Art. 51 EU AI Act: classifying a GPAI model as systemic risk
Art. 51 sets out when a general-purpose AI model is classified as having systemic risk. A model crosses into the systemic-risk category when it has high-impact capabilities, which is presumed once the cumulative compute used to train it exceeds 10^25 floating-point operations (FLOP), or when the Commission designates it as such. Systemic-risk classification triggers the additional obligations of Art. 55 on top of the baseline Art. 53 obligations that apply to every GPAI provider.
What Art. 51 does
The EU AI Act regulates general-purpose AI at the level of the model, not the system. Chapter V creates a tiered regime: every providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → of a general-purpose AI modelgeneral-purpose AI modelEU AI Act term for a model displaying significant generality and capable of many distinct tasks, typically integrated into downstream systems; carries its own obligation set, with extra duties for models posing systemic risk.Open full entry → carries the baseline obligations of Art. 53, and a smaller group whose models reach a higher capability bar carries the additional, heavier obligations of Art. 55. Art. 51 is the gate between the two tiers. It defines when a GPAI model is classified as a general-purpose AI model with systemic risksystemic riskEU AI Act category for the most capable general-purpose models (presumed above a training-compute threshold), triggering extra duties: evaluations, adversarial testing, incident reporting, cybersecurity.Open full entry →.
The two routes into systemic risk
A model is classified as systemic risk by either of two routes.
The first is high-impact capabilities. A model has systemic risk if it has high-impact capabilities, evaluated using appropriate technical tools, methodologies, and benchmarks. Art. 51(2) attaches a presumption to this: a model is presumed to have high-impact capabilities when the cumulative amount of compute used for its training, measured in floating-point operations, exceeds 10^25 FLOP. This compute threshold is the practical trigger that captures the current frontier of the most advanced models.
The second is Commission designation. Independently of the compute presumption, the Commission can designate a model as having systemic risk on the basis of the criteria in Annex XIII, where it has capabilities or impact equivalent to those captured by the threshold. This route lets the regime catch a model that poses systemic risk for reasons other than raw training compute.
The threshold is not fixed
The 10^25 FLOP threshold is a presumption, not an immovable line. Art. 51(3) empowers the Commission to amend the thresholds and to supplement the benchmarks and indicators by delegated act, so that the classification keeps pace with technological change. As training becomes more efficient, the same capability frontier can be reached at lower compute, so the threshold can be lowered over time to continue capturing only the genuinely most capable models. A provider whose model exceeds the compute threshold can also contest the systemic-risk presumption by demonstrating that, despite the compute, the model does not have high-impact capabilities matching the most advanced models.
Why it matters
Systemic-risk classification is consequential because it is the line that separates the baseline GPAI regime from the frontier-model regime. Below the line, a provider carries the Art. 53 obligations: technical documentation, downstream transparencytransparencyOpenness about the fact that AI is used and how it operates in general: disclosures, documentation, notices. Pairs with explainability, which addresses individual outcomes.Open full entry →, a copyright policy, and a public summary of training content. Above the line, the provider additionally carries the Art. 55 obligations: model evaluation and adversarial testing, systemic-risk assessment and mitigation, serious-incident reporting to the AI Office, and cybersecurity protection for the model. For most organisations the practical relevance is indirect: the foundation models they build on are typically provided by the small group of companies whose models cross this threshold, which means those models are subject to systematic safety evaluation by law.
In the GovCompass-7
Art. 51 is primarily an accountabilityaccountabilityThe principle that a named human or organization answers for an AI system's outcomes, through ownership, documentation, audit trails and redress — never the system itself.Open full entry → provision: it determines which party carries which set of model-level obligations. The systemic-risk regime it gates also reaches into the security and robustnesssecurity and robustnessThe principle that an AI system resists attack, manipulation and adversarial or unexpected input. The vectors include data poisoning, model extraction, membership inference and prompt injection; the controls are ML security testing and a hardened data-and-model pipeline.Open full entry → and the safety and reliability pillars, because the Art. 55 obligations it triggers are about evaluating, mitigating, and securing against model-level risk.