GPAI Provider Duties Under The EU AI Act
GPAI Provider Duties Under the EU AI Act
TL;DR — [General-purpose AI (GPAI) providers][1] must comply with transparency, documentation, and risk management obligations under the EU AI Act from July 2026. Key duties include: publishing detailed summaries of training data and energy use; implementing safeguards against misuse; responding to regulators; and ensuring downstream compliance monitoring. Providers of high-impact GPAI models face stricter obligations including systemic risk assessments and red-teaming.
What is a GPAI provider under the EU AI Act?
A GPAI provider is an organisation that develops and releases [general-purpose AI models][1]—AI systems designed to perform a wide range of tasks with minimal task-specific fine-tuning. Under [EU Regulation 2024/1689][1], GPAI providers become directly liable for compliance once the regulation's Chapter 3 obligations take effect on 1 July 2026.
What are the core transparency obligations for GPAI providers?
[GPAI providers must publish accessible summaries][1] of:
- Training data characteristics – sufficient detail to enable downstream compliance
- Energy consumption during training
- Architecture and capabilities relevant to systemic risk
These summaries must be made available before or simultaneously with release and updated when material changes occur. The aim is to equip deployers and regulators with baseline information to assess risk and ensure compliance downstream.
What documentation must GPAI providers maintain?
[Providers must keep records demonstrating compliance][1] with:
- Transparency and summary publication
- Implementation of safeguards against misuse
- Response to regulator requests and instructions
- Monitoring of known serious incidents and malfunctions
Documentation must be retained for the operational lifetime of the model and made available to competent authorities upon request.
What safeguards against misuse are required?
[GPAI providers must implement technical and organisational safeguards][1] appropriate to the risk profile, including:
- Monitoring and reporting known serious incidents (e.g., illegal activity enabled by the model)
- Access controls and security measures
- Usage policies and enforcement mechanisms
- Incident reporting to relevant authorities where required
The standard is proportionate to actual and foreseeable misuse risks.
What are "high-impact GPAI models"?
[High-impact GPAI models][1] are those that pose systemic risks due to their capabilities and reach. Providers of such models face enhanced obligations:
- Systemic risk assessment – evaluate risks to public health, safety, security, and democratic processes
- Risk mitigation measures – implement controls commensurate with identified risks
- Red-teaming and adversarial testing – document efforts to identify and address failure modes
- Incident reporting to the AI Office – report serious incidents causing actual harm
The EU AI Office will publish criteria and thresholds for determining high-impact status.
What are GPAI providers' obligations to regulators?
[GPAI providers must][1]:
- Respond to authority requests for information, documentation, or clarification within a reasonable timeframe (typically 30 days)
- Comply with instructions from competent authorities to mitigate identified risks
- Grant access to competent authorities for testing, inspection, and assessment of compliance
- Notify authorities of serious incidents or malfunctions without undue delay
Failure to cooperate is itself an infringement subject to penalties.
Do GPAI providers have to monitor downstream use?
[While primary responsibility for specific-use compliance rests with deployers][1], GPAI providers must:
- Make transparency information available to support downstream compliance
- Monitor known serious incidents involving their models
- Respond when regulators identify risks in downstream applications
- Implement safeguards to prevent obvious foreseeable misuse
Providers are not liable for all downstream harms, but must act responsibly when risks materialise.
What are the compliance timelines?
- 1 July 2026 – General obligations (Articles 13–15) apply to all GPAI providers
- Earlier for high-impact models – Enhanced requirements (Articles 16–17) may apply sooner if the AI Office designates models as high-impact
- Transition period – Models released before 1 July 2026 must comply from release; no retrofit period
Organisations already offering GPAI models must assess their obligations immediately.
What happens if a GPAI provider fails to comply?
[Non-compliance is enforceable by member states' competent authorities][1]. Penalties include:
- Administrative fines – up to 3% of global turnover for failure to cooperate or comply with instructions
- Up to 6% of global turnover for material violations of core transparency and safeguard obligations
- Suspension or restrictions on market access in severe cases
- Liability for downstream harms if provider negligence contributed
Early compliance reduces enforcement risk.
Frequently asked questions
Q: Does my small AI startup have to comply if we release a GPAI model?
A: Yes. [Obligations apply to all GPAI providers regardless of size][1]. However, safeguard and assessment requirements should be proportionate to risk. Consider legal counsel to scope your specific obligations.
Q: Can we comply by publishing only a short model card?
A: No. [Summaries must be detailed enough to support downstream compliance assessment][1]. A minimal model card is unlikely to satisfy requirements. Engage with the AI Office guidance on "sufficient detail."
Q: What if we release a model as open-source?
A: [Open-source release does not exempt providers from core obligations][1]. Transparency summaries, safeguards against misuse, and incident monitoring still apply. Consider licensing restrictions if misuse risk is significant.
Q: Who is a "deployer" responsible for checking our transparency information?
A: Deployers are organisations that use or integrate your GPAI model into products or services. They must understand your summaries to assess risks in their use case. Your duty is to provide clear, sufficient information; theirs is to act on it.
Q: Do we need to conduct red-teaming before release?
A: [Red-teaming is mandatory only for high-impact GPAI models designated by the AI Office][1]. For standard GPAI, document reasonable efforts to identify failure modes. Maintain records.
Q: What should we do if a serious incident occurs?
A: [Report immediately to the competent authority in the member state where harm occurred, then the AI Office if systemic][1]. Document the incident, your response, and mitigation measures. Inform affected deployers and users.
Sources
[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 September 2024 laying down harmonised rules on artificial intelligence (EU AI Act) — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
This article is informational and does not constitute legal advice. Consult qualified counsel for your specific situation.