GPAI Compliance Guide — What Enterprise AI Buyers Must Do by August 2026

Every enterprise that has integrated ChatGPT, Claude, Gemini, or any large language model API into a product, workflow, or internal tool has already crossed a threshold. Under the EU AI Act (Regulation 2024/1689), these systems have a formal legal name — General-Purpose AI (GPAI) models — and their providers have been subject to binding obligations since 2 August 2025. If you are a deployer building on top of these APIs, your obligations as a downstream user of a GPAI model are in scope now, not in 2027. With the Act's full general enforcement arriving on 2 August 2026 and fines reaching €35 million or 7% of global turnover, the window for "we'll deal with this later" has closed.

This guide maps every GPAI obligation in the Act, explains what you need to ask your AI vendor, and shows how an automated governance scaffold converts regulatory text into operational practice.


TL;DR

  • GPAI model providers (OpenAI, Anthropic, Mistral, Google, Meta) have had binding obligations since 2 August 2025 under Article 53 of the EU AI Act.
  • Enterprises deploying GPAI models must verify provider compliance as part of their own deployer due diligence under Article 26.
  • Four core GPAI duties apply to all providers: technical documentation, training data transparency, copyright compliance, and downstream information sharing.
  • Systemic-risk GPAI providers (models exceeding 10²⁵ FLOPs training compute) face additional red-teaming, incident reporting, and cybersecurity obligations.
  • Non-compliance penalties for GPAI providers reach €15 million or 3% of global annual turnover; providing incorrect information to regulators reaches €7.5 million or 1%. Penalties for high-risk AI deployers under other Act provisions reach €35 million or 7%.
  • August 2026 is the full general enforcement date — when national market surveillance authorities and the European AI Office are fully operational and enforcement actions can begin.

What Is GPAI Under the EU AI Act?

The EU AI Act formally defines a GPAI model in Article 3(63) as an AI model trained on large amounts of data at scale that displays significant generality and can competently perform a wide range of distinct tasks. The definition is broad by design: it captures any model that is not narrowly trained for a single function and can be integrated into multiple downstream applications.

In practice, this means that the most commercially significant AI APIs available today — OpenAI's GPT series, Anthropic's Claude, Google DeepMind's Gemini, Meta's Llama, Mistral's open-weight models — are all GPAI models within the Act's scope. A model does not need to be multimodal, frontier, or commercially sold to qualify; open-source models made available on the EU market are equally in scope.

For the full definitional entry on GPAI, see the GPAI Glossary Entry.


Foundation Model vs GPAI vs Frontier Model — Disambiguation

These three terms circulate in parallel in compliance discussions, and conflating them leads to scoping errors.

GPAI model is the EU regulatory term (Article 3(63)). It is the legally operative classification. What matters for compliance is whether a model meets this definition, not whether it is marketed as a "foundation model" or described as "frontier."

Foundation model is the ML research and industry term for large pre-trained models that serve as a base for fine-tuning and downstream deployment. The terms overlap substantially — essentially every foundation model of commercial significance is a GPAI model — but the regulatory definition is the controlling one. An organization's legal team should assess models against Article 3(63), not against informal industry taxonomies.

Frontier model is a non-regulatory label for the most capable, most recently released models at the current technical limit. Frontier models typically fall within the systemic risk tier under the Act, but "frontier" is not itself a legal category, and a model does not need to be frontier to be GPAI.


The Four GPAI Obligations: What Every Provider Must Meet

Article 53 of the EU AI Act imposes four baseline obligations on every GPAI model provider that makes a model available on the EU market, regardless of where the provider is headquartered.

Obligation 1: Technical Documentation

Providers must prepare and maintain up-to-date technical documentation of the GPAI model. This documentation must cover the model's general capabilities and limitations, training methodology, type and source of training data, computational resources used, evaluation methodology and results (including on known or reasonably foreseeable risks), and the measures taken to mitigate those risks.

The documentation must be submitted to the European AI Office upon request and maintained throughout the model's operational life. For enterprise deployers, this documentation is the primary evidence base for assessing whether the GPAI model they rely on has met its Article 53 obligations.

Obligation 2: Training Data Transparency

Providers must produce and make available a summary of the content used to train the model. The summary must be detailed enough to enable a reasonable assessment of whether the training data complied with EU copyright law — specifically, the Text and Data Mining Directive (Directive 2019/790) and its opt-out mechanism for rights holders.

This obligation reflects the EU's position that the provenance of training data is not a commercial secret but an accountability requirement. The summaries are intended to enable copyright holders, downstream deployers, and regulators to assess training data practice without requiring disclosure of the full training corpus.

Obligation 3: Copyright Compliance Policy

Providers must implement a policy to comply with EU copyright law, including specifically respecting rights holder opt-outs under the Text and Data Mining Directive. This means establishing and enforcing a process for identifying and honoring opt-outs — a concrete operational requirement, not a policy statement.

For enterprise deployers using GPAI model outputs in commercial products or publications, the copyright compliance posture of the underlying model is directly relevant. If a provider's training data included content that rights holders had excluded, outputs derived from that training may carry copyright risk downstream.

Obligation 4: Downstream Information Sharing

Providers must make available to downstream providers — businesses building applications on top of the GPAI model API — all information necessary for those businesses to comply with their own obligations under the Act. This is the supply-chain transparency obligation: the provider cannot discharge its compliance duties without ensuring the deployer has the information they need to discharge theirs.

In practical terms, this means providers should supply deployers with: documentation describing the model's capabilities and known limitations, guidance on appropriate and inappropriate use cases, information needed to conduct risk assessments, and notice of any model updates or changes that affect compliance postures.


Systemic-Risk GPAI Tier — Additional Obligations

Not all GPAI models are equal under the Act. The regulation identifies a distinct tier of "GPAI models with systemic risk" — models that, given their capabilities and reach, pose risks extending beyond the immediate use case to societal infrastructure, democratic processes, or fundamental rights at EU scale.

The current threshold for systemic risk designation is training with cumulative computational power exceeding 10²⁵ FLOPs. The European Commission has the authority to update this threshold as compute scales, and is expected to do so.

Providers of systemic-risk GPAI models must, in addition to the four Article 53 obligations:

Conduct adversarial testing and red-teaming. Before and after release, providers must identify and address risks through adversarial testing and state-of-the-art red-teaming. This includes testing for risks to fundamental rights, critical infrastructure, and democratic processes — not only for model quality or factual accuracy.

Report serious incidents to the European AI Office. Providers must notify the European AI Office without undue delay of any serious incidents or near-misses that occur in connection with their systemic-risk GPAI model. The incident reporting obligation creates a direct operational link between providers and the EU regulator.

Implement adequate cybersecurity measures. Providers must put in place cybersecurity protections proportionate to the systemic risks posed by the model, including protections against model extraction, adversarial exploitation, and supply-chain attacks.

Assess and document systemic risks. Providers must evaluate potential systemic risks — including to critical infrastructure, civil discourse, electoral processes, and societal safety — and document mitigation measures. These assessments must be shared with the European AI Office upon request.

The European AI Office, operating within the European Commission (DG CONNECT), has primary supervisory authority over systemic-risk GPAI providers and can conduct investigations, issue information requests, and recommend enforcement actions.


Buyer Checklist: What to Ask Your AI Vendor

As a deployer organization using GPAI APIs, your due diligence obligation under Article 26 requires you to verify that your AI provider has met its applicable obligations. The following questions should be part of every procurement evaluation and vendor review cycle.

On technical documentation:

  • Has the provider published or made available technical documentation meeting the Article 53(1)(a) and Annex XI requirements?
  • Is the documentation current for the specific model version you are using?
  • Will the provider notify you of material changes to the model that affect the documentation?

On training data transparency:

  • Has the provider published a training data summary per Article 53(1)(d)?
  • Does the summary include information sufficient to assess Text and Data Mining Directive compliance?
  • Is the summary maintained for the specific model version and training run you are relying on?

On copyright compliance:

  • Does the provider have a documented policy for complying with EU copyright law, including opt-out respect?
  • Is there a process for the provider to notify you of any known copyright compliance issues that may affect model outputs?

On systemic risk (if applicable):

  • Has the provider's model been designated as systemic-risk by the European AI Office, or does its compute exceed the 10²⁵ FLOPs threshold?
  • If yes, has the provider conducted adversarial testing per Article 55? What were the results?
  • What incident reporting processes are in place, and will the provider notify you of reported incidents?

On downstream information:

  • Has the provider supplied you with all information required for you to comply with your own obligations under the Act?
  • Is there a formal mechanism for requesting additional compliance information from the provider?

On contract provisions:

  • Does your contract with the AI provider include data processing terms, copyright compliance representations, audit rights, and change notification obligations?
  • Does it allocate compliance responsibilities explicitly between provider and deployer?

August 2026 Enforcement Timeline and Non-Compliance Penalties

Understanding the enforcement calendar is essential for prioritizing compliance investment.

Already in force (August 2024): The EU AI Act entered into force. GPAI model providers that have placed a model on the EU market after this date must comply with Article 53 obligations.

Already in force (February 2025): The prohibited AI practices (Article 5) apply. AI governance structures at the national level (national competent authorities) must be designated.

2 August 2025: GPAI obligations under Title VIII (Articles 51–56) apply to all GPAI model providers. This is the date by which providers releasing models on the EU market must have their Article 53 documentation, training data summaries, and copyright compliance policies operational.

2 August 2026: All remaining provisions of the Act apply, including the full compliance obligations for high-risk AI systems (Annex III). National market surveillance authorities are fully operational. Private enforcement rights under Article 85 (allowing individuals harmed by prohibited AI practices to claim compensation under national law) are activated.

Penalties:

  • GPAI providers that fail to comply with Title VIII obligations face fines of up to €15 million or 3% of global annual turnover, whichever is higher.
  • Providers that provide incorrect or misleading information to the European AI Office face fines of up to €7.5 million or 1% of global annual turnover.
  • For high-risk AI system violations (separately applicable to deployers as well as providers) under Chapters II and III, fines reach €35 million or 7% of global annual turnover for the most serious breaches, including operating prohibited AI systems.
  • Penalties for SMEs are proportionately reduced; national supervisory authorities have discretion in applying penalties, with size, cooperation, and prior record as mitigating or aggravating factors.

The Act also provides that the European AI Office may require providers to cease distribution of non-compliant models on the EU market — a commercial impact potentially far larger than the fine itself.


How Knowlee's Governance Scaffold Maps GPAI Obligations to Operational Metadata

Translating regulatory text into operational practice requires more than reading the law — it requires instrumented systems that generate compliance evidence automatically, at runtime, without burdening individual operators with manual documentation tasks.

Knowlee's governance scaffold addresses the GPAI compliance layer in three specific ways.

Model identity tracking. For every AI-assisted process executed through Knowlee, the system records the model identity (provider, model name, version), the timestamp of invocation, the context in which the model was used, and the governance conditions in effect at runtime. When an auditor or regulator asks "which model made this decision, and was it compliant at the time?", Knowlee's audit trail answers that question from structured metadata — not from human memory.

Governance condition logging. Knowlee's job-level metadata records whether human oversight steps were completed, which user performed the review, what decision was taken, and what the AI's output was before and after review. For high-risk processes that invoke GPAI models, this log constitutes the Article 26 deployer compliance evidence: documented human oversight, decision trail, and intervention points.

Provider compliance status. Knowlee evaluates AI providers — including GPAI model providers used in the platform — against their Article 53 compliance posture as part of procurement due diligence. Contractual protections covering copyright compliance representations, technical documentation access, and change notification obligations are in place with Knowlee's model providers. Enterprise customers who need to understand the GPAI model layer underlying their Knowlee deployment receive appropriate technical disclosure to satisfy their own downstream deployer obligations.

The result is that GPAI compliance is not a one-time legal exercise — it is an operational condition maintained at runtime, auditable at any point, and surfaced to compliance teams without requiring manual tracking.


Frequently Asked Questions

Q: Does the GPAI compliance obligation apply to my organization if I am a deployer, not a model provider?

A: Deployers are not directly subject to Article 53 GPAI obligations — those apply to providers. However, deployers have an Article 26 obligation to verify that the AI systems they use (including GPAI model APIs) comply with applicable requirements. If your GPAI model provider has not met its Article 53 obligations, you are deploying on a non-compliant foundation, which creates regulatory exposure and potential liability if the deployment produces harm.

Q: The major AI providers (OpenAI, Anthropic, Google) are headquartered outside the EU. Does the Act still apply to them?

A: Yes. The AI Act applies to any organization that places an AI system or model on the EU market or whose outputs affect people in the EU, regardless of where the organization is headquartered. US, UK, and other non-EU GPAI providers serving EU customers are fully in scope.

Q: We use an open-source LLM that we run on our own infrastructure. Does the provider of that open-source model have GPAI obligations?

A: Providers who release open-source GPAI models under a free and open-source licence benefit from partial exemptions under Article 53(2). They are still required to publish training data summaries and their copyright compliance policy, but certain other documentation obligations are reduced for genuinely open models. If your organization deploys an open-source GPAI model and makes it available to others on the EU market, you may become a GPAI model provider yourself and acquire corresponding obligations.

Q: What happens after the August 2026 general enforcement date? Are there any additional deadlines?

A: August 2026 is the main general applicability date. After that, high-risk AI deployers must register qualifying systems in the EU AI database once the registration portal is operational — expected later in 2026. Ongoing post-market monitoring, incident reporting, and documentation maintenance obligations are continuous from August 2026 onwards.

Q: If my AI vendor tells me they are "AI Act compliant," is that sufficient?

A: No. "AI Act compliant" is not a certification — there is no EU-issued compliance seal for GPAI providers. Compliance is self-declared and demonstrable through documentation. Your due diligence obligation requires you to verify the specific documentation: Article 53 technical documentation, training data summary, and copyright compliance policy. A vendor statement without supporting documentation does not satisfy your deployer obligation under Article 26.

Q: Do GPAI obligations change if the model is accessed via a third-party platform rather than directly via the provider's API?

A: The obligation flows from making the model available on the EU market, not from the channel of access. A third-party platform that integrates a GPAI model and makes it accessible to EU customers is itself placing the model on the market and may acquire provider-level obligations depending on the degree of modification and control. Deployers should assess the compliance posture of any platform intermediary, not assume that the underlying model provider's compliance covers the platform layer.


Next Steps

The August 2026 enforcement deadline is a concrete operational deadline, not a distant regulatory horizon. For enterprise AI buyers, the priority actions are:

  1. Inventory all GPAI model APIs in use across the organization.
  2. Request Article 53 documentation and training data summaries from each provider.
  3. Review and update AI vendor contracts to include copyright compliance representations, change notification provisions, and audit rights.
  4. Assess whether any models in use are in the systemic risk tier, and request red-teaming and incident reporting information from those providers.
  5. Establish governance metadata logging for all GPAI-assisted processes in high-risk categories.

For a comprehensive regulatory compliance checklist covering the full EU AI Act, GDPR, ISO 42001, and sector-specific frameworks, see the AI Compliance Checklist 2026.

To discuss how Knowlee's governance scaffold can operationalize these obligations in your organization's AI workflows, book a consultation.