· 9 min read · Compliance & Law
What providers of general-purpose and frontier AI models must document, disclose, and monitor under the EU AI Act.
What Counts as General-Purpose AI
A general-purpose AI model is one trained on a broad range of data that can be adapted to many different tasks, which describes most large language and multimodal models. The EU AI Act treats these models as a distinct category because the same base model can be built into many downstream systems, so obligations attach to the model provider as well as to the deployers who use it. A subset of these models is treated as carrying systemic risk, presumed when the training compute crosses a very high threshold measured in floating-point operations, and this subset carries heavier duties.
The Core GPAI Obligations
Technical Documentation
A provider must prepare and keep up to date technical documentation of the model, covering its design, training and testing, so that the AI Office and downstream providers can understand what the model is and how it behaves.
Information for Downstream Providers
A provider must give the teams that build systems on top of the model the information they need to meet their own obligations, including the model's capabilities and limitations.
Copyright Policy
A provider must put in place a policy to respect European Union copyright law, including the ability to honour a rightsholder's reservation of rights from text and data mining.
Public Summary of Training Content
A provider must publish a sufficiently detailed summary of the content used to train the model, following the template provided by the AI Office. This is one of the most closely watched transparency duties in the Act.
Additional Duties for Systemic-Risk Models
A model with systemic risk carries further obligations: model evaluation including adversarial testing, assessment and mitigation of systemic risks, reporting of serious incidents to the AI Office, and an adequate level of cybersecurity for the model and its physical infrastructure.
The GPAI Code of Practice
Because the harmonised standards that will eventually define detailed compliance are still being developed, the European Commission and the AI Office worked with stakeholders to publish a GPAI Code of Practice. Signing and following the Code is voluntary, and it gives providers a recognised way to show they are meeting the Act's requirements in the interim. It is a practical bridge between the text of the law and the day-to-day evidence a provider needs to produce.
Timelines That Matter
The EU AI Act entered into force in August 2024 and applies in stages. The bans on certain prohibited practices took effect in February 2025. The obligations for general-purpose AI models began to apply from August 2025. Most high-risk system obligations follow from August 2026, with some transitional periods running later. Providers should map their model or system to the stage that applies to it rather than treating the Act as a single deadline.
How Bidda Maps GPAI Obligations
Bidda represents the EU AI Act obligations as source-verified nodes, with crosswalks to ISO/IEC 42001 and the NIST AI Risk Management Framework so a provider can reuse one body of evidence across frameworks. Because parallel rules are emerging elsewhere, such as the California frontier AI transparency law, the registry lets a provider compare the European obligations against other jurisdictions from a single reference point, with every claim traceable to its primary source.
Frequently Asked Questions
What is general-purpose AI under the EU AI Act?A general-purpose AI model is one trained on a broad range of data that can be adapted to many tasks, which covers most large language and multimodal models. The Act places obligations on the provider of such a model in Chapter V, separate from the obligations on the deployers who build systems on top of it.
When did the GPAI obligations start to apply?The obligations for general-purpose AI models began to apply from August 2025, following the Act's entry into force in August 2024 and the earlier application of the prohibited-practice bans in February 2025. Most high-risk system obligations follow from August 2026.
What is the GPAI Code of Practice?It is a voluntary tool developed by the European Commission and the AI Office with stakeholders, giving providers of general-purpose AI models a recognised way to demonstrate compliance with the Act while the detailed harmonised standards are still being finalised.
What extra obligations apply to systemic-risk models?A general-purpose model presumed to carry systemic risk, based on a very high training-compute threshold, must carry out model evaluation including adversarial testing, assess and mitigate systemic risks, report serious incidents to the AI Office, and maintain an adequate level of cybersecurity for the model and its infrastructure.