Demystifying the EU’s AI Act: What the New Guidelines Mean for GPAI Model Providers
In August 2025, the European Commission released a pivotal set of guidelines under the EU Artificial Intelligence Act (AI Act), focusing on General-Purpose AI (GPAI) models. These guidelines aim to clarify the legal and operational responsibilities of providers of such models, especially in light of the AI Act’s enforcement beginning on 2 August 2025.
Why the EU’s AI Guidelines Matter for Model Providers
The AI Act – officially Regulation (EU) 2024/1689 was enacted to ensure AI systems in the EU uphold human rights, safety, transparency, and democratic values. Given that GPAI models serve a wide range of applications and form the backbone of countless AI systems, their regulation is critical. These models are not only versatile but also have the potential to pose systemic risks due to their reach and capabilities.
The guidelines offer clarity on four key fronts:
- Definition and classification of GPAI models
- Obligations of providers placing these models on the EU market
- Exemptions for open-source models
- Enforcement, monitoring, and future reviews
What Makes an AI Model ‘General-Purpose’ Under the EU Act?
Under the AI Act, a GPAI model is one that:
- Is trained on large-scale data using self-supervision
- Can perform a wide array of distinct tasks
- Is deployable across multiple downstream AI systems
However, not all large AI models automatically qualify. The EU sets an indicative threshold based on training compute models using over 10²³ FLOP and capable of generating language, text-to-image, or text-to-video outputs are considered GPAI models. Models used purely for R&D or limited tasks (like weather modeling or speech transcription) are generally excluded.
Systemic Risk: A Special Category
Some GPAI models are classified as having systemic risk meaning their capabilities are so impactful they could affect the EU market or society at scale. A model is presumed to carry systemic risk if it is trained using more than 10²⁵ FLOP or if designated so by the Commission based on various criteria (Annex XIII of the AI Act).
Providers of such models face additional obligations, including:
- Conducting risk assessments
- Reporting serious incidents
- Ensuring robust cybersecurity
- Continuous monitoring across the model’s lifecycle
If a provider disagrees with a model’s classification, they can contest the decision by submitting evidence showing the model does not meet the high-impact capability criteria.
Lifecycle Responsibilities
The guidelines stress a full-lifecycle approach. Providers must:
-Maintain up-to-date documentation
-Ensure copyright compliance
-Publicly disclose training content summaries
-Continuously assess and mitigate risks
This applies from the model’s initial pre-training through deployment and even after-market use.
Who Is Considered a “Provider”?
The term “provider” isn’t limited to developers. It includes any entity that:
- Places a GPAI model on the EU market (even if developed by someone else)
- Offers the model via APIs, software packages, cloud services, or app stores
- Integrates GPAI into larger systems sold in the EU
Even non-EU companies distributing models in the EU are considered providers and must appoint an EU-based authorized representative.
Open-Source Exceptions
There’s a silver lining for open-source developers. GPAI models released under free and open-source licenses may be exempt from some requirements like maintaining documentation and appointing an EU representative if:
- The model is not classified as having systemic risk
- Its parameters, weights, architecture, and usage info are made public
- It is not monetized
Still, systemic risk models remain fully regulated, regardless of open-source status.
Enforcement & What Lies Ahead
The European AI Office, under the Commission’s oversight, is responsible for enforcement. The guidelines are not legally binding, but they reflect the Commission’s official interpretation and enforcement strategy. Providers should not expect leniency based on ignorance or technical ambiguity.
As the AI landscape evolves, the Commission plans to review and update these guidelines, ensuring they remain aligned with technological and societal changes.
Final Thoughts
These guidelines offer much-needed clarity at a crucial time for AI governance in Europe. Whether you’re a tech company, startup, researcher, or developer, understanding your obligations under the AI Act is no longer optional – it’s essential for operating in the EU.
Sources
https://www.pexels.com/photo/an-old-map-of-europe-9494908
Credits- AI & Partners