The EU AI Act and Generative AI: Who Is Responsible for What?

Generative AI — large language models that produce text, images, code, and audio — has reshaped the AI landscape faster than any previous technology wave. It has also reshaped the EU AI Act compliance picture in ways that were not fully anticipated when the regulation's drafting began. Understanding who is responsible for what under the AI Act when it comes to ChatGPT, Mistral, Claude, and similar systems requires disentangling several layers of responsibility.

This article maps the EU AI Act obligations across the generative AI value chain: from foundational model developers to platform providers to enterprise deployers.

The Generative AI Value Chain

Generative AI does not typically reach end users as a single product. It travels through a multi-layer value chain:

Layer 1 — Foundation model developer: OpenAI (GPT-4, ChatGPT), Anthropic (Claude), Google (Gemini), Mistral AI (Mistral/Mixtral), Meta (Llama). These organisations train the underlying model and make it available either directly or via API.

Layer 2 — Platform and system providers: Organisations that take the foundational model and build a specific product or system on top of it — a customer service chatbot, a document analysis tool, a coding assistant, a legal research platform. They may use the model's API and add their own prompting, fine-tuning, guardrails, and interface.

Layer 3 — Enterprise deployers: Organisations that deploy a third-party AI product (a chatbot platform, an AI writing tool, a customer interaction system) in their own operations.

Layer 4 — End users: Individual consumers or employees who interact with the system.

The AI Act assigns obligations at each layer, but in different ways.

Layer 1: Foundation Model Developers — GPAI Obligations

ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google), Mistral, and Llama (Meta) all meet the definition of a general-purpose AI model under Article 3(63) of the AI Act. They are trained at scale on vast datasets, display significant generality, and perform multiple distinct tasks.

This means their developers face the GPAI obligations under Articles 53–55, which have applied since August 2025.

For all GPAI model developers:

Technical documentation covering architecture, training data, performance evaluation, and intended use cases
Information to downstream providers (APIs users) enabling their compliance
Copyright compliance policy for training data
Published summary of training data content

For developers of models with systemic risk (exceeding 10^25 FLOPs training compute):

Adversarial testing and red-teaming with results available to the EU AI Office
Incident and near-miss reporting to the EU AI Office
Cybersecurity measures appropriate to model capabilities
Energy efficiency reporting

As of mid-2026, OpenAI, Google, and Anthropic have all engaged with the GPAI Code of Practice process. Mistral AI, as a European company with both open and closed model offerings, navigates a more complex position — its open-weight models benefit from Article 53(2) reduced obligations, while its closed API products face the full GPAI obligation set.

Meta's Llama models, released under open-source-style licences, benefit from the open-weight model exception for the reduced documentation obligations, provided they do not meet the systemic risk threshold.

Layer 2: Platform and System Providers — The Most Complex Position

Organisations that build products and systems on top of generative AI foundation models occupy the most legally complex position in the EU AI Act framework.

They are not GPAI model developers — they did not train the foundational model and are not responsible for the GPAI obligations.

But they may be providers of high-risk AI systems. If the system they build using the foundation model falls within Annex III high-risk categories, they are the provider of that high-risk AI system and face the full suite of Articles 9–17 provider obligations.

Consider a company that builds a CV screening tool using the GPT API. The tool uses the foundation model's capabilities to analyse CVs and rank candidates. The company is:

Not responsible for OpenAI's GPAI obligations
Fully responsible as the provider of a high-risk AI system in the employment category (Annex III §4) — risk management, technical documentation, conformity assessment, CE marking, EU database registration, and all other high-risk obligations apply

This layered responsibility is one of the most misunderstood aspects of the EU AI Act for generative AI. Using an API does not transfer the downstream provider's compliance obligations to the foundation model developer.

Article 25 reinforces this clearly: when downstream providers substantially modify a GPAI model or build a system that qualifies as high-risk, they bear provider obligations for that system.

Layer 3: Enterprise Deployers — Article 26 Obligations

Enterprises that deploy AI systems built on generative models are deployers in the AI Act framework, subject to Article 26 obligations if the system is high-risk, or Article 50 transparency obligations if the system is limited-risk (e.g., a customer-facing chatbot).

For high-risk deployers:

Use the system in accordance with the provider's instructions for use
Assign a human oversight person with appropriate authority
Monitor for unexpected or anomalous outputs
Notify the provider of issues discovered
Conduct a FRIA if the deployer is a public body or public interest service provider
Inform affected individuals when AI is used in decisions about them

For chatbots and AI interaction systems (Article 50): Any AI system deployed for direct interaction with humans must disclose that it is AI. This applies to customer service chatbots, virtual assistants, and AI-powered support tools built on generative models. The obligation is on the deployer (the company operating the chatbot) not only on the foundation model developer.

The Transparency Obligation for Deepfakes and Synthetic Content

Article 50(4) imposes a specific obligation relevant to generative AI: providers and deployers of AI systems that generate synthetic audio, video, image, or text content must ensure the output is labelled as AI-generated. This applies to text-to-image tools, AI voice generators, synthetic video platforms, and AI writing assistants deployed for mass content generation.

The labelling must be machine-readable (metadata) and, in some cases, human-readable. The European AI Office is developing technical standards for AI-generated content labelling.

Responsibility When Things Go Wrong

One of the most practically important questions for generative AI is: who is liable when a generative AI system produces harmful outputs?

The AI Act itself focuses on compliance obligations, not civil liability — the AI Liability Directive, still under development as of mid-2026, addresses civil liability more directly. However, the AI Act's enforcement structure is clear:

If a foundation model developer fails to meet GPAI obligations, the AI Office can take action against them
If a platform provider builds a high-risk system without completing conformity assessment, national market surveillance authorities can act against the platform provider
If an enterprise deployer uses a system in violation of Article 26, national authorities can act against the deployer

Importantly, a deployer cannot escape liability by pointing to the foundation model — if the deployer's system is high-risk, the deployer is responsible for ensuring the system they deploy is compliant. Due diligence requires verifying that the foundation model provider has met their GPAI obligations and that the intermediate system provider has completed any required conformity assessment.

Open-Weight Models: A Special Case

Mistral's open-weight models, Meta's Llama models, and other open-source generative AI systems create a specific compliance challenge. When open-weight models are released publicly, any organisation can download and deploy them. This means:

The original developer may have reduced GPAI obligations under Article 53(2)
Any organisation that fine-tunes and deploys the model becomes a provider of the resulting AI system
If the resulting system falls within Annex III, that organisation must complete a conformity assessment as provider

Fine-tuning an open-weight Llama model to build a hiring AI tool, for example, makes your organisation the provider of that high-risk AI system. The existence of an open-weight foundation model does not reduce your compliance obligations as the entity deploying it.

How DilAIg Helps

Whether you are an enterprise deployer building on a generative AI API, a platform provider creating a downstream AI product, or a compliance officer trying to understand your organisation's position in the generative AI value chain, DilAIg's audit process maps your specific obligations and generates the required documentation.

Start your free audit at dilaig.com and clarify your generative AI compliance position.

FAQ: EU AI Act and Generative AI

Q: Does ChatGPT comply with the EU AI Act? OpenAI has engaged with the GPAI Code of Practice process and has published information about its compliance approach. Achieving full legal compliance with all GPAI obligations requires meeting the four core Article 53 requirements plus — given GPT-4's training scale — the five additional systemic risk obligations. Whether any specific version of ChatGPT or the underlying models fully satisfy all obligations is a question for OpenAI's public disclosures and the EU AI Office's ongoing supervisory process.

Q: Can a small company use ChatGPT's API without any EU AI Act compliance obligations? Not without any obligations. If you use the ChatGPT API to build a system you deploy to others or use in your own operations:

If the resulting system is high-risk (Annex III), you are a provider of a high-risk AI system with full Articles 9–17 obligations
If the system interacts directly with customers, the Article 50 AI disclosure obligation applies to you as deployer
Purely internal use with no third-party deployment and no Annex III use case has the lowest compliance burden, but does not mean zero obligations

Q: Is Mistral AI's compliance position different from OpenAI's or Anthropic's? Yes. Mistral has both open-weight models (reduced GPAI obligations under Article 53(2)) and closed API models (full GPAI obligations). Its position as a European company (headquartered in Paris) means it operates under French national market surveillance jurisdiction for its domestic activities, but the EU AI Office has jurisdiction for GPAI obligations across all EU-based providers.

Q: What about AI-generated images used in marketing? If you are using an AI image generator (Midjourney, DALL-E, Stable Diffusion) for commercial marketing content, the Article 50(4) labelling obligation applies to the synthetic images where they could reasonably be mistaken for real photographs. This is a deployer obligation — your organisation is responsible for labelling the AI-generated content you publish.

Key Takeaways

ChatGPT, Claude, Gemini, Mistral, and Llama are GPAI models subject to Articles 53–55, with the largest (GPT-4-scale and above) facing additional systemic risk obligations.
Platform providers who build high-risk AI applications on top of GPAI APIs are providers of those high-risk systems and must complete conformity assessment — they cannot rely on the foundation model developer's GPAI compliance.
Enterprise deployers using generative AI tools face Article 26 deployer obligations for high-risk systems and Article 50 transparency obligations for chatbots and customer-facing AI.
Fine-tuning and deploying open-weight models creates provider obligations for the deploying organisation.
AI-generated content deployed for public or commercial use must be labelled under Article 50(4).