Navigating the EU's AI Act: Key Guidelines for General-Purpose AI Providers

According to Article 3(36) of the AI Act, GPAI models are defined as systems trained with significant computational resources and data capable of generating a wide range of content, including text, images, audio, and video. These models are not tailored to a single task but can be adapted for diverse applications, making them central to the AI value chain.

The guidelines put forward a threshold for determining whether an AI model is a GPAI model, based on the amount of computational resources used to train the model measured in FLOP which means how many math calculations it can do every second.

‍

The guidelines make clear that the obligations apply to any provider placing GPAI models on the EU market, regardless of whether they are physically established in the EU. This extraterritorial scope reflects the EU’s ambition to shape global AI governance.

The AI Act introduces a tiered framework of obligations based on the risk and impact of AI systems. For GPAI providers, the guidelines serve as a clearer indication of the core responsibilities. As Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy remarked:

“With today's guidelines, the Commission supports the smooth and effective application of the AI Act. By providing legal certainty on the scope of the AI Act obligations for general-purpose AI providers, we are helping AI actors, from start-ups to major developers, to innovate with confidence, while ensuring their models are safe, transparent, and aligned with European values.” 

GPAI providers must observe the following core responsibilities:

• Transparency: Providers must disclose that users are interacting with AI and ensure that AI-generated content is clearly labelled. This includes watermarking or other technical means to identify synthetic content.
• Technical Documentation: Providers must maintain detailed documentation on the model’s architecture, training data, and performance metrics. This is essential for downstream deployers to assess compliance with the AI Act.
• Copyright Compliance: Providers must implement policies to respect EU copyright law, including mechanisms to identify and remove infringing content from training datasets.
• Systemic Risk Mitigation: For GPAI models deemed to pose systemic risks—due to their scale, capabilities, or potential for misuse—providers must conduct risk assessments and implement mitigation strategies. This includes monitoring for harmful outputs and ensuring human oversight.

‍

The guidelines also address and clarify further the treatment of open-source GPAI models under the AI Act. While open-source distribution does not automatically exempt a provider from obligations, models released under open licences may benefit from reduced requirements if they meet certain transparency and safety conditions.

This nuanced approach aims to balance innovation and accountability, recognising the value of open-source contributions while safeguarding against misuse.

‍

The publication of these guidelines signals a shift from legal principle to practice. Providers must now move swiftly to align their operations with the AI Act’s requirements. This includes:

• Reviewing and updating technical documentation.
• Implementing robust transparency and labelling mechanisms.
• Preparing for potential audits and enforcement actions.
• Engaging with the General-Purpose AI Code of Practice, a voluntary framework that can serve as a compliance benchmark.

For non-EU providers, the message is clear: if your model is accessible in the EU, you are within scope. This underscores the importance of cross-border legal readiness and proactive engagement with EU regulators.

‍

With the clockticking, GPAI providers would do well to prepare for compliance by:

1. Conducting a compliance gap analysis against the AI Act and the new guidelines.
2. Establishing internal governance structures to oversee AI risk management.
3. Engaging legal and technical experts to ensure documentation and transparency obligations are met.
4. Monitoring developments around the Code of Practice and consider early adoption.
5. Communicating with downstream deployers to clarify shared responsibilities.

The EU’s AI Act represents a bold experiment in regulating frontier technologies. These new guidelines provide much-needed clarity for GPAI providers and mark a pivotal moment in the global conversation on trustworthy AI.

‍

Our technology lawyers combine their technical knowledge with legal expertise, to serve clients holistically in the adoption and implementation of AI systems. We firmly believe in the opportunities and benefits that AI creates. We guide first movers in the AI industry to adopt AI confidently and in a compliant manner. 

Reach out to us to adopt AI confidently in your business. 

‍