
Introduction: GPAI Obligations Are Now in Force — Is Your Board Ready?
As of August 2, 2025, the EU AI Act's obligations for General-Purpose AI (GPAI) model providers are in force. Full Commission enforcement, including fines, begins August 2, 2026. That's a narrow window.
Many US-based boards assume EU regulation doesn't apply to them. That assumption is wrong. Any organization making GPAI models accessible in the EU market, via API, app store, or third-party integration, falls under the Act's jurisdiction.
This guide gives boards, audit committees, and technology executives a governance-ready framework for GPAI compliance — clear enough to drive decisions, grounded enough to hold under regulatory scrutiny.
TL;DR
- GPAI obligations are in force as of August 2, 2025; enforcement with fines begins August 2026
- Models trained above 10²³ FLOP capable of generating language or images are presumed GPAI models; those above 10²⁵ FLOP face expanded systemic risk obligations, including mandatory safety evaluations
- Non-EU companies with EU market exposure must comply and appoint an authorized EU representative
- The GPAI Code of Practice (July 2025) is voluntary but is the Commission's preferred compliance path; major signatories include Amazon, Anthropic, Google, Microsoft, and OpenAI
- Fines reach €15 million or 3% of global annual turnover, whichever is higher
What Qualifies as a GPAI Model Under the EU AI Act
The Core Definition
Article 3(63) of the EU AI Act defines a GPAI model as one that "displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications."
The contrast with narrow AI matters here. A model trained solely to classify insurance claims or route customer service tickets is not a GPAI model. A model that can write code, summarize documents, answer questions, and generate images falls into a different category entirely.
The 10²³ FLOP Threshold
The Commission's July 2025 Guidelines operationalize the definition with a specific threshold: a model trained with computational resources exceeding 10²³ floating point operations (FLOP) and capable of generating language, text-to-image, or text-to-video outputs is presumed to be a GPAI model. That presumption is rebuttable — but it's the starting point for any self-assessment, and the burden of rebuttal sits with the provider.
The Systemic Risk Tier
Cross the 10²³ threshold and you're in scope. Cross 10²⁵ FLOP and the obligations escalate substantially. Models trained above that level are presumed to have "high-impact capabilities" and face a significantly heavier compliance burden.
No official public count of all global providers meeting this threshold exists, but the Commission has confirmed it is actively engaging with providers at this level (including reported discussions with OpenAI and Anthropic).
Downstream Modifiers: When Fine-Tuning Makes You a Provider
Organizations that fine-tune or adapt an existing GPAI model assume full provider obligations only if the modification uses more than one-third of the original model's training compute — a threshold drawn directly from the Commission's FAQ on the July 2025 Guidelines.
In practice, enterprises integrating foundation models like GPT-4 or Gemini into products typically won't cross that line through standard fine-tuning. Even so, the determination should not be assumed. It should be formally assessed and documented, and that assessment belongs in your AI governance record.
Key GPAI Compliance Obligations: What Providers Must Do
Obligations split into two tiers: those applying to all GPAI providers, and additional requirements for providers of systemic risk models. The distinction matters for governance accountability — different thresholds trigger different board-level oversight responsibilities.
Transparency and Technical Documentation
Article 53 requires all GPAI providers to maintain detailed technical documentation and provide downstream users with information about capabilities and limitations.
Required documentation includes:
- Model architecture, parameter count, and modality
- Training, testing, and validation data — including curation methodologies
- Computational resources used and known or estimated energy consumption
- Results of model evaluations
Free and open-source GPAI models (where weights, architecture, and usage information are publicly available) are partially exempt from these documentation obligations — unless the model carries systemic risk, in which case no exemption applies.
Copyright Compliance Policy
Article 53(1)(c) requires providers to maintain a formal policy covering EU copyright law, including respecting machine-readable rights reservations such as those expressed via robots.txt under Article 4(3) of Directive (EU) 2019/790.
Alongside this, Article 53(1)(d) requires a publicly available summary of training content, prepared using the Commission's mandatory Template published July 24, 2025. This is a public-facing obligation with a prescribed format — not discretionary documentation a provider can customize or delay.
Systemic Risk Obligations (High-Impact Models Only)
Article 55 imposes four additional requirements on providers of models above the 10²⁵ FLOP threshold:
- Model evaluations using standardized protocols, including red-teaming and adversarial testing
- Formal risk assessment and mitigation for systemic risks at EU level
- Prompt reporting of serious incidents to the AI Office and national competent authorities; the AI Office does not treat this as an open-ended window
- Cybersecurity protections covering both the model infrastructure and its physical environment

Two timing obligations attach to these requirements. Providers must notify the European Commission within two weeks of meeting the 10²⁵ FLOP threshold.
The retroactivity risk deserves board attention: if a provider contests systemic risk classification and the Commission rejects those arguments, Article 55 obligations apply from the moment the threshold was met — not from when the contest was resolved. Delayed notification does not pause the compliance clock.
The GPAI Code of Practice: A Strategic Compliance Path
The final GPAI Code of Practice, published July 10, 2025, is voluntary. It is also the Commission's clearly preferred compliance path — and the difference between signing and not signing carries real strategic weight.
What Signing Gets You
According to official Commission materials, signatories benefit from:
- Greater legal certainty and reduced administrative burden
- Focused enforcement monitoring of Code adherence rather than broad scrutiny
- Good-faith treatment during the first year from August 2025 for providers actively implementing their commitments
Non-signatories must demonstrate compliance through alternative means, provide a gap analysis comparing their measures to the Code, and can expect more information requests and model evaluations from the Commission.
What the Code Covers
The Code has three chapters:
| Chapter | Applies To | Key Requirements |
|---|---|---|
| Transparency | All GPAI providers | Standardized Model Documentation Form, retained for 10 years |
| Copyright | All GPAI providers | Web crawler conduct, technical safeguards against infringing outputs |
| Safety and Security | Systemic risk providers only | Safety and Security Framework, incident tracking, whistleblower protections |
Who Has and Hasn't Signed
Knowing which vendors signed — and which didn't — directly affects what your board should request from them.
Signatories include: Amazon, Anthropic, Google, IBM, Microsoft, Mistral AI, OpenAI, and dozens of European AI companies.
Notable non-signatory: Meta declined, with its chief global affairs officer citing legal uncertainties and measures that exceed the Act's scope.
For boards, this is a strategic posture decision. Signing signals good-faith engagement and shapes how the Commission approaches your organization. It doesn't guarantee compliance, but it reduces friction. Not signing is viable, but expect more friction in the form of additional documentation, gap analyses, and a higher likelihood of Commission scrutiny.
What boards should request from AI model vendors:
- Confirmation of Code signatory status (or documented alternative compliance path)
- Copy of or reference to their Model Documentation Form
- Evidence of copyright policy and training data summary publication
- For systemic risk vendors: incident reporting procedures and red-teaming protocols
Enforcement Timeline and Penalties
Here are the dates that matter, without ambiguity:
| Date | What Happens |
|---|---|
| August 2, 2025 | GPAI obligations in force for new models |
| August 2, 2026 | Commission begins enforcement, including fines |
| August 2, 2027 | Compliance deadline for models placed on market before August 2, 2025 |

Penalty exposure: Fines reach €15 million or 3% of global annual turnover, whichever is higher, for non-compliance with GPAI provider obligations.
The Extraterritorial Question
Article 2 applies the regulation to any provider placing a GPAI model on the EU market, regardless of where the provider is established. US companies distributing via API, app stores, or third-party integrations are subject to these obligations.
Article 54 requires non-EU providers to appoint an authorized EU representative before placing a model on the EU market — a requirement that functions similarly to GDPR's Article 27 representative obligation and carries the same practical weight.
Enforcement Posture
During the first year, the Commission has indicated it will prioritize guidance over immediate penalties for Code adherents acting in good faith. That posture ends on August 2, 2026. The official FAQ is explicit: from that date, the Commission will enforce full compliance with all obligations, including through fines.
Translating GPAI Obligations Into Board-Level Governance
Compliance documentation doesn't govern itself. What turns legal obligations into actual organizational accountability is a governance structure with clear decision rights, credible reporting, and named owners.
Establishing Decision Rights
Boards need to define which AI model deployment and modification decisions require board visibility versus management authority. Practically, that means establishing escalation thresholds — triggers that bring a decision up from management to executives to the board. For GPAI purposes, relevant triggers include:
- Approaching the 10²³ or 10²⁵ FLOP threshold through model development or acquisition
- A serious incident requiring reporting to the AI Office
- A key AI model vendor failing to demonstrate a credible compliance path
- A fine-tuning modification that may approach the one-third compute threshold
Board Oversight Mechanics
A functional AI governance structure for boards navigating GPAI obligations should include:
- An AI governance dashboard showing stable trend metrics — not activity counts. Key metrics should include compliance posture, vendor status, incident history, and threshold proximity, each with defined thresholds and trends
- Regular credible reporting on AI compliance posture — structured like board-level risk reporting, not legal memos
- A documented 90-day compliance action plan with named owners and measurable outcomes, reviewed quarterly

Tyson Martin's board advisory practice is built around exactly this structure: decision rights and escalation thresholds clarified, a stable dashboard that shows trend rather than trivia, and 90-day plans with owners and a clear definition of done. His AI Governance Starter Pack is a fixed-fee 30-day sprint that delivers an AI risk assessment, a decision-rights map, a one-page board-level AI policy, and a facilitated board briefing — giving organizations a defensible starting posture within a defined timeframe.
When to Bring in External Governance Support
For boards navigating GPAI obligations alongside other regulatory demands, the governance gap is often less about information and more about structured accountability. An advisor or fractional CISO with AI governance depth can build the compliance framework, structure vendor assessments, brief the board in plain English, and hold management accountable — without requiring permanent headcount.
Any external engagement should be evaluated against one question: does it produce oversight that holds under regulatory scrutiny? The standard is concrete — a governance dashboard, a documented escalation ladder, a vendor evidence file, and a named owner for each obligation.
Frequently Asked Questions
Does the EU AI Act apply to US companies that aren't based in Europe?
Yes. Article 2 applies the regulation to any provider placing a GPAI model on the EU market, regardless of where the provider is based. US companies distributing via API, app stores, or third-party integrations are fully subject to GPAI obligations.
What is the difference between a GPAI model and a GPAI model with systemic risk?
All GPAI models exceed the 10²³ FLOP threshold and carry baseline obligations: technical documentation, copyright policy, and a public training data summary. Systemic risk models exceed 10²⁵ FLOP and face a heavier compliance burden — mandatory model evaluations, formal risk assessments, incident reporting to the AI Office, and cybersecurity protections.
What are the penalties for non-compliance with GPAI obligations?
Fines can reach €15 million or 3% of global annual turnover, whichever is higher. Enforcement with fines begins August 2, 2026 — giving organizations a narrow window to establish compliance before real regulatory exposure materializes.
Does signing the GPAI Code of Practice guarantee compliance with the EU AI Act?
No. The Code is voluntary and not legally binding, though it is the Commission's preferred compliance path. Signing creates a presumption of compliance but does not eliminate all obligations or provide immunity from fines.
What is an authorized representative and does my company need one?
Any non-EU GPAI provider must appoint a legally designated EU representative before placing their model on the EU market. The representative must verify and maintain access to technical documentation for the AI Office and national authorities — functioning similarly to GDPR's Article 27 representative requirement.
When do GPAI model providers need to be fully compliant?
Models placed on the market after August 2, 2025 must comply immediately. Models placed on the market before August 2, 2025 have until August 2, 2027 to comply. Regardless of model date, Commission enforcement actions begin August 2026.


