
What Is a GPAI Model? Articles 51–55 of the EU AI Act Explained

General-purpose AI models like GPT-4 and Claude face specific EU AI Act obligations distinct from the high-risk AI regime. This explainer breaks down what GPAI means, which models are covered, and what providers must do.

19 May 2026 · DILAIG

When the EU AI Act was finalised, legislators faced a problem that did not exist when early drafts were written: how to regulate large language models and other general-purpose AI systems that can perform an enormous range of tasks across countless contexts. The result was a dedicated GPAI (General-Purpose AI) chapter — Articles 51 to 55 of Regulation (EU) 2024/1689 — which creates obligations specifically for the developers of these foundational models, separate from and in addition to the high-risk AI framework.

Understanding the GPAI chapter is essential for any organisation developing or using large-scale AI models. This article explains the key concepts, who is covered, and what the obligations are.

Defining "General-Purpose AI Model"

Article 3(63) of the AI Act defines a general-purpose AI model as an AI model that is trained on large amounts of data using self-supervised learning at scale, displays significant generality, and is capable of competently performing a wide range of distinct tasks.

Three elements matter in this definition:

Training scale and self-supervised learning. Large language models (LLMs) trained on internet-scale text corpora fit squarely within this definition. Models trained on narrow, purpose-specific datasets for a single task do not.

Significant generality. A model that can be used in multiple different downstream applications — text generation, summarisation, translation, code generation, reasoning — exhibits significant generality. A model that performs only one function, regardless of its size, is not a GPAI model under the Act.

Distinct tasks. The model must be capable of competently performing multiple qualitatively different tasks, not just variations of a single task.

Practically: GPT-4, Claude, Gemini, Llama, Mistral, and comparable large-scale models are GPAI models. A highly capable but single-purpose model (a credit scoring model, a medical imaging classifier) is not.

Distinguishing GPAI Models from GPAI Systems

The AI Act makes a distinction between a GPAI model and a GPAI system. A GPAI model is the underlying model — the trained weights and architecture. A GPAI system is a system built on top of a GPAI model that is placed on the market and made available to end users.

This matters because obligations differ by role. Developers of the underlying GPAI model have obligations under Articles 53–55. Deployers who build applications on top of GPAI models through APIs also have obligations — but primarily under the high-risk AI provisions if their application qualifies as high-risk, or under Article 50 transparency obligations.

The Two Tiers of GPAI Model Obligations

The AI Act creates a two-tier system for GPAI obligations based on whether the model is considered to pose "systemic risk."

Tier 1: All GPAI Models (Article 53)

All providers of GPAI models placed on the EU market must:

  1. Draw up and maintain technical documentation describing the model architecture, training approach, training data characteristics (including volume and provenance), fine-tuning procedures, evaluation results, and intended use cases. The European AI Office specifies the required format.

  2. Draw up, maintain, and make available information and documentation to downstream providers who integrate the GPAI model into their own AI systems. This downstream documentation must be sufficient to enable downstream providers to comply with their own AI Act obligations.

  3. Establish a policy to comply with EU copyright law. GPAI training on copyright-protected content requires either a text and data mining exception under EU copyright law or a licence. Providers must maintain a policy addressing how they comply with copyright obligations in relation to training data.

  4. Publish a summary about the content used for training in sufficient detail to allow rights holders to exercise their rights under EU copyright law. This summary must be made publicly available.

These four obligations apply to all GPAI models — even those not classified as posing systemic risk. They apply from August 2025 (earlier than the general August 2026 high-risk deadline).

Tier 2: GPAI Models with Systemic Risk (Articles 51, 54–55)

A GPAI model poses systemic risk if it meets the threshold defined in Article 51 — currently, a model trained using computational resources exceeding 10^25 floating point operations (FLOPs). This threshold may be adjusted by the European Commission by delegated act as AI capabilities evolve.

Additionally, the European AI Office may classify a model as posing systemic risk based on a qualitative assessment of its capabilities, even if it falls below the FLOPs threshold.

As of mid-2026, models in this category include the largest versions of GPT-4, Claude Opus-level models, and Gemini Ultra-tier systems. Smaller open-weight models like Llama 3 70B are below the threshold.

Additional obligations for systemic risk GPAI models:

  1. Adversarial testing and red-teaming. Providers must perform model evaluation including adversarial testing to identify and mitigate systemic risks. Results must be provided to the European AI Office on request.

  2. Incident and near-miss reporting. Providers must report serious incidents and the corrective measures taken to the European AI Office. This is a post-market surveillance obligation running continuously after the model is released.

  3. Cybersecurity measures. Providers must put in place cybersecurity protections appropriate for the model's capabilities and deployment scale.

  4. Energy efficiency reporting. Providers must report the energy consumption of the model. This obligation reflects the AI Act's integration with EU climate and sustainability objectives.

The European AI Office

The GPAI chapter established the European AI Office as a new body within the European Commission. The AI Office has direct supervisory authority over GPAI model providers — unlike the rest of the AI Act, which is enforced by national market surveillance authorities.

The AI Office can:

  • Request technical documentation from GPAI model providers
  • Commission independent evaluations of GPAI models
  • Investigate systemic risk incidents
  • Issue warnings and take remedial action
  • Impose fines up to €15 million or 3% of global annual turnover for non-compliance with GPAI obligations, and up to €35 million or 7% for providing false information

The GPAI Code of Practice

Article 56 of the AI Act mandates the development of a Code of Practice for GPAI models to provide detailed guidance on how providers can demonstrate compliance with Articles 53–55. The European AI Office facilitates the code development with participation from AI providers, civil society, and researchers.

The first version of the GPAI Code of Practice was published by the AI Office in early 2025, with further iterations under development. Signing the Code of Practice and following it creates a rebuttable presumption of conformity with the underlying regulation — similar to how harmonised standards work for high-risk AI.

Providers who do not sign the Code of Practice must still comply with Articles 53–55, but without the benefit of the presumption of conformity.

Implications for Organisations Using GPAI Models

If you are not a GPAI model developer but you integrate GPAI models into your applications via APIs, the GPAI obligations in Articles 53–55 fall primarily on the model developer, not on you. However:

  • You may become a "provider" under the AI Act if you create a GPAI system (not just a model) and place it on the EU market.
  • If your application using a GPAI model qualifies as high-risk AI under Annex III, all high-risk AI obligations apply to you as provider of the downstream system.
  • You are entitled to receive documentation from the GPAI model developer under Article 53(1)(b) to enable your own compliance. If your GPAI API provider cannot supply this, that is itself a compliance gap on their side.

How DilAIg Helps

DilAIg's compliance audit covers the full AI Act obligation landscape, including the GPAI provisions. Whether you are a GPAI model developer or an organisation building applications on top of GPAI models, DilAIg generates the documentation needed for your specific role.

Start your free audit at dilaig.com and identify your GPAI-related obligations.


FAQ: GPAI Models Under the EU AI Act

Q: Does open-source GPAI model release change the obligations?

Partially. Article 53(2) provides that providers who release GPAI model weights publicly under open-source licences benefit from reduced documentation obligations — specifically, they only need to comply with requirements 3 and 4 (copyright policy and training summary), unless the model poses systemic risk. Models posing systemic risk must comply with all obligations regardless of whether the weights are open-sourced.

Q: What counts as "placing a GPAI model on the EU market"?

Providing access to a GPAI model via API to users in the EU constitutes placing it on the EU market, even if the provider is based outside the EU. The territorial scope follows users, not servers.

Q: Can a fine-tuned version of a GPAI model avoid GPAI obligations?

Fine-tuning does not change the underlying model's classification as a GPAI model. The entity that performs fine-tuning and places the model on the market becomes a provider of a new AI model — with its own obligations. The original GPAI provider's obligations regarding the base model are not transferred by fine-tuning.

Q: How does the 10^25 FLOPs threshold work in practice?

The threshold refers to the total floating-point operations used during training — a measure of the computational resources deployed. For context, GPT-4 is estimated to have been trained using between 10^24 and 10^25 FLOPs. Models exceeding 10^25 FLOPs are classified as posing systemic risk. Providers must self-assess and declare to the AI Office if their model meets this threshold.


Key Takeaways

  • GPAI models are defined by their training scale, generality, and multi-task capability — not by size alone.
  • All GPAI models on the EU market face four core obligations: technical documentation, downstream provider information, copyright policy, and training summary publication.
  • Models exceeding 10^25 FLOPs (or otherwise classified as posing systemic risk by the AI Office) face four additional obligations: adversarial testing, incident reporting, cybersecurity measures, and energy reporting.
  • The European AI Office — not national authorities — has direct supervisory jurisdiction over GPAI model providers.
  • Downstream API users are not GPAI providers, but may have high-risk AI obligations if their application qualifies as high-risk.
