligations and the evidence pack includes the extra testing, incident, mitigation, and cybersecurity records. Do not claim open-source exemptions without documenting the licence, public availability of parameters and architecture information, and whether the model presents systemic risk.