GPAI Provider Duties Under the EU AI Act

TL;DR — Under [the EU AI Act][1], general-purpose AI (GPAI) providers must comply with transparency and documentation requirements, including risk assessments, technical documentation, and information provision to downstream users and regulators. High-impact GPAI systems face stricter obligations, including systemic risk assessment and mitigation measures. Providers must also follow applicable codes of practice, such as those governing [marking and labelling of AI-generated content][3].

What are the core transparency obligations for GPAI providers?

GPAI providers must make technical documentation available, maintain records of training data, and provide clear information to deployers about model capabilities and limitations. These measures enable downstream users to understand and safely integrate the model into their own applications. Documentation should be proportionate to the model's complexity and intended use.

Which GPAI systems face heightened obligations?

[High-impact GPAI models][1] — those with significant systemic risks — must undergo more rigorous assessment. Providers of these models must conduct and document systemic risk evaluations, implement appropriate risk mitigation measures, and notify the relevant authorities of identified risks. This tiered approach targets oversight where potential harms are greatest.

What role do codes of practice play in GPAI compliance?

[The Commission has published a Code of Practice on marking and labelling AI-generated content][3], which GPAI providers should follow to enhance transparency. Industry-led codes complement mandatory legal requirements and help establish best practices for responsible AI deployment across the EU.

Must GPAI providers monitor how their models are used downstream?

Yes. Providers must establish monitoring systems to detect misuse and maintain mechanisms for information-sharing with authorities and other stakeholders. This ongoing oversight helps identify emerging risks and supports rapid responses to harmful applications.

When do these obligations take effect?

The [EU AI Act][1] entered into force on 1 August 2024 and applies in phases: prohibitions on unacceptable-risk systems from 2 February 2025, obligations for general-purpose AI (GPAI) providers from 2 August 2025, and most high-risk-system obligations from 2 August 2026 (a limited set from 2 August 2027). Check the regulation for the deadline that applies to your model.

Frequently Asked Questions

Q: Are all AI model providers considered GPAI providers?
A: No. The [EU AI Act][1] defines GPAI narrowly as models trained on broad data that can be adapted for a wide range of downstream tasks. Purpose-built or task-specific models are not classified as GPAI and have different compliance pathways.

Q: What happens if a GPAI provider fails to comply?
A: The [EU AI Act][1] establishes administrative fines and corrective measures enforced by national competent authorities. Non-compliance can result in significant penalties, suspension of model deployment, and reputational damage.

Q: Do GPAI providers need to monitor all end-uses of their models?
A: Providers must have reasonable monitoring and response mechanisms in place, but practical monitoring is proportionate to the provider's control and visibility. Deployers and end-users also bear responsibility for lawful use.

Q: Can GPAI providers rely on contractual clauses to transfer compliance responsibility?
A: While contracts can allocate responsibilities between providers and deployers, GPAI providers cannot entirely escape their statutory obligations under [the EU AI Act][1]. Both parties typically share accountability for different aspects of compliance.

Q: Is the Code of Practice on AI-generated content mandatory?
A: [The Code of Practice][3] is a voluntary industry standard that complements mandatory law. However, adoption is expected, and non-compliance may be considered evidence of failure to meet legal transparency obligations.

Sources

[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 September 2024 laying down harmonised rules on artificial intelligence. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689

[2] European Parliament Press Release: Artificial intelligence: press conference on simplification measures (15 June 2026). https://www.europarl.eu/news/en/press-room/20260615IPR45412/

[3] European Commission Digital Strategy: Commission publishes Code of Practice on marking and labelling AI-generated content. https://digital-strategy.ec.europa.eu/en/news/commission-publishes-code-practice-marking-and-labelling-ai-generated-content

[4] European Commission Digital Strategy: Info session — Code of practice for transparency of AI-generated content & signature process. https://digital-strategy.ec.europa.eu/en/events/info-session-code-practice-transparency-ai-generated-content-signature-process

---

This article is informational and does not constitute legal advice. Consult qualified counsel for your specific situation.