On 2 August 2025, twelve months after the EU AI Act entered into force, obligations for providers of general-purpose AI (GPAI) models began to apply. The same period saw the European Commission finalise a voluntary GPAI Code of Practice intended to help providers demonstrate compliance ahead of harmonised standards. This is a factual explainer of those developments, not legal guidance.
What GPAI obligations cover
The GPAI provisions sit in Articles 53 to 55 of the Regulation. As described in published Commission materials, providers of general-purpose AI models are expected to:
- Draw up and keep up-to-date technical documentation of the model, including its training and testing.
- Provide information and documentation to downstream providers who integrate the model into their own systems.
- Put in place a policy to comply with EU copyright law.
- Publish a sufficiently detailed summary of the content used for training, following a Commission template.
Models deemed to carry systemic risk face additional obligations, including model evaluation, systemic-risk assessment and mitigation, incident reporting and cybersecurity protection. For how GPAI fits the Act’s overall structure, see our pillar page on the EU AI Act.
The Code of Practice
To bridge the gap between obligations applying and formal European standards being adopted, the Commission supported development of a voluntary General-Purpose AI Code of Practice. It is organised into three chapters:
- Transparency — documentation practices, including a model-documentation form.
- Copyright — measures supporting a compliant copyright policy.
- Safety and Security — measures for providers of models with systemic risk.
The Code is explicitly voluntary. Signing it does not create new legal obligations, but the Commission has indicated it will focus enforcement on monitoring adherence for signatories and may treat commitments as a relevant factor. A provider can also choose to demonstrate compliance by other means, but doing so may require more individual engagement with the regulator to show how its practices meet the Act’s requirements. In effect, the Code offers a documented, pre-agreed route to demonstrating conformity, which is why much of the early attention focused on which major providers chose to sign. Provisions on transparency and disclosure connect to broader debates captured in our coverage under generative-AI disclosure.
The phased enforcement timeline
Several dates matter here, and they are distinct:
- 2 August 2025 — GPAI obligations begin applying; new models released from this date are expected to comply.
- 2 August 2026 — the Commission’s enforcement powers in relation to GPAI providers become available.
- 2 August 2027 — providers of models placed on the market before 2 August 2025 are expected to be brought into compliance.
This staggering means the start of obligations and the start of active enforcement are separated by roughly a year, a point several commentators emphasised when the rules began.
How GPAI differs from high-risk systems
GPAI obligations attach to general-purpose models — systems trained on broad data that can be adapted to many tasks — rather than to specific high-risk applications. A downstream developer can build a high-risk system on top of a general-purpose model, which is why the Act layers documentation duties so that information flows along the value chain. Readers unfamiliar with terms such as model, provider and deployer can consult our dictionary.
Relationship to voluntary frameworks
Although the GPAI rules are binding EU law, providers frequently align internal governance with voluntary instruments. The generative-AI-specific guidance within the NIST AI RMF and the management-system approach of ISO/IEC 42001 are commonly cited reference points for documentation, evaluation and risk-management practices, though neither substitutes for the Act’s legal requirements.
The training-data summary template
One of the more closely watched elements is the obligation to publish a sufficiently detailed summary of the content used to train a model. To make this workable, the Commission finalised a template that providers can follow, setting out the categories of information expected. The aim, as described in Commission materials, is to give downstream actors, rights-holders and the public a meaningful overview of training-data sources without requiring disclosure of every dataset in granular detail. The template’s release alongside the start of obligations gave providers a concrete artefact to populate rather than an abstract requirement to interpret.
Models with systemic risk
The Act singles out the most capable general-purpose models as carrying systemic risk, a designation that triggers heightened duties. The Regulation provides for identifying such models, including by reference to the computational resources used in training as an indicator of capability, while also allowing for designation on other grounds. Providers of these models face additional obligations such as performing model evaluations including adversarial testing, assessing and mitigating systemic risks, tracking and reporting serious incidents, and ensuring an adequate level of cybersecurity. This two-tier structure means that not every general-purpose model carries the same burden — the heaviest obligations attach to the frontier of capability.
What observers noted
Legal analysts described the August 2025 milestone as significant because it brought the largest, most general AI models directly within scope, with obligations centred on transparency and copyright rather than outright prohibition. They also noted the practical importance of the training-data summary template and the model-documentation form as the first concrete compliance artefacts. Several commentators emphasised the value chain effect: because downstream developers rely on information passed up from model providers, the GPAI documentation duties were seen as foundational to the workability of the high-risk obligations that follow later in the Act’s timeline.
In summary
From 2 August 2025, GPAI model providers came under documentation, transparency and copyright obligations, supported by a voluntary three-chapter Code of Practice. The official record is maintained by the European Commission. This article summarises those events; organisations should seek qualified advice on how the rules apply to them.
Leave a Reply