General-purpose AI. What providers and deployers must do.

A general-purpose AI model is one with significant generality that can perform a wide range of distinct tasks and can be integrated into a variety of downstream systems or applications (Art. 3(63) AI Act). In practice this covers all major foundation models: GPT-4, Claude, Gemini, Llama, Mistral, Cohere, and similar large language and multimodal models. The Act distinguishes between (a) baseline GPAI obligations under Art. 53 (model card, training data summary, copyright policy, EU declaration) and (b) GPAI with systemic risk under Art. 55 (additional model evaluation, adversarial testing, incident reporting, cybersecurity).

Two pathways. (1) Quantitative threshold (Art. 51(2)): a GPAI model is presumed to have systemic risk when the cumulative training compute exceeds 10^25 floating-point operations (FLOPs). As of 2026 only the very largest models cross this — GPT-4 class and above. (2) Qualitative designation (Art. 51(1)(a)): the Commission can designate a GPAI as systemic risk based on impact on the EU market, even below the FLOP threshold. The list of designated systemic-risk models is published in the EU AI Database and updated periodically.

Baseline GPAI (Art. 53): publish a model card, publish a sufficiently detailed summary of training data, implement a copyright policy compliant with the EU Copyright Directive (in particular Art. 4(3) opt-out mechanism), provide documentation to downstream integrators, designate an EU representative if outside the EU. Systemic-risk GPAI (Art. 55): additionally — perform model evaluation including adversarial testing, assess and mitigate systemic risks, document and report serious incidents to the AI Office and competent authorities, ensure adequate cybersecurity for the model and its physical infrastructure.

The Code of Practice (Art. 56 AI Act) is an industry self-regulation framework that GPAI providers can sign up to in order to demonstrate compliance with Art. 53 and 55 obligations. Drafted by the AI Office in collaboration with model providers, civil society, and academia, with a final version expected mid-2026. Signing the Code is voluntary but provides regulatory clarity — non-signers must demonstrate compliance through alternative documented means. Major providers (OpenAI, Anthropic, Google, Microsoft, Meta) have publicly engaged with the drafting process.

Direct GPAI obligations apply to model providers, not deployers. But deployers using GPAI in their own AI systems become providers of those downstream systems — and inherit AI Act obligations for those. Practical implications: (1) verify your GPAI provider's Art. 53 documentation (model card, training data summary, copyright policy) and store copies, (2) for systemic-risk GPAI, request their Art. 55 incident reports and risk evaluations, (3) document your own use case in the AI BOM and your AIMS, (4) for high-risk downstream applications, complete your own AI Act conformity assessment using the GPAI provider's documentation as supporting evidence.

GPAI obligations under Art. 51-55 apply from 2 August 2025 — earlier than the high-risk obligations (Aug 2026). Models placed on the market before that date have until 2 August 2027 to comply (Art. 111). The AI Office (within the European Commission) leads enforcement, with national authorities cooperating. The first wave of GPAI model evaluations and code-of-practice negotiations is happening now (2025-2026). Penalties for GPAI non-compliance under Art. 101: up to EUR 15 million or 3 percent of global annual turnover.