EU AI ActGPAIGeneral-purpose AIProviders

GPAI model obligations under the EU AI Act: Articles 53 and 55 explained

Published July 18, 2026 · 6 min read

General-purpose AI models, the large models behind chatbots and copilots, get their own chapter in the EU AI Act. If you provide one, or fine-tune one into your own, a specific set of duties applies. Here is what Articles 53 and 55 require, and when a smaller team actually falls in scope.

Who is a GPAI provider?

You are a provider of a general-purpose AI (GPAI) model if you develop one and place it on the market under your own name (Article 3(3)). Merely using a model does not make you its provider. But fine-tuning or materially modifying one can, with duties then limited to your modification (Recital 109). The Commission's July 2025 guidance treats a downstream fine-tuner as a new GPAI provider only when the compute for the modification exceeds about one-third of the original model's training compute (guidance, not the Regulation itself), so light fine-tuning generally keeps you a deployer.

The baseline duties: Article 53

Every GPAI provider has four obligations under Article 53(1):

  1. Technical documentation. Draw up and maintain documentation of the model, including its training and testing process and evaluation results (minimum content in Annex XI).
  2. Downstream information. Give the businesses that integrate your model into their systems the information and documentation they need to comply (Annex XII).
  3. A copyright policy. Put in place a policy to comply with EU copyright law, including honouring rights reservations (text-and-data-mining opt-outs) under the Copyright Directive.
  4. A training-content summary. Publish a sufficiently detailed summary of the content used to train the model, using the AI Office's template.

Open-source models: a partial exemption

Models released under a free and open-source licence, with parameters, weights, architecture and usage publicly available, are exempt from the technical-documentation and downstream-information duties (Article 53(2)). But the copyright policy and training-content summary still apply, and the exemption does not apply at all to systemic-risk models.

Systemic-risk models: Article 55

A GPAI model is presumed to carry systemic risk when the cumulative compute used to train it exceeds 10^25 floating-point operations (Article 51(2)), a rebuttable presumption, or when the Commission designates it. Only the largest frontier models reach this. If yours does, Article 55 adds four heavier duties:

  • model evaluation, including documented adversarial testing (red-teaming);
  • assessing and mitigating systemic risks at EU level;
  • tracking and reporting serious incidents to the AI Office without undue delay;
  • ensuring an adequate level of cybersecurity for the model and its infrastructure.

The Code of Practice route

Until harmonised standards exist, the GPAI Code of Practice (Article 56) is a voluntary way to demonstrate compliance. Providers of non-systemic-risk models can limit their adherence to the Article 53 duties. Signing up gives you a recognised path to show you meet the obligations.

Deadlines and enforcement

GPAI obligations have applied since 2 August 2025. The Commission's power to fine GPAI providers, up to EUR 15M or 3% of worldwide turnover, whichever is higher, under Article 101, applies from 2 August 2026. See what EU SMEs risk for the penalty detail.

Where to start

If you fine-tune or ship models, map your role first. The free EU AI Act Snapshot flags whether you are likely a provider or a deployer, and our 9-step compliance checklist covers the documentation trail. If you also use generative AI in your product, see our generative AI transparency guide. Plans start at EUR 0.

Related guides