Art. 53 EU AI Act: baseline obligations for GPAI providers

The four baseline obligations

Art. 53 applies to every providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → of a general-purpose AI modelgeneral-purpose AI modelEU AI Act term for a model displaying significant generality and capable of many distinct tasks, typically integrated into downstream systems; carries its own obligation set, with extra duties for models posing systemic risk.Open full entry →. It sets four obligations that exist independently of the systemic-riskriskIn the EU AI Act's terms, the combination of the probability that a harm occurs and the severity of it if it does. The link between a principle (via the harm that would breach it) and a control (the measure that reduces it). Naming the harm and assessing its risk is required by Art. 9 before any mitigation measure is chosen. See harm, control, residual risk.Open full entry → classification, and that form the foundation on which the additional Art. 55 obligations build for the small group of systemic-risk models.

Technical documentationtechnical documentationRecords a provider must compile and keep for a high-risk AI system to demonstrate conformity, covering its design, data, testing, risk management and monitoring.Open full entry →. The provider must draw up and keep up to date the technical documentation of the model, covering its training and testing process and the results of its evaluation, in line with Annex XI. This documentation must be made available to the AI Office and national competent authorities on request.

Downstream information. The provider must make information and documentation available to downstream providers who intend to integrate the general-purpose AIgeneral-purpose AIA model trained on broad data that can be adapted to many downstream tasks; the AI Act sets specific obligations for it, with extra duties when it poses systemic risk.Open full entry → model into their own AI systems, in line with Annex XII. This lets a downstream providerdownstream providerA provider that builds an AI system on top of another party's model, often a general-purpose model, and takes on obligations for the system it ships.Open full entry → understand the model's capabilities and limitations well enough to meet its own obligations under the Act. It is the mechanism that carries model-level information down the value chainvalue chainThe sequence of actors from model development through provision to deployment and use, along which responsibilities and AI-Act obligations move.Open full entry →.

Copyright policy. The provider must put in place a policy to comply with Union law on copyright and related rights, in particular to identify and respect reservations of rights expressed by rightsholders.

Public training-content summary. The provider must draw up and make publicly available a sufficiently detailed summary of the content used to train the model, using the template provided by the AI Office.

The open-source position

The Act provides a limited exemption for certain free and open-source GPAI models from some of these obligations, specifically the technical-documentation and downstream-information duties, where the model's parameters and usage information are made publicly available under a free and open license. This exemption does not extend to the copyright policy or the training-content summary, and crucially it does not apply at all where the model has systemic risksystemic riskEU AI Act category for the most capable general-purpose models (presumed above a training-compute threshold), triggering extra duties: evaluations, adversarial testing, incident reporting, cybersecurity.Open full entry →. A systemic-risk model carries the full obligations regardless of how openly it is released.

Timing and the Code of Practice

The Art. 53 obligations became applicable on 2 August 2025. To help providers operationalize them during the period before harmonized standards exist, the AI Office coordinated a General-Purpose AI Code of Practice, published on 10 July 2025. The Code is a voluntary tool: a provider can use it to demonstrate compliance with Art. 53 and 55, but adherence is not itself the legal obligation, and not signing the Code does not exempt a provider from the Act. A provider that does not rely on the Code must demonstrate compliance by other adequate means.

Why it matters

For the organizations that build on foundation models rather than train them, Art. 53 is the reason the model information they need exists at all. The downstream-information duty and the public training-content summary are what let a deploying organization understand the model underneath its system, which it needs in order to meet its own obligations, particularly where its system is high-risk.

In the GovCompass-7

Art. 53 sits primarily in the transparencytransparencyOpenness about the fact that AI is used and how it operates in general: disclosures, documentation, notices. Pairs with explainability, which addresses individual outcomes.Open full entry → and explainabilityexplainabilityThe ability to give a meaningful reason for a specific output of an AI system to the people it affects — distinct from transparency, which is disclosure that and how AI is used.Open full entry → and accountabilityaccountabilityThe principle that a named human or organization answers for an AI system's outcomes, through ownership, documentation, audit trails and redress — never the system itself.Open full entry → pillars: it is about documenting the model and making the right information available to the right parties down the value chain.

Continue reading

• Art. 51 EU AI Act: classifying a GPAI model as systemic risk
• Art. 55 EU AI Act: obligations for systemic-risk GPAI providers
• GPAI integration as a deployer: ChatGPT, Copilot, and the EU AI Act