GPAI Compliance: How Our Tool Helps You Document Your Obligations (Articles 51–55)
Since August 2025, GPAI model providers face specific EU AI Act obligations. Find out how DILAIG automates GPAI documentation — technical, copyright, downstream — and cuts weeks off your compliance timeline.
Last updated: July 2026 · Reading time: 7 minutes
The EU AI Act's GPAI obligations came into force on 2 August 2025. If you develop a general-purpose AI model — a large language model, a multimodal foundation model, or any model capable of being integrated into multiple downstream applications — you are affected. And if your model exceeds the systemic risk threshold (10²⁵ FLOPs), your obligations are even more extensive.
The challenge for most teams: the GPAI obligations are spread across several articles (51 to 55), two tiers (standard and systemic risk), technical annexes (XI and XII), and a GPAI Code of Practice whose guidelines continue to evolve. The required documentation is substantial and demands coordination between technical, legal, and data teams.
DILAIG automates most of this work.
What the AI Act requires of GPAI providers
Before talking about the tool, a quick overview of the obligations. The AI Act distinguishes two tiers:
Tier 1: All GPAI providers (Article 53)
Every provider of a GPAI model placed on the EU market must produce and maintain:
- Technical documentation (Annex XI): architecture, training data, methods, evaluation results, known limitations
- Downstream documentation (Annex XII): information sufficient for downstream integrators to understand what your model can and cannot do, enabling them to comply with their own AI Act obligations
- Copyright compliance policy: how you handle rights reservations and opt-outs in training data
- Public training data summary: a sufficiently detailed summary for rights holders to exercise their rights — vague formulations like "public internet data" are insufficient according to the AI Office
Open-source providers are exempt from obligations 1 and 2, unless their model is also classified as posing systemic risk.
Tier 2: Systemic risk models (Articles 51 and 55)
Beyond 10²⁵ FLOPs of training compute, additional obligations apply:
- Adversarial testing and red-teaming following standardised protocols
- Incident monitoring and reporting to the AI Office
- Cybersecurity measures proportionate to identified systemic risks
- Notification to the European Commission within two weeks of reaching or expecting to reach the threshold
What the DILAIG tool does for GPAI providers
1. Automatic classification
The tool starts by qualifying your model: is it a GPAI within the meaning of Article 3(63)? Are you a provider, a distributor, or both? Is your model open source or proprietary?
This classification determines exactly which obligations apply to your situation — no more, no less. Many organisations either overestimate their obligations (thinking open source doesn't exempt them) or underestimate them (thinking that making a model available via API only doesn't trigger downstream documentation requirements).
2. Technical documentation generation (Annex XI)
The tool generates a structured technical documentation template pre-filled from the information you provide. The template is organised according to the Annex XI sections:
- Provider identity and general model information
- Architecture description and design choices
- Training data description (sources, volumes, filters)
- Performance evaluations and benchmarks
- Identified limitations and foreseeable misuse scenarios
- Instructions for appropriate use
You don't write documentation from scratch. You answer structured questions and the tool produces the document compliant with Annex XI.
3. Downstream documentation generation (Annex XII)
Downstream documentation is distinct from internal technical documentation. It is designed to be shared with integrators — companies building applications on top of your model via API or licence.
The tool generates this documentation separately, focusing on what an integrator needs to know to comply with their own AI Act obligations: model capabilities, limitations, discouraged use cases, relevant safety test results.
Intellectual property rights are protected: downstream documentation does not require disclosing your full training pipeline.
4. Copyright compliance policy template
The tool generates a copyright policy template adapted to your situation — based on the nature of your training data (web crawling, licensed datasets, synthetic data, or a combination). The policy must be operational, not merely declaratory: it must describe how you identify and respect rights reservations.
5. Public training data summary template
The public summary is a distinct obligation that is often overlooked. The tool generates a structured template meeting the level of detail the AI Office expects while preserving the confidentiality of proprietary information.
6. Ongoing compliance checklist
GPAI compliance is not a one-time event. Technical documentation must be kept up to date, incidents reported, and for systemic risk models, adversarial testing conducted on an ongoing basis. The tool generates a governance checklist tailored to your obligation level.
How long does it take?
For a Tier 1 GPAI provider with existing internal documentation on their model, generating the full set of required documentation (Annex XI + XII + copyright policy + public summary) takes between 3 and 5 hours with the tool, versus several weeks starting from scratch.
For a Tier 2 provider (systemic risk), the work is more substantial — the tool covers documentation, but adversarial testing and setting up an incident monitoring system require internal or external technical resources.
What the tool does not cover
- The tool generates documentation — it does not conduct the adversarial testing required for systemic risk models
- It does not guarantee automatic compliance with the GPAI Code of Practice (whose guidelines continue to evolve)
- It does not substitute for legal advice in complex cases (co-developed models, open-source models with proprietary components, etc.)
FAQ
My model is accessible only via API, not for download. Am I a GPAI provider under the AI Act? Yes. Making a model available via API is a form of placing it on the market under the regulation. Article 53 obligations apply.
My model is open source. Am I exempt? Providers publishing under free licences are exempt from the technical documentation (Annex XI) and downstream documentation (Annex XII) obligations. The copyright compliance policy and public training data summary obligations still apply. And if your open-source model reaches the systemic risk threshold, all Tier 2 obligations apply as well.
How do I know if my model exceeds the systemic risk threshold? The current threshold is 10²⁵ FLOPs of cumulative training compute. If you're unsure, the tool helps you estimate your position relative to this threshold based on the information you provide about your training infrastructure.
Do the GPAI obligations apply to models developed before August 2025? Yes, for models still placed on the market after that date. If you continue to offer a model via API or licence, the obligations apply.
Get started
→ Start your GPAI compliance audit
Free for initial classification. Full documentation generation is included in paid plans.
See all features → · Pricing →
Further reading
Take action
Is your AI system compliant?
Free audit in 20 minutes. Detailed report, no commitment.
Start the audit →Keep reading
Practical guides, regulatory analysis, DILAIG news.