GPAI Provider Obligations from Aug 2, 2026: What Really Applies

April 27, 2026· Category: EU AI Act· As of: 2026-05-02· Reading time: ~7 min

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

GPAI Provider obligations from Aug 2, 2026 — Art. 53-55 EU AI Act
Baseline obligations: technical documentation (Annex XI), training-data summary, copyright policy
Systemic-risk models (above 10^25 FLOPs cumulative training compute): plus security audits and adversarial testing
Code of Practice serves as compliance presumption — signed by approximately 90% of GPAI Providers
Fines: up to 15M EUR / 3% global revenue
SMEs are usually Deployers, not Providers — relevant only with significant fine-tuning or rebranding

1. Who qualifies as a GPAI Provider?

Art. 3(63) EU AI Act: a GPAI model is trained on a broad data basis, displays significant generality, and can be integrated into a variety of downstream systems. The Provider is whoever develops the model OR substantially adapts it (fine-tuning that materially changes the intended purpose).

Examples:

OpenAI with GPT-4: yes, GPAI Provider
Anthropic with Claude: yes
Mistral AI: yes
Aleph Alpha with Luminous: yes
SAP with Joule (wrapper on GPT/Claude): no, Deployer only
SME with Custom GPT on Azure: no, Deployer only

2. Art. 53: baseline obligations

All GPAI Providers (without systemic risk) must satisfy:

Technical documentation per Annex XI: architecture, training data, training compute, evaluation results
Information for downstream Providers: capabilities, limitations, suitable use cases
Copyright policy: compliance with Directive 2019/790, opt-out mechanisms for training data
Training-data summary: public document with data-source overview (template from the AI Office)

3. Art. 55: systemic-risk models

Additional obligations for models with cumulative training compute above 10^25 FLOPs:

Model evaluation with adversarial testing (red-teaming)
Risk assessment and mitigation of systemic risks (bias, cybersecurity, disinformation spread)
Tracking and reporting: serious incidents to the EU AI Office within 14 days
Cybersecurity protection for model weights

4. Code of Practice

As of April 2026: final version published by the EU AI Office in April 2025, continuously extended. Signatories as of March 2026: OpenAI, Anthropic, Google, Microsoft, Meta, Mistral, Aleph Alpha, Cohere, plus SAP as a downstream Provider. Roughly 90% of GPAI model coverage. The Code is a "compliance presumption" — adherence implies legal compliance.

5. EU AI Office and AISB

EU AI Office (Brussels, part of DG CNECT): central supervisor for GPAI
AI Scientific Board (AISB): independent expert advisory body
Powers: investigations (Art. 92), sanctions (Art. 101)
2025-2026 priorities: Code of Practice expansion, GPAI model registry, incident-reporting system

6. SME practical implications

Most SMEs are not GPAI Providers. They use GPAI models as Deployers. Provider status arises only with: own model training (rare in SMEs), substantial fine-tuning (e.g., a medical language model based on Llama), or white-label rebranding with own marketing. When in doubt, get legal clarification — the fine risk is 15M EUR / 3%.

Summary

GPAI obligations apply to a small number of large AI Providers, with a clear escalation for systemic-risk models. SMEs typically remain Deployers. Document your role explicitly in vendor contracts and re-assess after any fine-tuning project that changes the intended purpose.

View EU AI Act Kit →

Frequently Asked Questions

Am I a GPAI provider?

Yes, if you provide an AI model with general purpose (language, image, code). No, if you merely USE GPAI tools. SMEs are usually only deployers.

What is a 'systemic-risk' model?

Models with cumulative training compute >10^25 FLOPs (Art. 51) — e.g. GPT-4, Claude 3 Opus, Gemini 1.5. As of 04/2026: ~25 models worldwide.

What is the GPAI Code of Practice?

A voluntary code of conduct coordinated by the EU AI Office. Finalized 04/2025, signed by 90% of GPAI providers. Includes training data documentation, security measures, and bias testing.

Fines for GPAI providers?

Art. 101: up to EUR 15 million or 3% of global turnover for GPAI violations. Plus EU AI Office investigations (Art. 92).

What do I have to do as an SME downstream provider?

If you merely wrap an existing GPAI model (e.g. white-label ChatGPT): provider status arises only with substantial modification. If in doubt: consult a lawyer, as the risk of fines is high.

When do the obligations apply?

Art. 53/55 in force since 02.08.2025. NOT affected by the Digital Omnibus proposal (19.11.2025). The Code of Practice is already applicable as a 'compliance presumption' in 2025.

Sources

Regulation (EU) 2024/1689 — EU AI Act (Art. 51-55 GPAI) (As of: 2026-05-02)
AI Act Article 51 — GPAI threshold (As of: 2026-05-02)
European Commission — GPAI Code of Practice (As of: 2026-05-02)