The definition — Article 3(63)
An AI model qualifies as GPAI if it satisfies all three conjunctive elements: trained with a large amount of data, self-supervised at scale, displays significant generality with a wide range of distinct tasks. The legal definition is intentionally broad because the regulator wanted to catch frontier-scale models without naming any architecture.
What this excludes: narrow task-specific models (single-task classifiers, specialist forecasting models), small-scale academic models without significant generality, and models distributed exclusively for the personal-research carve-out under Article 2(8).
Tier 1: every GPAI provider — Articles 53 and 54
From Fontvera's obligations corpus (regulation = 'AI Act' AND article_number IN ('53', '54')), the seven Article 53 obligations and ten Article 54 obligations resolve to:
- Technical documentation of the model (Article 53(1)(a)) — training and testing process, evaluation results, content from Annex XI, kept up to date and made available to the AI Office and competent authorities on request.
- Downstream-information pack (Article 53(1)(b)) — sufficient information for AI system providers integrating the GPAI to understand its capabilities, limitations and intended use, and comply with their own obligations.
- Copyright policy (Article 53(1)(c)) — written policy to identify and comply with reservations of rights expressed under Article 4(3) of the DSM Directive (text and data mining opt-outs).
- Training-data summary (Article 53(1)(d)) — sufficiently detailed summary of content used for training, made publicly available, following a template provided by the AI Office.
- Cooperation with the Commission and national authorities (Article 53(3)).
- Authorised representative for non-EU providers (Article 54) — written mandate, EU-located, full obligation set on the representative including notice of mandate termination if the provider is non-compliant.
Tier 2: systemic-risk GPAI — Article 55
A model becomes systemic-risk under Article 51 if either:
- Its cumulative training compute exceeds 10²⁵ floating-point operations (FLOPS), presumed to be a high-impact-capability indicator (Article 51(2)). The threshold is reviewable by the Commission via delegated act.
- The Commission designates the model based on capabilities, reach, the number of registered EU business users, scalability, or scientific knowledge (Article 51(1)(b)).
Six obligations attach in Article 55 — every one in addition to Tier 1:
- Model evaluation in line with state-of-the-art protocols, including conducting and documenting adversarial testing to identify and mitigate systemic risks.
- Systemic risk assessment and mitigation at Union level — risks stemming from development, placing on the market, or use of the model.
- Incident tracking and reporting — track, document and report serious incidents and possible corrective measures to the AI Office and national competent authorities without undue delay.
- Cybersecurity — adequate level of cybersecurity protection for the model and the physical infrastructure of the model.
- Demonstration of alternative compliance if not adhering to an approved code of practice or harmonised European standard — burden of proof on the provider.
- Confidentiality of trade secrets obtained pursuant to the Article in line with Article 78 confidentiality obligations.
Source: Articles 51–55 of Regulation (EU) 2024/1689.
The open-source carve-out — and where it ends
Article 53(2) exempts open-source GPAI providers from the technical documentation duty in Article 53(1)(a) and the downstream-information duty in Article 53(1)(b), provided the model is released under a free and open-source licence with weights and architecture publicly available. The copyright policy at Article 53(1)(c) and the training-data summary at Article 53(1)(d) remain mandatory regardless of licence.
The hard ceiling: Article 53(2) does not apply to systemic-risk GPAI. A 50B-parameter open-weights model trained at frontier scale, once classified systemic-risk under Article 51, owes the full Article 55 obligation set. The licence does not protect against the ten-to-the-twenty-fifth threshold.
Fine-tuning — when does the fine-tuner become a provider?
Recital 109 and Article 25(1) interact here. A fine-tuner that substantially modifies the model — changing its capabilities, intended purpose, or making it suitable for use in high-risk Annex III categories — becomes a new provider for the modified model and inherits the full obligation set. Light fine-tuning for specific downstream tasks does not, in general, trigger new GPAI obligations, but the fine-tuner is still bound by the downstream-information requirements its base provider passed along under Article 53(1)(b).
The boundary is not crisp in primary text. The AI Office is mandated under Article 56 to draw up and approve codes of practice that will articulate practical thresholds — most published draft language treats fine-tuning compute above 1% of base-model compute as material.
Downstream provider duties — what GPAI obligations push to integrators
An AI system provider integrating a GPAI does not automatically inherit Article 53–55 obligations. But:
- Article 53(1)(b) requires the GPAI provider to hand the integrator sufficient documentation to enable the integrator's own compliance.
- If the resulting AI system is high-risk under Annex III, the integrator owes the Article 16 provider duties — risk management, technical documentation, post-market monitoring — in their own right.
- If the integrator deploys the high-risk system, Article 26 deployer duties apply.
The AI Act treats GPAI as horizontal; downstream high-risk obligations are vertical. Both can apply to the same model when integrated.
Real numbers Fontvera tracks
- 29 GPAI obligations across Articles 51–55 in Fontvera's structured corpus: 4 under Article 51, 2 under Article 52, 7 under Article 53, 10 under Article 54, 6 under Article 55.
- 743 AI Act obligations total — GPAI sits as one of three primary obligation clusters alongside Annex III high-risk and Article 5 prohibitions.
- 312,758 current EU regulatory documents — including AI Office working drafts on the GPAI Code of Practice and the training-data summary template — feed the GPAI graph.
Penalty exposure
All Article 53–55 obligations sit in Article 99(2) — Tier 2 — €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. Article 99(7) factor 4 (cooperation and mitigation) is decisive in practice; for systemic-risk GPAI providers, the AI Office can also issue requests for information, conduct evaluations, and require risk mitigation measures under Article 75 — non-cooperation here exposes the provider to Article 99(3) tier 3 penalties (€7.5M / 1.5%) on top.
What good looks like before 2 August 2026
- Calculate cumulative training compute with documented methodology. The 10²⁵ FLOPS threshold is the line that determines whether you owe Article 53–54 or also Article 55.
- Publish the training-data summary now (the obligation has been live since 2 August 2025). The AI Office template is the format expected; deviation requires alternative-compliance demonstration under Article 53(5).
- If open-source, audit the architecture publication — weights public is necessary, architecture description sufficient, and the carve-out evaporates if the model crosses Article 51 systemic-risk classification.
- Draft the downstream-information pack for AI system integrators in line with Annex XI Section 2 — failure to deliver here exposes you to Article 99(2) and exposes integrators to their own provider duties without the documentation they need.
- Track adversarial-testing protocols for systemic-risk models. The standard expected is the state-of-the-art at the time of evaluation, not the standard at first release.
Run your free AI Act compliance diagnostic
If your team builds, fine-tunes or distributes a GPAI model, the diagnostic returns whether Article 51 systemic-risk applies and which Article 53/54/55 obligations attach.