| The EU AI Act, which entered into force in August 2024, is introducing step-by-step new requirements for providers and operators of AI systems. Since 2 August 2025: From this date, the key provisions for General Purpose AI (GPAI) models apply. Providers of all new GPAI models, as well as existing models that continue to be used or placed on the market, must implement the obligations set forth by the AI Act. Transitional Deadline: For GPAI models already on the market before this date, transitional rules apply until 2 August 2027, provided these models are not fundamentally changed. Key TermsWhat are GPAI models? GPAI models are AI systems that can be used flexibly for multiple general purposes, and are not limited to specific, clearly defined use cases. Well-known examples include large language models or multimodal AI, such as chatbots or generative systems (e.g. GPT-5, CoPilot, etc.). Who is a Provider? Who is a Deployer? Provider: Develops or has a GPAI model developed and places it on the market or puts it into operation under its own name or trademark. Deployer: Uses a GPAI model independently, e.g. within a company, regardless of whether they developed it themselves or obtained it from a third-party provider.Obligations for Providers of GPAI Models The requirements for providers can be summarized as follows:Technical Documentation: Providers must create and keep up-to-date comprehensive technical documentation detailing the model architecture, training data, methods, evaluation results, intended purposes, and make this documentation available to authorities and operators. Transparency and Information Obligations: Clear, understandable user instructions, risk notices, and details on training content must be communicated to downstream operators or system integrators. Copyright Compliance: Providers need to demonstrate compliance with EU copyright requirements concerning the content used for model training and document the respective measures. Publication of a Summary of Training Content: Providers must publish a summary of the content used for training the AI model. Appointment of an Authorized Representative: Providers established in third countries must appoint an authorized representative established in the EU. Additional Requirements for Systemic Risk: GPAI models with particularly high computing power or reach (“systemic risk”) are subject to further compliance requirements, including setting up a risk management system, model evaluations, penetration testing, incident monitoring, notification obligations, and enhanced cybersecurity measures.To support practical implementation of these obligations, the European Commission has published a Code of Practice (“GPAI Code of Practice”). Recommendations for Deployers of GPAI Models Even though explicit obligations mainly affect providers, deployers face significant indirect responsibilities, particularly when GPAI models are used, adapted, or integrated into enterprise systems. Recommended steps for operators:Procurement and Review of Information Actively request all technical documentation, user instructions, and compliance evidence from the provider. Review the risks, limitations, and intended use cases specified by the provider, and document their receipt as well as your internal assessment. Implement Your Own Risk Management Independently assess the risks of using GPAI models in your operational context, especially regarding critical business processes, decision-making, or HR applications. Document your risk assessment (including with regard to data protection impact assessments under the GDPR) and consult external experts if needed. Ensure Responsibility and Purpose Limitation Use GPAI models only as intended and documented by the provider to avoid adopting the role of provider or being reclassified from a regulatory perspective. Train relevant staff on the capabilities and limitations of the model. Establish Monitoring Implement internal monitoring to identify malfunctions, unwanted outputs, or risks at an early stage. Don’t Forget Data Protection and IT Security: Ensure that your GPAI models, applications, and processes harmonize with your existing data protection measures and IT security policies.We are happy to support you with your GPAI compliance! |