GovCompass
Knowledge base
Guide

GPAI Integration as a Deployer: ChatGPT, Copilot, and EU AI Act

Updated: June 2026 — full revision to Validai quality standard

Introduction: GPAI Is Everywhere

General purpose AI (GPAI) models — ChatGPT, Microsoft Copilot, Google Gemini, Claude, and others — have become embedded in the daily workflows of most Dutch organisations. Staff use them for drafting, analysis, code generation, customer service, and dozens of other applications. Many organisations have Microsoft 365 Copilot integrated enterprise-wide, or use OpenAI's API for custom applications.

Understanding what the EU AI Act requires of deployers using GPAI is essential — and reassuringly, the obligations are generally lighter than for high-risk AI systems. But they are not zero.

The Regulatory Position of GPAI Models

GPAI models are regulated primarily through Art. 52–55 of the EU AI Act, which creates obligations for model providers (OpenAI, Microsoft, Google, Anthropic). As a deployer of GPAI tools, you benefit from your provider's compliance with these obligations but are not directly subject to Art. 52–55 obligations yourself.

However, two frameworks do apply to GPAI deployers:

1. Art. 50 Transparency Obligations

Art. 50 applies to deployers who use GPAI systems in consumer-facing applications. Key requirements (in force from 2 August 2026):

  • Chatbot disclosure: AI-powered chatbots must identify themselves as AI systems to users (unless obviously artificial)
  • AI-generated content labelling: Content substantially generated by AI must be labelled as AI-generated when it could be mistaken for human-created content
  • Deepfake labelling: AI-generated images, audio, and video that depicts real or realistic-looking content must carry a clear disclosure

2. High-Risk Use Case Analysis

This is the critical deployer obligation for GPAI: even if the underlying GPAI model is not itself classified as high-risk, the way you deploy it may create a high-risk AI system. Specific deployment contexts that likely trigger high-risk classification:

  • Using ChatGPT as the sole or primary basis for hiring decisions
  • Using Copilot to generate credit risk assessments without human review
  • Using GPAI for medical diagnosis assistance without qualified oversight
  • Using GPAI to screen benefit applicants in the public sector

For each GPAI integration in your organisation: assess the specific use case against the Annex III categories. If the use case falls within a high-risk category, the full Art. 26 deployer obligations apply — even though the model itself is a GPAI.

Practical Checklist for GPAI Deployers

  1. Map every GPAI tool in use across your organisation (including departmental use of consumer tools)
  2. For each deployment context, assess whether the specific use case creates a high-risk AI system
  3. For consumer-facing GPAI applications: prepare Art. 50 disclosure mechanisms ahead of August 2026
  4. Verify your GPAI provider's Art. 52–55 compliance (request their EU AI Act compliance documentation)
  5. Implement acceptable use policies for employee use of GPAI tools that prevent unauthorised high-risk deployments

FAQ

Q: We use Microsoft 365 Copilot enterprise-wide. Are we compliant by default because Microsoft is responsible?
A: Microsoft bears provider-level obligations under Art. 52–55 for the Copilot model. However, you as deployer are responsible for how Copilot is used in your organisation. If staff use Copilot for high-risk decisions without oversight, that is your compliance responsibility, not Microsoft's.

Q: Our marketing team uses ChatGPT to draft blog posts. Do we need to label these?
A: Under Art. 50 (applicable from August 2026), if the content is substantially AI-generated and could be mistaken for human-authored content, labelling is required. Content substantially edited and augmented by a human author is less clearly required to be labelled. Develop a clear policy for your team before August 2026.