The EU AI Act's GPAI Rules

The EU AI Act's GPAI Rules

The model-layer obligations are already binding.

Verdict: the EU AI Act's general-purpose-AI obligations are binding now on model providers (since 2 August 2025), and the transparency and deployer duties your team owns turn binding 2 August 2026. If you only call an API you're a deployer; fine-tuning can make you an accidental provider inheriting documentation and copyright duties. Act before August.

The Weights Desk · 4 min read

Verdict: binding now upstream, binding in weeks for your layer

The general-purpose-AI model rules are already live. The obligations on GPAI model providers became applicable on 2 August 2025, and the AI-literacy duty on anyone deploying AI has applied since 2 February 2025, per the European Commission's framework (s1). If you build on top of a foundation model, most of the model-layer weight sits on your provider, not you. The piece you own — transparency disclosure, plus the full deployer regime if your product is high-risk — turns binding on 2 August 2026 (s1). That is weeks out. Skip the wait. Run the classification audit now and treat 2 August as a hard date, not a soft one.

Deployer or accidental provider? Know the line

This is the line that decides your exposure, and most teams misjudge it. Call the model through an API and prompt it — you are a deployer, and your job is mostly transparency and record-keeping. Fine-tune it, or otherwise modify it substantially, and the Act's logic can flip you into a provider of a general-purpose model, inheriting the documentation and copyright duties the regulation puts on model makers (s1, s2). Retrieval, system prompts, and orchestration generally stay on the deployer side of the line. Changing the weights is what pulls you across it. Decide which side you are on before you scale, because the answer sets your paperwork for years.

What a provider owes — and what leaks onto you

The Commission states the provider duties plainly: maintain technical documentation, give downstream integrators the information they need to build safely, publish a sufficiently detailed summary of the content used for training, and run a copyright policy that respects EU text-and-data-mining opt-outs (s1). Systemic-risk models — the Act presumes systemic risk above a compute threshold near 10^25 floating-point operations — add adversarial testing, risk mitigation, and incident reporting (s1, s2). You do not author these documents; you collect them from your vendor, which makes their paperwork a dependency you can be audited on. Honest caveat: the far end of the calendar is soft. The framework now dates some high-risk categories to December 2027 and August 2028 (s1), and technical standards and codes of practice are still landing — so do not over-build for rules that are not final. The GPAI and transparency layer is fixed. Ship against that.

Do I have to comply with the EU AI Act if I only use a foundation model through an API?
Mostly as a deployer, not a provider. Your duties center on transparency — disclosing AI interaction and labeling synthetic content — and record-keeping, with the core deployer obligations binding from 2 August 2026 (s1).
When can building on a foundation model make me a 'provider' under the Act?
When you substantially modify the model — typically fine-tuning that changes its capabilities — you can inherit provider duties like technical documentation and a copyright policy. Prompting, RAG, and system instructions generally don't cross that line (s1, s2).
What's already binding versus still coming?
GPAI model-provider obligations and AI literacy are binding now (since August 2025 and February 2025). The transparency and high-risk deployer duties turn binding 2 August 2026, with some high-risk categories dated later, to December 2027 and August 2028 (s1).
  1. Regulatory framework on Artificial Intelligence — European Commission
  2. Regulation (EU) 2024/1689 (Artificial Intelligence Act) — EUR-Lex, Official Journal of the European Union