GPAI model obligations under the EU AI Act: Articles 53 and 55 explained
Published July 18, 2026 · 6 min read
General-purpose AI models, the large models behind chatbots and copilots, get their own chapter in the EU AI Act. If you provide one, or fine-tune one into your own, a specific set of duties applies. Here is what Articles 53 and 55 require, and when a smaller team actually falls in scope.
Who is a GPAI provider?
You are a provider of a general-purpose AI (GPAI) model if you develop one and place it on the market under your own name (Article 3(3)). Merely using a model does not make you its provider. But fine-tuning or materially modifying one can, with duties then limited to your modification (Recital 109). The Commission's July 2025 guidance treats a downstream fine-tuner as a new GPAI provider only when the compute for the modification exceeds about one-third of the original model's training compute (guidance, not the Regulation itself), so light fine-tuning generally keeps you a deployer.
The baseline duties: Article 53
Every GPAI provider has four obligations under Article 53(1):
- Technical documentation. Draw up and maintain documentation of the model, including its training and testing process and evaluation results (minimum content in Annex XI).
- Downstream information. Give the businesses that integrate your model into their systems the information and documentation they need to comply (Annex XII).
- A copyright policy. Put in place a policy to comply with EU copyright law, including honouring rights reservations (text-and-data-mining opt-outs) under the Copyright Directive.
- A training-content summary. Publish a sufficiently detailed summary of the content used to train the model, using the AI Office's template.
Open-source models: a partial exemption
Models released under a free and open-source licence, with parameters, weights, architecture and usage publicly available, are exempt from the technical-documentation and downstream-information duties (Article 53(2)). But the copyright policy and training-content summary still apply, and the exemption does not apply at all to systemic-risk models.
Systemic-risk models: Article 55
A GPAI model is presumed to carry systemic risk when the cumulative compute used to train it exceeds 10^25 floating-point operations (Article 51(2)), a rebuttable presumption, or when the Commission designates it. Only the largest frontier models reach this. If yours does, Article 55 adds four heavier duties:
- model evaluation, including documented adversarial testing (red-teaming);
- assessing and mitigating systemic risks at EU level;
- tracking and reporting serious incidents to the AI Office without undue delay;
- ensuring an adequate level of cybersecurity for the model and its infrastructure.
The Code of Practice route
Until harmonised standards exist, the GPAI Code of Practice (Article 56) is a voluntary way to demonstrate compliance. Providers of non-systemic-risk models can limit their adherence to the Article 53 duties. Signing up gives you a recognised path to show you meet the obligations.
Deadlines and enforcement
GPAI obligations have applied since 2 August 2025. The Commission's power to fine GPAI providers, up to EUR 15M or 3% of worldwide turnover, whichever is higher, under Article 101, applies from 2 August 2026. See what EU SMEs risk for the penalty detail.
Where to start
If you fine-tune or ship models, map your role first. The free EU AI Act Snapshot flags whether you are likely a provider or a deployer, and our 9-step compliance checklist covers the documentation trail. If you also use generative AI in your product, see our generative AI transparency guide. Plans start at EUR 0.