GPAI: obligations for general-purpose AI models under the EU AI Act

Compliance · 7 min read

Kees van der Vlies

Partner | IT Auditor


The EU AI Act has a separate category for general-purpose AI, GPAI for short. These are the broadly applicable models that form the basis for countless applications: the large language models behind tools like GPT, Claude, and Gemini, but also image generators and other foundation models. Since 2 August 2025, specific obligations apply to providers of these models. Anyone who provides such a model, or embeds it in their own product, needs to know what the regulation expects.

Why a separate category?

GPAI models do not fit well into the risk-based system that characterizes the rest of the AI Act. A language model is in itself neither high-risk nor low-risk: it depends entirely on the use. The same model can write a recipe or support medical triage. That is why the legislator created a separate set of obligations focused on the model itself, independent of the application.

The baseline obligations

Providers of GPAI models must draw up and maintain technical documentation so that regulators and customers understand what the model is, how it was trained, and what its capabilities and limitations are. In addition, they must make information available to parties that integrate the model into their own systems, so that those parties can in turn meet their obligations.

A third pillar concerns copyright. Providers must have a policy to respect EU copyright law, including the ability for rightsholders to object to the use of their work for training. And they must publish a sufficiently detailed summary of the data used for training. That transparency about training data is one of the most discussed parts of the regime.

Models with systemic risk

Additional requirements apply to the most capable models. A GPAI model with what is called systemic risk, typically the most capable models deployed at scale, must among other things conduct model evaluations, assess and mitigate systemic risks, report serious incidents, and ensure an adequate level of cybersecurity. This category is intended for the models whose impact, if they fail or are misused, is greatest.

The GPAI Code of Practice

To help providers meet these requirements, a GPAI Code of Practice was finalized in July 2025, drawn up by independent experts. This code of conduct is voluntary and consists of three parts: transparency, copyright, and safety and security. Signatories can use the code to demonstrate that they meet their obligations. It is not a replacement for the law, but a practical route to making compliance demonstrable.

What does this mean for organizations?

Most organizations do not build foundation models themselves. Yet GPAI does affect them. Anyone who integrates a GPAI model into their own product in many cases becomes a provider of an AI system with its own obligations, and depends on the information the model provider supplies. It pays to check, when selecting an AI vendor, whether it meets the GPAI requirements and whether it provides the documentation you need to be compliant yourself.

There is also the link to your own governance. An organization implementing ISO 42001 includes its dependence on GPAI vendors in its supplier assessment and risk analysis. The question is not only whether the model works well, but also whether the provider is transparent and compliant, because that partly determines whether you can be.

How Secure Audit can help

We help organizations assess the AI supply chain, determine their own position under the AI Act, and translate the information from GPAI providers into their own compliance and governance requirements. Contact us for an AI Act position assessment.

Frequently asked questions

What is a general-purpose AI model (GPAI)?

A broadly applicable AI model that forms the basis for countless applications, such as the large language models behind tools like GPT, Claude and Gemini, as well as image generators and other foundation models.

Since when do the GPAI obligations apply?

The specific obligations for providers of general-purpose AI models have applied since 2 August 2025 under the EU AI Act.

What should I do if I embed a GPAI model in my product?

In many cases you become a provider of an AI system with your own obligations, and you depend on the documentation the model provider supplies. When selecting an AI vendor, check whether it meets the GPAI requirements and provides the information you need to be compliant yourself.
