--- title: "EU AI Act GPAI evidence pack checklist for Article 53 and 55" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow" source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow" author: "Sorena AI" description: "Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU AI Act" - "GPAI evidence pack" - "Article 53" - "Article 55" - "model documentation" - "training content summary" - "systemic risk" - "GPAI" - "technical documentation" - "copyright policy" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU AI Act GPAI evidence pack checklist for Article 53 and 55 Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable. *Evidence Checklist* *EU AI Act* ## GPAI evidence pack Article 53 and 55 checklist Assemble the records a GPAI model provider needs for EU AI Act Article 53 obligations, with Article 55 extensions when the model has systemic risk. Use this page to collect technical documentation, downstream-provider information, copyright-policy evidence, a public training-content summary, and systemic-risk testing, incident, and cybersecurity records where applicable. This checklist is for teams that provide, modify, distribute, or integrate a general-purpose AI model and need a maintainable evidence pack for the EU AI Act. It keeps Article 53 baseline records separate from the extra Article 55 records that apply to GPAI models with systemic risk. ## 1. Confirm the model and provider record Start the pack with a model-level record, not a product feature record. Article 53 applies to providers of general-purpose AI models, and the Commission guidance explains that the GPAI obligations are meant to clarify who must comply and what is expected from them. Record whether the organisation is the original model provider, has placed a modified or fine-tuned GPAI model on the Union market, or is only integrating another provider's model into an AI system. Keep the model version, release date, Union market release date, distribution method, licence, dependencies, authorised representative status where relevant, and evidence of model authenticity in one place. - Evidence to keep: legal provider name, contact point, model name and version, model family coverage, model authenticity evidence such as a secure hash or endpoint, release date, Union market release date, model dependencies, licence, and distribution channels. - Owner: model governance or legal owns the role decision; model engineering owns model identity, dependencies, and authenticity evidence; product owns Union distribution channels. - Reopen trigger: a new model version, material modification, fine-tuning path, new Union distribution channel, licence change, or provider-role change. Sources for this answer: - [European Commission - Guidelines for GPAI providers](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Supports using provider-role and model-scope analysis before assigning GPAI obligations. - [GPAI Code of Practice - Transparency Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118120?ref=sorena.io) - Supports using the Model Documentation Form to organize model identity, recipient, and downstream-provider records. ## 2. Build the Article 53 technical documentation file Article 53(1)(a) requires providers to draw up and keep up-to-date technical documentation of the model, including training and testing process information and evaluation results, for provision to the AI Office and national competent authorities on request. Use Annex XI as the minimum table of contents. The pack should show what the model is intended to do, the systems it can be integrated into, acceptable use policies, release and distribution details, architecture and parameter information, input and output modalities and formats, licence, development process, data provenance and curation, training/testing/validation data, computational resources, training time, and known or estimated energy consumption. - Required pack section: model description, intended tasks, integration contexts, acceptable use policy, release and distribution record, architecture and parameter summary, modalities and formats, licence, development design choices, training methodology, data provenance and curation, bias-detection measures where applicable, evaluations, training compute, training time, and energy information. - Evidence standard: each field should identify the source system or document, last update date, evidence owner, and whether the information is intended for the AI Office, national competent authorities, downstream providers, or public release. - Reopen trigger: a model architecture change, new training run, new evaluation result, new data-source class, changed acceptable use policy, updated licence, or changed energy or compute estimate. Sources for this answer: - [Regulation (EU) 2024/1689 - Articles 53 and Annex XI](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal source for Article 53(1)(a) and Annex XI technical documentation content for GPAI models. - [GPAI Code of Practice - Transparency Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118120?ref=sorena.io) - Provides the Code's practical transparency documentation structure and Model Documentation Form approach. ## 3. Prepare downstream-provider information under Annex XII Article 53(1)(b) is not only an authority-facing documentation duty. Providers must also draw up, keep up-to-date, and make available information and documentation to providers of AI systems that intend to integrate the GPAI model into their AI systems. The downstream pack should be written for integration decisions. It should help downstream providers understand capabilities and limitations, comply with their own AI Act duties, and integrate the model with the technical means, input/output constraints, licence, acceptable use policy, and data provenance information listed in Annex XII. - Downstream bundle: model tasks, intended integration contexts, acceptable use policy, release and distribution method, licence, software versions where relevant, hardware or software interactions where relevant, architecture and parameters, modalities, formats, maximum input and output size, technical integration means, and data provenance information. - Delivery evidence: customer documentation link, developer portal page, model card, API documentation, release notes, terms or licence page, and a change log showing when downstream-facing information changed. - Reopen trigger: changed capabilities or limitations, changed input/output size, new integration method, licence or acceptable-use change, or a downstream-provider request showing that current documentation is unclear. Sources for this answer: - [Regulation (EU) 2024/1689 - Article 53 and Annex XII](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal source for downstream-provider information under Article 53(1)(b) and Annex XII. - [GPAI Code of Practice - Transparency Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118120?ref=sorena.io) - Supports distinguishing information intended for downstream providers from information provided to the AI Office or national competent authorities on request. ## 4. Add copyright-policy and training-summary evidence Article 53(1)(c) requires a policy to comply with Union copyright law and related rights, including identification of and compliance with rights reservations under Article 4(3) of Directive (EU) 2019/790. The GPAI Code's Copyright Chapter operationalizes this through a maintained copyright policy, assigned responsibilities, crawler and rights-reservation controls, and measures to mitigate copyright-infringing outputs. Article 53(1)(d) separately requires a sufficiently detailed public summary of training content using the AI Office template. The evidence pack should therefore contain both the internal copyright-policy evidence and the public summary evidence, with clear separation between private records and public-facing disclosures. - Copyright-policy evidence: policy owner, current policy version, responsibilities, lawful-access controls for web crawling, robots.txt or other machine-readable rights-reservation handling, rightsholder information channel, output-risk mitigation measures, and copyright complaint or takedown handling records. - Training-summary evidence: provider and authorised-representative details where relevant, versioned model names, model dependencies, date placed on the Union market, modalities, training-data size ranges, content types, latest acquisition or collection date, EU-language characteristics where applicable, public datasets, private third-party datasets, scraped online sources, synthetic data, other data sources, and processing aspects relevant to copyright and illegal-content removal. - Publication evidence: public summary URL, version history, update date, distribution-channel placement, and a check that the public summary is narrative, understandable, and not a dump of confidential technical detail. Sources for this answer: - [Regulation (EU) 2024/1689 - Article 53(1)(c) and 53(1)(d)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal source for the copyright-policy and public training-content summary obligations. - [GPAI Code of Practice - Copyright Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118115?ref=sorena.io) - Supports concrete copyright-policy controls such as assigned responsibilities, rights-reservation handling, and crawler transparency. - [European Commission - Public summary of training content template](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models?ref=sorena.io) - Supports the public training-content summary structure and the Commission's baseline for information to make public. ## 5. Add Article 55 records for systemic-risk GPAI models If the model is classified or designated as a GPAI model with systemic risk, Article 55 adds obligations on top of Articles 53 and 54. Keep these records in a separate systemic-risk annex so teams can see which controls apply only to systemic-risk models. The annex should cover model evaluation, documented adversarial testing, assessment and mitigation of Union-level systemic risks and their sources, serious-incident tracking and reporting, corrective measures, and adequate cybersecurity protection for the model and its physical infrastructure. - Systemic-risk testing file: evaluation strategy, criteria, metrics, results, limitations, internal and external adversarial testing where applicable, red-team records, model adaptation or alignment records, and sign-off on systemic-risk acceptance or mitigation. - Serious-incident file: start and end dates or best approximations, resulting harm and affected group, chain of events, model involved, available evidence of the model's involvement, provider response, recommendation to the AI Office or national competent authorities, root-cause analysis, and post-market monitoring patterns such as near misses. - Cybersecurity file: protection objectives, access controls for model weights and infrastructure, monitoring and response evidence, security testing, vulnerability handling, and records showing how the security level is adequate for the systemic-risk profile. Sources for this answer: - [Regulation (EU) 2024/1689 - Article 55](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal source for systemic-risk GPAI model obligations on evaluation, systemic-risk mitigation, incident reporting, and cybersecurity. - [GPAI Code of Practice - Safety and Security Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118119?ref=sorena.io) - Supports the systemic-risk management, evaluation, mitigation, security, and governance record structure for Article 55 models. - [European Commission - GPAI serious-incident reporting template](https://ec.europa.eu/newsroom/dae/redirection/document/121270?ref=sorena.io) - Supports the serious-incident report fields for GPAI models with systemic risk under Article 55(1)(c). ## 6. Evidence-pack closeout checklist Close the pack only when every required section has an owner, source, update trigger, and evidence location. The strongest pack separates authority-facing documentation, downstream-provider material, public summaries, and systemic-risk evidence instead of mixing all records into one policy document. Do not claim Article 55 readiness unless the model has been assessed against the systemic-risk obligations and the evidence pack includes the extra testing, incident, mitigation, and cybersecurity records. Do not claim open-source exemptions without documenting the licence, public availability of parameters and architecture information, and whether the model presents systemic risk. - Article 53 baseline complete: technical documentation, downstream-provider information, copyright policy, and public training-content summary are present and current. - Recipient markings complete: every record is marked as public, downstream-provider-facing, AI Office or national competent authority on-request, or internal confidential evidence. - Systemic-risk annex complete if applicable: classification or designation rationale, Article 55 evaluation and mitigation records, serious-incident workflow, and cybersecurity evidence. - Change controls complete: model release, modification, data-source, evaluation, incident, licence, public-summary, and downstream-documentation changes each have a named review owner. Sources for this answer: - [European Commission - The General-Purpose AI Code of Practice](https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai?ref=sorena.io) - Supports separating Transparency and Copyright obligations for all GPAI providers from Safety and Security obligations for systemic-risk GPAI providers. - [Regulation (EU) 2024/1689 - Articles 53 and 55](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal source for the baseline and systemic-risk evidence categories used in the closeout checklist. *Recommended next step* *Placement: before sources* ## Build a cited Article 53 and 55 GPAI evidence pack Sorena can help convert model, training-data, copyright, downstream-documentation, systemic-risk, incident, and cybersecurity records into a maintained EU AI Act evidence pack. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about GPAI provider obligations, model documentation, training summaries, copyright policy, and systemic-risk evidence. - [Talk through implementation](/contact.md): Review your GPAI model scope, Article 53 evidence gaps, and Article 55 systemic-risk records with Sorena. ## Primary sources - [Regulation (EU) 2024/1689 - EU AI Act](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal source for GPAI provider obligations in Article 53, systemic-risk obligations in Article 55, and Annex XI/XII documentation content. - Quote: "Obligations for providers of general-purpose AI models" - [European Commission - Guidelines for GPAI providers](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance page for interpreting the scope of GPAI provider obligations and provider-role analysis. - Quote: "general-purpose AI models" - [European Commission - The General-Purpose AI Code of Practice](https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai?ref=sorena.io) - Commission page explaining that the Code contains Transparency, Copyright, and Safety and Security chapters for demonstrating GPAI compliance. - Quote: "voluntary tool" - [GPAI Code of Practice - Transparency Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118120?ref=sorena.io) - Code chapter supporting technical documentation and downstream-provider information records, including the Model Documentation Form structure. - Quote: "Transparency Chapter" - [GPAI Code of Practice - Copyright Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118115?ref=sorena.io) - Code chapter supporting the copyright-policy evidence items under Article 53(1)(c). - Quote: "Copyright Chapter" - [European Commission - Public summary of training content template](https://digital-strategy.ec.europa.eu/en/library/explanatory-notice-and-template-public-summary-training-content-general-purpose-ai-models?ref=sorena.io) - Commission template and explanatory notice for the Article 53(1)(d) public summary of training content. - Quote: "Public Summary of Training Content" - [GPAI Code of Practice - Safety and Security Chapter](https://ec.europa.eu/newsroom/dae/redirection/document/118119?ref=sorena.io) - Code chapter supporting systemic-risk evaluation, mitigation, governance, and cybersecurity evidence for Article 55 models. - Quote: "Safety and Security" - [European Commission - GPAI serious-incident reporting template](https://ec.europa.eu/newsroom/dae/redirection/document/121270?ref=sorena.io) - Commission template for serious-incident reporting by providers of GPAI models with systemic risk under Article 55(1)(c). - Quote: "Report for Serious Incidents" ## Related Topic Guides - [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md): FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md): Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. - [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/artificial-intelligence-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification. - [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/artificial-intelligence-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records. - [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/artificial-intelligence-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions. - [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/artificial-intelligence-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use. - [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/artificial-intelligence-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties. - [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/artificial-intelligence-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties. - [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/artificial-intelligence-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement. - [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/artificial-intelligence-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning. - [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/artificial-intelligence-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. - [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence. - [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md): FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. - [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls. - [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/artificial-intelligence-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties. - [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/artificial-intelligence-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries. - [EU AI Act high-risk conformity assessment route selector](/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow.md): Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence. - [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/artificial-intelligence-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity. - [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/artificial-intelligence-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines. - [EU AI Act post-market monitoring and serious incident reporting](/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents.md): Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions. - [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring.md): Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. - [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries.md): FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. - [EU AI Act risk classification intake workflow](/artifacts/eu/artificial-intelligence-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers. - [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting. - [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/artificial-intelligence-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring. - [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/artificial-intelligence-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/artificial-intelligence-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations. - [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits. - [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits. - [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies.md): source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow