General-purpose AI (GPAI)

General-purpose AI (GPAI) is a category in the EU AI Act for models that can perform a wide range of tasks and be built into many different downstream systems. Large language models and other foundation models are the clearest examples. Because one such model can power countless applications, the Act regulates the model itself, separately from the specific high-risk uses it might end up in.

This was a deliberate design choice. Rather than wait to see how each application uses a model, the Act places obligations on the people who develop and supply the model, so that information and safeguards flow down to everyone who builds on top of it.

What counts as GPAI

The Act defines a GPAI model as one trained on a large amount of data, showing significant generality, and capable of competently performing a wide range of distinct tasks, regardless of how it is released. That captures large language models, image generators, and similar foundation models, whether offered through an API, released as downloadable weights, or embedded in a product.

The scope is the model, not the application. A company that takes a GPAI model and builds, say, a hiring tool is a downstream provider of that high-risk system and carries its own obligations. The model's original developer is the GPAI provider. The two sets of duties stack rather than replace each other.

The systemic-risk tier

Not all GPAI is treated the same. The Act creates a higher tier for GPAI models with systemic risk, meaning models capable enough that problems with them could ripple across the market or society.

A model is presumed to pose systemic risk if the cumulative compute used to train it exceeds 10^25 floating point operations (FLOPs). This compute threshold is a proxy for capability. A model can also be designated as systemic-risk by the European Commission based on other criteria, even if it sits below the threshold.

Models in this tier carry extra obligations beyond the baseline, because the consequences of getting them wrong are larger.

Baseline provider obligations

Every GPAI provider, regardless of tier, has to meet a baseline set of duties.

Technical documentation. Providers must prepare and keep up to date documentation describing the model, including its training and testing process and evaluation results, and make it available to the AI Office and national authorities on request.

Information for downstream providers. They must give the developers who build on the model enough information to understand its capabilities and limitations and to meet their own obligations. You cannot comply with the Act for your application if the model underneath it is a black box to you.

Copyright policy. Providers must put in place a policy to respect EU copyright law, including reservations of rights for text and data mining.

Training data summary. They must publish a sufficiently detailed summary of the content used to train the model, following a template provided by the AI Office.

Additional obligations for systemic-risk models

Providers of GPAI with systemic risk take on more.

They must evaluate the model using standardized protocols, including adversarial testing and red teaming, to identify and mitigate systemic risks. They must assess and mitigate possible systemic risks at the EU level, including their sources. They must track, document, and report serious incidents and possible corrective measures to the AI Office. And they must ensure an adequate level of cybersecurity protection for the model and its physical infrastructure.

These duties recognize that a flaw in a widely used frontier model is not just one company's problem.

The August 2025 GPAI obligations

The EU AI Act applies in phases. The obligations for GPAI providers became applicable on 2 August 2025. From that date, providers placing GPAI models on the EU market are expected to meet the documentation, transparency, copyright, and, where relevant, systemic-risk duties described above.

To help providers show compliance, the AI Office facilitated a GPAI Code of Practice. Signing and following the Code is a voluntary way to demonstrate adherence to the obligations, though it is not the only route. Models already on the market before that date were given additional time to come into compliance.

Why GPAI rules matter for governance teams

Even if your organization does not train foundation models, GPAI rules shape your obligations. If you build on a GPAI model, the documentation and information the provider supplies is what lets you complete your own risk assessment, transparency disclosures, and technical file. Choosing a provider that takes these duties seriously is a procurement and due-diligence question.

If you do develop or substantially modify a GPAI model, you may step into the provider role yourself, including the systemic-risk tier if your training compute crosses the threshold. Either way, the practical work is keeping documentation current, tracking which models you rely on, and recording how you assessed them.

FAQ

What makes a model general-purpose under the EU AI Act?

It is trained on a large amount of data, shows significant generality, and can competently perform a wide range of distinct tasks, regardless of how it is released. Large language models and image generators are typical examples. The classification attaches to the model itself, not to any single application built on it.

What is the compute threshold for systemic risk?

A GPAI model is presumed to pose systemic risk when the cumulative compute used to train it exceeds 10^25 floating point operations (FLOPs). The threshold is a proxy for capability. The European Commission can also designate a model as systemic-risk on other grounds, and the threshold can be adjusted over time.

When did GPAI obligations start applying?

The obligations for GPAI providers became applicable on 2 August 2025. From that date providers are expected to meet the documentation, transparency, and copyright duties, plus the additional systemic-risk duties where they apply. Models already on the market before then were given extra time to comply.

What are the baseline obligations for a GPAI provider?

Maintain technical documentation, give downstream developers enough information to understand and safely build on the model, put in place a policy to comply with EU copyright law, and publish a sufficiently detailed summary of the training content using the AI Office template. These apply to every GPAI provider regardless of tier.

Do GPAI rules affect companies that only use these models?

Yes, indirectly but importantly. The documentation and information a GPAI provider supplies is what lets a downstream builder complete their own risk assessment, transparency, and technical file. So provider compliance feeds your compliance, which makes it a procurement and due-diligence concern even if you never train a model.

What is the GPAI Code of Practice?

It is a voluntary framework the AI Office facilitated to help GPAI providers show they meet their obligations. Signing and following it is one way to demonstrate compliance, though providers can comply by other means. It does not change the underlying legal duties; it offers a recognized path for satisfying them.

Summary

General-purpose AI (GPAI) is the EU AI Act category for broadly capable models, such as large language models, that can be built into many downstream systems, and the Act regulates the model itself rather than only its uses. Every GPAI provider must maintain technical documentation, inform downstream developers, follow a copyright policy, and publish a training-data summary. Models that pose systemic risk, presumed above a training-compute threshold of 10^25 FLOPs, carry extra duties around evaluation, risk mitigation, incident reporting, and cybersecurity. These obligations became applicable on 2 August 2025, and they matter even to organizations that only build on GPAI, because the provider's documentation is what enables downstream compliance.
