What is a General-Purpose AI (GPAI) model under the EU AI Act?
- GPAI models are broad, adaptable models (such as foundation models) regulated separately from the four risk tiers.
- Baseline obligations include technical documentation, downstream information, a copyright policy, and a training-content summary.
- Systemic-risk GPAI models face extra duties such as evaluation, adversarial testing, and incident reporting.
- GPAI obligations took effect in August 2025, with full compliance for pre-existing models required by August 2027.
- Current as of June 2026. This is general information, not legal advice.
How GPAI is defined
GPAI models are distinguished by their generality: they are not built for one narrow purpose but can be adapted to many. Because they sit upstream of so many products, the Act places obligations on the GPAI provider rather than leaving everything to the downstream developers who build on them.
The baseline obligations
Providers of GPAI models must, among other things:
- Maintain technical documentation of the model, including its training and testing.
- Provide information and documentation to downstream providers who integrate the model, so they can meet their own obligations.
- Put in place a policy to comply with EU copyright law.
- Publish a sufficiently detailed summary of the content used to train the model, using the template provided by the AI Office.
These obligations took effect on 2 August 2025. Free and open-source GPAI models are exempt from some of these requirements, though they must still meet the copyright and training-summary duties.
Systemic-risk models
A GPAI model can be classified as posing systemic risk, for example where it is trained using computing power above a defined threshold. Providers of systemic-risk models face additional obligations, including model evaluation and adversarial testing, assessing and mitigating systemic risks, reporting serious incidents, and ensuring adequate cybersecurity. These rules apply even to open-source models that cross the systemic-risk threshold.
The Code of Practice
To help providers show compliance, the EU published a General-Purpose AI Code of Practice. It gives a practical route to meeting the GPAI obligations and is a useful reference point for providers working out what good looks like.
What it means for you
If you build a GPAI model, the obligations apply to you directly and have been in force since August 2025 (with a longer transition for models already on the market before that date, which must be in full compliance by 2 August 2027). If you build products on top of someone else's GPAI model, you are usually a downstream provider or deployer: your obligations come from how you use the model and what you build, and you rely on the GPAI provider's documentation to meet them.
Key terms
- GPAI: general-purpose AI, a model trained on broad data and adaptable to many downstream tasks.
- Foundation model: a large model that serves as a base for many downstream AI products and applications.
- Systemic risk: a classification for GPAI models whose scale or capability triggers additional obligations.
- Training-content summary: a sufficiently detailed public summary of the content used to train a GPAI model.
- Code of Practice: the EU's practical guidance for GPAI providers on meeting their obligations under the Act.