GovCompass
Knowledge base
GuideAccountabilityHuman oversight

GPAI integration as a deployer: ChatGPT, Copilot, and EU AI Act

By Michel Venniker· · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Deployers using GPAI models like ChatGPT or Copilot are generally not subject to the provider obligations of Art. 52-55, but two frameworks do apply: the Art. 50 transparency obligations and a high-risk use-case analysis. If the way you deploy the GPAI creates a high-risk AI system under Annex III, the full Art. 26 deployer obligations apply.

Updated: June 2026

Introduction: GPAI is everywhere

General purpose AI (GPAI) models, ChatGPT, Microsoft Copilot, Google Gemini, Claude, and others, have become embedded in the daily workflows of most Dutch organisations. Staff use them for drafting, analysis, code generation, customer service, and dozens of other applications. Many organisations have Microsoft 365 Copilot integrated enterprise-wide, or use OpenAI's API for custom applications.

Understanding what the EU AI Act requires of deployers using GPAI is essential, and reassuringly, the obligations are generally lighter than for high-risk AI systems. But they are not zero.

The regulatory position of GPAI models

GPAI models are regulated primarily through Art. 52–55 of the EU AI Act, which creates obligations for model providers (OpenAI, Microsoft, Google, Anthropic). As a deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry → of GPAI tools, you benefit from your providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry →'s compliance with these obligations but are not directly subject to Art. 52–55 obligations yourself.

However, two frameworks do apply to GPAI deployers:

1. Art. 50 transparency obligations

Art. 50 applies to deployers who use GPAI systems in consumer-facing applications. Key requirements (in force from 2 August 2026):

  • Chatbot disclosure: AI-powered chatbots must identify themselves as AI systems to users (unless obviously artificial)
  • AI-generated content labelling: Content substantially generated by AI must be labelled as AI-generated when it could be mistaken for human-created content
  • DeepfakedeepfakeAI-generated or manipulated audio, image or video that convincingly depicts real people or events that did not occur; subject to labelling duties under the EU AI Act's transparency tier.Open full entry → labelling: AI-generated images, audio, and video that depicts real or realistic-looking content must carry a clear disclosure

2. high-risk use case analysis

This is the critical deployer obligation for GPAI: even if the underlying GPAI model is not itself classified as high-risk, the way you deploy it may create a high-risk AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry →. Specific deployment contexts that likely trigger high-risk classification:

  • Using ChatGPT as the sole or primary basis for hiring decisions
  • Using Copilot to generate credit risk assessments without human review
  • Using GPAI for medical diagnosis assistance without qualified oversight
  • Using GPAI to screen benefit applicants in the public sector

For each GPAI integration in your organisation: assess the specific use case against the Annex IIIAnnex IIIThe EU AI Act's list of high-risk use-case areas — biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice.Open full entry → categories. If the use case falls within a high-risk category, the full Art. 26 deployer obligations apply, even though the model itself is a GPAI.

Practical checklist for GPAI deployers

  1. Map every GPAI tool in use across your organisation (including departmental use of consumer tools)
  2. For each deployment context, assess whether the specific use case creates a high-risk AI system
  3. For consumer-facing GPAI applications: prepare Art. 50 disclosure mechanisms ahead of August 2026
  4. Verify your GPAI provider's Art. 52–55 compliance (request their EU AI Act compliance documentation)
  5. Implement acceptable use policies for employee use of GPAI tools that prevent unauthorised high-risk deployments

FAQ

Q: We use Microsoft 365 Copilot enterprise-wide. Are we compliant by default because Microsoft is responsible?
A: Microsoft bears provider-level obligations under Art. 52–55 for the Copilot model. However, you as deployer are responsible for how Copilot is used in your organisation. If staff use Copilot for high-risk decisions without oversight, that is your compliance responsibility, not Microsoft's.

Q: Our marketing team uses ChatGPT to draft blog posts. Do we need to label these?
A: Under Art. 50 (applicable from August 2026), if the content is substantially AI-generated and could be mistaken for human-authored content, labelling is required. Content substantially edited and augmented by a human author is less clearly required to be labelled. Develop a clear policy for your team before August 2026.

Legal referencesArt. 50Art. 52Art. 26

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

More on Human oversight

Art. 14 EU AI Act: designing high-risk AI for human oversight

Reference

Art. 14 requires providers to design and build high-risk AI systems so that they can be effectively overseen by humans during use. The system must let an overseer understand its capabilities and limits, watch for anomalies, resist automation bias, correctly interpret outputs, decide not to use the system, and intervene or stop it through a kill switch (Art. 14(4)(e)). It is the design obligation that makes the deployer oversight duty of Art. 26.2 possible.

Art. 26.2 EU AI Act: human oversight of high-risk AI

Reference

Art. 26.2 requires deployers to ensure that the people assigned to oversee a high-risk AI system have the competence, training, and authority to do so effectively. Valid oversight is substantive, not formal: the overseer must understand the system, be trained on its limitations, and hold genuine authority to override its outputs.

Art. 27 EU AI Act: Fundamental Rights Impact Assessment (FRIA)

Reference

Art. 27 requires certain deployers, public bodies and private deployers in defined sectors such as credit and insurance, to conduct a Fundamental Rights Impact Assessment (FRIA) before deploying a high-risk AI system, examining the impact on fundamental rights and the mitigation measures.

Art. 4 EU AI Act: AI literacy obligations for organisations

Reference

Art. 4 has required organisations since 2 February 2025 to ensure a sufficient level of AI literacy among staff who operate or use AI systems, proportionate to the system and the role. It applies to all AI use, not only high-risk systems, and must be demonstrable.