Art. 55 EU AI Act: obligations for systemic-risk GPAI providers
Art. 55 sets the additional obligations that apply only to providers of general-purpose AI models with systemic risk, on top of the baseline Art. 53 obligations. These providers must evaluate the model using state-of-the-art protocols including adversarial testing, assess and mitigate systemic risks at Union level, report serious incidents to the AI Office without undue delay, and ensure an adequate level of cybersecurity for the model and its physical infrastructure. This is the regime for the small group of frontier models.
The four additional obligations
Art. 55 applies on top of, not instead of, Art. 53. A providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → whose model is classified as systemic risksystemic riskEU AI Act category for the most capable general-purpose models (presumed above a training-compute threshold), triggering extra duties: evaluations, adversarial testing, incident reporting, cybersecurity.Open full entry → under Art. 51 carries the baseline obligations and these four additional ones.
Model evaluation and adversarial testing. The provider must perform model evaluation in accordance with standardized protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks. This is the obligation to actively probe the model for dangerous capabilities and failure modes, not merely to document what it does in normal use.
Systemic-riskriskIn the EU AI Act's terms, the combination of the probability that a harm occurs and the severity of it if it does. The link between a principle (via the harm that would breach it) and a control (the measure that reduces it). Naming the harm and assessing its risk is required by Art. 9 before any mitigation measure is chosen. See harm, control, residual risk.Open full entry → assessment and mitigation. The provider must assess and mitigate possible systemic risks at Union level, including their sources, that may arise from the development, placing on the market, or use of the model. This is a continuous risk-management duty operating at the level of society and the Union market, not only at the level of an individual deployment.
Serious-incident reporting. The provider must keep track of, document, and report, without undue delay, to the AI Office and as appropriate to national competent authorities, relevant information about serious incidents and the corrective measures taken to address them.
Cybersecurity. The provider must ensure an adequate level of cybersecurity protection for the model and for the physical infrastructure of the model, recognizing that a frontier modelfrontier modelA general-purpose model at the leading edge of capability, often the focus of systemic-risk concerns.Open full entry → is itself a high-value target.
How compliance is demonstrated
Because harmonized standards for these obligations did not exist when they took effect, the AI Office coordinated the safety and security chapter of the General-Purpose AIgeneral-purpose AIA model trained on broad data that can be adapted to many downstream tasks; the AI Act sets specific obligations for it, with extra duties when it poses systemic risk.Open full entry → Code of Practice to give operational meaning to terms such as state-of-the-art evaluation. The Code translates the Art. 55 obligations into concrete measures: red-teaming, capability evaluations against benchmarks, jailbreakjailbreakA prompt or technique that bypasses an AI system's safety guardrails to make it produce restricted output.Open full entry →-resistance testing, misuse-potential analysis, and a structured risk-management process triggered at major deployment decisions. The Code is voluntary. A provider can use it to demonstrate compliance, but a provider that does not sign it must show that it meets the Art. 55 obligations by other adequate means. Adherence to the Code is not conclusive evidenceevidenceThe concrete proof that a control is designed, implemented, and working: a test report, an audit trail, an impact assessment, a monitoring log. Each link in the governance chain produces an artifact, and together they are what an organization hands to its own board, a regulator, a customer, or an affected person to show, not say, that a system is governed. Its absence is itself the failure: a risk register without test results, or a mitigation claimed without validation, is a governance gap, not a paperwork one. The closing link of the governance chain. See control, governance.Open full entry → of compliance, and compliance with the Act is mandatory whether or not a provider relies on the Code.
Timing and enforcement
The Art. 55 obligations became applicable on 2 August 2025. The Commission's enforcement powers over GPAI providers, including formal requests for information, the ability to require mitigation measures, and administrative fines, begin on 2 August 2026. The gap between the two dates is a deliberate transitional period during which providers are legally bound while the AI Office builds up its supervisory capacity and the Code is operationalized. The Digital Omnibus agreed in May 2026 reinforced the AI Office's central supervisory role over general-purpose AI but did not postpone these obligations: unlike the high-risk system deadlines, the GPAI obligations have applied since August 2025 and remain in force.
Why it matters
Most organizations will never be subject to Art. 55 directly, because training a model above the systemic-risk threshold is far beyond the reach of all but a handful of providers. The relevance is structural. The foundation models that ordinary organizations build on are provided by exactly the companies Art. 55 binds, which means those models are subject by law to systematic safety evaluation, adversarial testing, and incident reporting. Art. 55 is the provision that places a safety obligation at the top of the value chainvalue chainThe sequence of actors from model development through provision to deployment and use, along which responsibilities and AI-Act obligations move.Open full entry →, where the most capable models are made.
In the GovCompass-7
Art. 55 reaches across several pillars. Its core is the security and robustnesssecurity and robustnessThe principle that an AI system resists attack, manipulation and adversarial or unexpected input. The vectors include data poisoning, model extraction, membership inference and prompt injection; the controls are ML security testing and a hardened data-and-model pipeline.Open full entry → and safety and reliability pillars, through the adversarial testing, risk mitigation, and cybersecurity duties. The incident-reporting duty connects to accountabilityaccountabilityThe principle that a named human or organization answers for an AI system's outcomes, through ownership, documentation, audit trails and redress — never the system itself.Open full entry →, and the model-evaluation obligation supports transparencytransparencyOpenness about the fact that AI is used and how it operates in general: disclosures, documentation, notices. Pairs with explainability, which addresses individual outcomes.Open full entry → about what the most capable models can do.