Law and Policy of the Media in a Comparative Perspective
You are at:»»EU AI Obligations for GPAI Providers: Compliance, Enforcement & Deadlines (2025–2027)

EU AI Obligations for GPAI Providers: Compliance, Enforcement & Deadlines (2025–2027)

0
By on Comments

A brief strategic overview for legal and business decision-makers

In July 2025, the European Commission introduced a coordinated set of instruments establishing governance expectations for General-Purpose AI (GPAI) providers. These included:

Publication Date Instruments Description  

Key Components of the EU GPAI Code of Practice

 
July 10, 2025 The first General-Purpose AI Code of Practice. Establishes a regulatory framework for GPAI providers. The Code is divided into three chapters; each aligned with specific legal obligations under the EU AI Act:

 

(1) Transparency & (2) Copyright:

→ Applicable to all GPAI model providers.

→Support compliance with Article 53 of the AI Act.

→ Supports GPAI providers in meeting AI Act transparency requirements and ensuring compliance with EU copyright law.

 

(3) Safety and Security:

→ Relevant only to providers of systemic-risk GPAI models.

→ Supports compliance with Article 55 of the AI Act.

→ Outlines state-of-the-art practices for identifying, mitigating, and monitoring high-impact risks associated with advanced models.
July 18, 2025 A Guidance Document supplementing the Code. Clarifies scope, definitions, and implementation details. Especially relevant for interpreting who qualifies as a “provider” and what counts as a “systemic risk” model.
July 24, 2025 A Training Data Disclosure Template. The Commission released a mandatory template for GPAI providers to summarise training data sources, curation practices, and risk mitigation measures.

 

Together, these documents establish a de facto regulatory framework under the EU AI Act’s transitional period and signal the Commission’s approach to pre-enforcement governance. 

  1. The GPAI Code of Practice: Voluntary, But Not Optional

The Code of Practice sets out a structured framework for GPAI model providers. While formally voluntary, it acts as a compliance bridge ahead of the AI Act’s full application (See below for the compliance and enforcement timeline).

The Code of Practice covers a range of obligations tied to transparency, risk management, model evaluation, and post-market monitoring.

  • Entities that sign the Code must actively engage with the AI Office, particularly if their models are deemed to pose a systemic risk.
  • The Code closely reflects provisions of Title III of the AI Act (High-Risk AI System), effectively anticipating legal obligations that will become enforceable from August 2026.

Key considerations: Treat the Code as a quasi-regulatory framework. While non-binding, it establishes a compliance baseline and signals expectations that will underpin future enforcement audits.

To adhere to the Code, GPAI providers must submit the signed form to EU-AIOFFICE-CODE-SIGNATURES@ec.europa.eu

  1. Supplementary Guidance: Expanding the Scope of “Provider”

The Supplementary Guidance released on 18 July 2025 elaborates on key clarifications, definitions, and criteria, especially around the designation of “provider” and “systemic risk.”

Key Clarifications:

  • Broad Definition of “Provider” within the AI value chain: Includes not only original developers, but also entities that place GPAI models on the market or make them available to third parties – even when developed by commission or within a consortium. This qualification depends on the actor’s functional role and must be assessed on a case-by-case basis.
  • Systemic Risk Classification: GPAI models may be deemed systemic risk under Article 51 of the AI Act if they exhibit high-impact capabilities or are designated by the Commission, based on Annex XIII criteria such as scale, autonomy, and deployment reach.

Access the official 18 July 2025 Guidelines on the scope of the obligations for general-purpose AI models established by the AI Act

Key considerations: if you or your client operate as a deployer or integrator in the AI value chain, be aware that such roles may now carry direct regulatory obligations under the AI Act. 

  1. Training Data Disclosure Template: Transparency as Legal Obligation

The Training Data Disclosure Template, published on July 24, 2025, sets out the mandatory publication obligations for in-scope GPAI providers under Article 53(1)(d) of the AI Act. It requires clear public documentation on:

  • The origin and nature of training datasets, including whether data was scraped, licensed, synthetic, or user-provided;
  • Data modalities and curation processes, including filtering and documentation practices;
  • Bias mitigation methods applied during model training;
  • Copyright and IP compliance.

This transparency obligation is legally binding, not optional. It reflects the AI Act’s commitment to model accountability in key legal domains:

  • Intellectual Property: Whether protected content was used lawfully;
  • Data Protection: Whether personal data was included and GDPR compliance is demonstrable;
  • Trade Secrets: Transparency must be balanced with protection of sensitive commercial information.
  1. Enforcement Timeline:

The Commission has defined a three-stage enforcement calendar, which legal teams must now incorporate into compliance timelines.

EU AI Compliance Timeline for General-Purpose AI (GPAI) Models

Date Compliance Timeline
2 August 2025 Compliance starts for new GPAI models placed on the EU market after this date. Providers must begin meeting obligations (e.g. transparency, risk management).
2 August 2026 Enforcement begins. The European Commission can investigate and issue fines for non-compliance.
2 August 2027 GPAI models (released before August 2025) must be fully compliant by this date. The grace period ends.

EU AI Act Enforcement:

Effective 2 August 2026, GPAI providers face fines up to €15M or 3% of global turnover under Article 101 of the AI Act. For broader AI Act breaches, Article 99 enables penalties up to €35M or 7%. Enforcement targets include non-compliance with transparency, refusal of model access, and deployment in prohibited AI practices.

Conclusion

The EU’s GPAI compliance toolkit is not a bureaucratic formality; it constitutes a strategic compliance framework and a clear signal of how enforcement under the AI Act will unfold.
As of 2 August 2025, legal obligations apply to newly placed GPAI models. Waiting until 2026 is no longer a viable position: it exposes organisations to material regulatory risk. For forward-looking legal and compliance teams, early alignment isn’t optional – it’s essential.

 

Share this article!
Download article as PDF
Share.

About Author

Related Posts

Leave A Reply