GPAI Model Obligations: The August 2 Deadline Approaches

eu-ai-act gpai deadlines July 17, 2025 · by Marcus Chen

August 2, 2025 is sixteen days away. That is when the EU AI Act's GPAI provider obligations take effect. The Code of Practice was published on July 10 in its final form. The standardized training-data summary template was finalized June 24. The European Commission's interpretive Q&A document landed July 1. The pieces are now mostly in place. This post is a final pre-deadline checklist.

Who is a GPAI provider?

Article 3(63) defines "general-purpose AI model" as a model trained on a large amount of data using self-supervision at scale, displaying significant generality, and capable of competently performing a wide range of distinct tasks. The Commission Q&A clarifies several edges:

• Models trained primarily for narrow tasks are not GPAI even if foundational. A vision model fine-tuned for medical imaging is not GPAI.
• Open-weights distribution does not change GPAI provider status. The original creator is the provider; redistributors are not.
• Substantial fine-tuning that materially changes the model's general capabilities can create a new GPAI model with the fine-tuner as provider. The threshold for "substantial" remains soft.
• The 10^25 FLOP threshold for systemic-risk classification is presumptive, not exhaustive. The Commission can designate models with lower training compute as systemic-risk based on capability evaluations.

Article 53 obligations: all GPAI providers

Three obligations apply to every GPAI provider placing a model on the EU market:

1. Technical documentation (53(1)(a)). Documentation maintained for two years post-deployment, available to the AI Office on request, covering the items in Annex XI: model architecture, training compute and energy, intended uses, evaluation results, integration guidance, etc. The Code of Practice includes a structured template; following it satisfies the obligation. Most large providers we have advised have this in reasonable shape; documentation completeness is the predictable failure mode for smaller providers.
2. Information for downstream providers (53(1)(b)). A separate documentation package directed at downstream parties integrating the model into their products. The information set is narrower than the Article 53(1)(a) documentation but includes capability and limitation information, data governance attributes, and integration support. The downstream party then uses this to support its own compliance, particularly for high-risk-system deployments under Articles 6-15.
3. Copyright policy (53(1)(c)). A policy demonstrating compliance with EU copyright law, particularly the TDM exception under Articles 3-4 of the CDSM Directive. The substantive obligation here is honoring rightsholders' opt-outs under Article 4(3). Providers must "put in place state-of-the-art technologies" to identify and respect rightsholders' opt-outs — a phrase that is going to spawn extensive litigation about what "state-of-the-art" means.
4. Training-data summary (53(1)(d)). A "sufficiently detailed" public summary of the training data, using the Commission's template. The template asks for, among other things, dataset categories, source types, processing details, and information on whether content has been used despite rightsholders' opt-outs. The template specifies aggregation levels that protect provider trade secrets while providing meaningful disclosure.

For providers headquartered outside the EU, Article 54 requires the appointment of an EU-located authorized representative. The market for these has matured; specialist firms (mostly the same ones that handle product-safety AR appointments) are the standard arrangement.

Article 55: systemic-risk providers

Models exceeding the 10^25 FLOP threshold (or designated by the Commission) face additional obligations:

• State-of-the-art model evaluations, including adversarial testing, before placing on the market.
• Risk assessment and mitigation at the systemic level, addressing risks the model could pose at scale.
• Incident reporting to the AI Office for "serious incidents" within timelines specified in implementing acts.
• Adequate cybersecurity protection of the model and its physical infrastructure.

The Code of Practice covers these obligations in detail. As of last week, fourteen frontier providers have signed the Code, including all the major U.S. labs except one. Signing the Code creates a presumption of compliance with the underlying Article 55 obligations and significantly reduces enforcement risk.

For non-signatories, demonstrating compliance directly is possible but harder. The AI Office has indicated it will treat non-signatory providers more skeptically and will request additional documentation in inquiries. Practically: if your client is a frontier provider, signing the Code is the right call unless there is a specific reason not to.

Pre-deadline checklist

For providers we are advising, the pre-August 2 checklist:

1. Final review of Annex XI technical documentation. Stress-test against the Code of Practice template. Identify and close any gaps.
2. Downstream-provider documentation package. Distinct from internal documentation; review with eyes of a deployer who has never seen the model before.
3. Copyright policy. Confirm rightsholder opt-out implementation. The Commission Q&A explicitly mentions robots.txt directives, machine-readable rights reservation under Article 4(3), and emerging W3C Working Group output on TDM signals. Implementation needs to address all three.
4. Training-data summary. Run through the published template. The aggregation levels are protective but require careful drafting; trade-secret-sensitive information should not appear, and the level of detail needs to track the template precisely.
5. EU authorized representative arrangement. For non-EU providers; should already be in place but worth a final check.
6. For systemic-risk providers: Code signature, evaluation reporting infrastructure, incident-reporting workflow, cybersecurity attestations.

Enforcement timeline

The AI Office has indicated that enforcement will begin August 2 but that the early enforcement focus will be on documentation completeness rather than substantive compliance with novel obligations. We expect:

• Information requests under Article 91 will be the primary early enforcement tool. Providers will need to respond promptly with documentation.
• Cooperation between the AI Office and national data-protection authorities on training-data and copyright issues. The first joint inquiries are likely to land late summer.
• Penalty decisions probably not until 2026, except in cases of obvious non-compliance (e.g., providers operating without any documentation at all).

The 3% of turnover ceiling for GPAI obligation violations is below the Article 5 prohibition penalties but well above the high-risk-system penalty cap. For the largest providers, this is real money.

For non-EU providers serving EU users

The extraterritorial reach we flagged in May 2024 applies in full to GPAI obligations. A provider headquartered outside the EU that places a model on the EU market — including by offering it through a cloud API accessible from the EU — is subject to Article 53. The "use in the EU" hook is not relevant here; the question is market placement. But that question is broad enough that effectively any commercial GPAI provider is in scope.

If your client has been advancing a "we will not formally serve EU users" theory, July is the time to pressure-test that theory. Nominal geofencing without operational backing is unlikely to defeat market-placement liability.