73 days left until August 2, 2026 — the GPAI enforcement date.
If you're asking whether you qualify as a GPAI provider under the EU AI Act, you're not alone in finding the definition confusing. Most companies using AI tools are not GPAI providers. But if you've built, fine-tuned, or deployed a general-purpose AI model — even internally — you may be. The definition is broader than most legal teams realize, and the Act's language is not written to make this easy.
Work through the 8 questions below. Each one takes 30 seconds. By the end, you'll know your classification and what you need to have ready before August 2.
What is a GPAI provider?
Under Article 3(63) of the EU AI Act, a general-purpose AI (GPAI) model is an AI model trained on large amounts of data using self-supervision at scale, capable of serving many different purposes — and made available for other organizations or developers to use.
A GPAI provider is the company or individual that develops or fine-tunes that model and places it on the EU market (or makes it accessible to users in the EU).
If you're only using a GPAI model someone else built, you're a deployer, not a provider. Deployers have separate obligations under the EU AI Act — the high-risk AI system rules — but not the GPAI-specific ones in Chapter V.
The 8-question self-test
Work through these in order. You can stop as soon as you hit a "no" that clearly doesn't apply to you.
Question 1: Did your organization train or fine-tune an AI model?
This includes:
- Training a model from scratch on your own data
- Fine-tuning a base model (GPT, Llama, Mistral, etc.) on proprietary data
- Continued pretraining of an open-source model
No → You're using models others built. You're a deployer, not a provider. Stop here — GPAI provider obligations don't apply. See the EU AI Act August 2026 compliance checklist for deployer obligations.
Yes → Continue to Question 2.
Question 2: Is the model capable of serving multiple different tasks?
A GPAI model is "general-purpose" — it can do more than one thing. Examples: text generation, code completion, summarization, question-answering, classification.
A model that only classifies images into two categories, or only detects a single specific pattern, is likely a narrow AI system, not a GPAI model.
No → Your model is purpose-specific. GPAI provider rules don't apply, but you may still be a high-risk AI system provider. Stop here.
Yes → Continue to Question 3.
Question 3: Do you make the model available to others — inside or outside your organization?
"Making available" means other people or systems can use it. This includes:
- Providing API access to customers or partners
- Publishing the model weights (open-source release)
- Integrating the model into a product used by others
- Licensing the model to other businesses
Internal use only — where the model only runs inside your own systems and no one outside can access it, even via a product you sell — is a gray area, but the EU AI Act's recitals suggest this leans toward deployer, not provider.
No → Internal-use-only model. You're likely a deployer, not a GPAI provider. Stop here.
Yes → Continue to Question 4.
Question 4: Are any users or downstream businesses located in the EU, or does the model affect people in the EU?
The EU AI Act applies when:
- Your model is available to EU-based organizations or developers
- EU citizens interact with a product that uses your model
- The model processes data of people located in the EU
No → No EU market access. EU AI Act may not apply. Stop here, but monitor — indirect EU reach through customers can be sufficient.
Yes → Continue to Question 5.
Question 5: Are you making the model available under an open-source license?
Open-source GPAI providers face reduced obligations under Article 53(2), but they're not fully exempt.
Yes (open-source) → You have limited obligations: mainly copyright transparency and a basic technical summary. Skip to the Open-source GPAI obligations section. But first, answer Question 6 to check if you're still subject to full obligations despite open-source status.
No (proprietary) → Continue to Question 6.
Question 6: Does your model have training compute above 10²⁵ FLOPs?
This is the systemic risk threshold under Annex XIII. Models trained with more than 10²⁵ floating-point operations are presumed to pose systemic risk and face the heaviest obligations.
For reference:
- GPT-4 class models: estimated ~2×10²⁴ FLOPs (below threshold)
- Models trained on 10,000+ H100-equivalent GPU-days: likely above threshold
- Most fine-tuned models: well below threshold
If you don't know your training compute, you're almost certainly below this threshold. The organizations that cross it are training frontier models, not fine-tuning Llama on their support tickets.
Yes → You're a systemic risk GPAI provider. This applies regardless of open-source status. Continue to Question 7.
No → You're a standard GPAI provider. Skip to Question 8.
Question 7 (systemic risk only): Has your model been independently evaluated or red-teamed?
This is required for systemic risk GPAI providers before August 2, 2026. The evaluation must assess:
- Adversarial robustness
- Capability for generating CSAM, CBRN-enabling content, or critical infrastructure attacks
- Risks to fundamental rights at scale
Yes → Document the methodology and results. You'll need this for the EU AI Office.
No → Start now. Third-party red-teaming takes 4–8 weeks to arrange, and August 2 is 73 days away.
Question 8: Do you have technical documentation ready?
All GPAI providers (standard and systemic risk, proprietary and open-source) must maintain technical documentation covering:
- Model architecture description
- Training data categories and sources
- Training compute (approximate)
- Intended purposes
- Copyright compliance approach for training data
Yes → You're in reasonable shape. Review the GPAI compliance checklist to confirm all six obligations are met.
No → This is a clear gap. Technical documentation is non-negotiable for any GPAI provider.
Your results
| Your answers | Classification | Obligations |
|---|---|---|
| Stopped at Q1 (no training) | Deployer | High-risk deployer obligations if applicable |
| Stopped at Q2 (narrow model) | Narrow AI provider | Possible high-risk system obligations |
| Stopped at Q3 (internal only) | Likely deployer | Monitor; limited GPAI exposure |
| Stopped at Q4 (no EU reach) | Non-EU GPAI provider | EU AI Act likely doesn't apply now |
| Q5 yes + Q6 no | Open-source GPAI provider | Reduced obligations (below) |
| Q5 no + Q6 no | Standard GPAI provider | Full Article 53 obligations |
| Q6 yes | Systemic risk GPAI provider | Full obligations + Annex XIII |
Open-source GPAI obligations
If you answered yes to Question 5 and no to Question 6, you face reduced obligations under Article 53(2):
- Copyright transparency — publish a sufficiently detailed summary of training data used, including sources
- Basic technical documentation — architecture, training approach, intended purposes
- Acceptable use policy — document what the model should not be used for
You do NOT need to comply with the full copyright compliance regime (Article 53(1)(c)) or provide downstream operator documentation as extensively as proprietary providers.
Standard GPAI provider obligations (Article 53)
If you're a standard GPAI provider (proprietary, below systemic risk threshold):
- Technical documentation (Article 53(1)(a)) — model card covering architecture, training data, compute, intended purposes, and limitations
- Information for downstream operators (Article 53(1)(b)) — capabilities, limitations, known misuse risks, safety measures
- Copyright compliance (Article 53(1)(c)) — policy for complying with EU copyright law, including Article 4 TDM opt-outs
- Training data summary (Article 53(1)(d)) — sufficiently detailed summary of training data used, publicly available
- Cooperation with EU AI Office — respond to audits and requests
Deadline: August 2, 2026. All five must be in place.
Systemic risk additions (Annex XIII)
If you're above the 10²⁵ FLOPs threshold:
- Adversarial testing / red-teaming (Article 55(1)(a)) — before deployment, and after significant model updates
- Incident reporting (Article 55(1)(b)) — serious incidents to the EU AI Office without undue delay (implementing measures set specific timeframes, aligned with GDPR's 72-hour breach window)
- Cybersecurity measures (Article 55(1)(c)) — document cybersecurity protections for model weights and training infrastructure
- Energy efficiency reporting (Article 55(1)(d)) — document energy consumption
What to do now
If you've confirmed you're a GPAI provider, the EU AI Act GPAI compliance checklist walks through each obligation with specific deliverables and who should own them.
If you're a GPAI deployer (using models built by others), the EU AI Act August 2026 compliance checklist covers your obligations for high-risk AI system deployment.
For internal governance — who owns compliance, how to run vendor reviews, how to document AI systems — the AI governance guide for small teams covers the operational setup.
The August 2 deadline is firm. The EU AI Office has confirmed no extension.
