EU AI Act GPAI Rules: What AI Startups Must Know in 2026
The EU AI Act's General Purpose AI chapter is already enforceable — and it applies to companies that build, fine-tune, or distribute foundation models, not just the hyperscalers. Here's what the rules actually require and who they catch.
Who the GPAI Chapter Actually Targets
The EU AI Act's Chapter V on General Purpose AI is aimed primarily at the companies that train and release the underlying models — not at every startup that calls an API. The Act defines a GPAI model provider as an entity that trains a model and makes it available to others, either as an API, downloadable weights, or integrated into a product that third parties can then build on.
If you are a startup that calls OpenAI, Anthropic, or Google's APIs to power your features, you are generally a deployer of GPAI — not a GPAI provider. The compliance obligations that fall on OpenAI, Anthropic, and Google as GPAI providers are theirs to meet. Your obligations come from the AI system you build on top.
The catch: if you fine-tune a foundation model and distribute the resulting model for others to use — even open-source — you become a GPAI provider yourself and inherit the full set of documentation and transparency obligations.
The Two Tiers of GPAI Obligation
The Act splits GPAI models into two groups with different compliance burdens:
All GPAI Model Providers
Both tiers must do this
- ☐Maintain technical documentation of the model (training data, architecture, capabilities, limitations)
- ☐Publish a summary of training data — including sources — sufficient for copyright compliance
- ☐Implement a copyright takedown policy for requests from rights holders
- ☐Make technical documentation available to downstream providers who integrate the model
- ☐Register the model in the EU GPAI model database (once operational)
Systemic-Risk GPAI Models (Add These)
Models above 10²⁵ FLOPs training compute
- ☐Conduct and document model-level adversarial testing (red-teaming)
- ☐Report serious incidents and near-misses to the European AI Office
- ☐Implement technical safeguards against the highest systemic risks
- ☐Cooperate with the AI Office on ongoing capability evaluation
- ☐Maintain enhanced cybersecurity standards for model and infrastructure
The Copyright Summary Requirement Is the Sneaky One
Every GPAI model provider must publish a summary of the content used to train the model "with sufficient detail to enable right holders to exercise their rights under EU copyright law." This requirement is already live. It exists because the Act recognizes that large-scale training on scraped web data creates copyright exposure — and it requires transparency so that rights holders can decide whether to pursue claims.
The practical implication: if you've trained or fine-tuned a model on a curated dataset and you plan to make that model available to others, you need a training data summary that lists the major sources, data categories, and any opt-outs or exclusions you applied. The AI Office is developing templates, but waiting for the template is not a strategy — "we scraped the web" is not going to be sufficient detail.
Open Source Doesn't Mean Off the Hook
One of the most common misconceptions is that releasing a model as open source exempts it from GPAI obligations. It doesn't — at least not fully. Open-source GPAI model providers benefit from a partial carve-out: they are exempt from the transparency and documentation obligations for downstream users only if the model's weights are publicly released under a free and open-source license.
However, the copyright training data summary and copyright policy requirements apply to open-source providers as well. And systemic-risk models are not exempt from any obligations regardless of their license terms.
If you're releasing a fine-tuned Llama or Mistral derivative, you need to think about your training data provenance — not just your model license.
What the GPAI Code of Practice Means for You
The European AI Office convened a GPAI Code of Practice process in 2025, bringing together model providers, researchers, and civil society to develop the specific technical standards GPAI providers must meet. Participation in the Code of Practice creates a presumption of compliance — regulators treat adherence as fulfilling the Act's requirements.
For large frontier model providers, signing the Code is nearly mandatory as a practical matter. For startups that only fine-tune or build on top of these models, the Code doesn't apply directly — but understanding what it requires from your upstream model providers helps you know what documentation to request from them as a downstream integrator.
What Startups That Use GPAI Models Need to Do
If you integrate a GPAI model into your product — calling the API or embedding a model into your application — your obligations come from the AI system you deploy, not the GPAI chapter. But there are knock-on effects from GPAI compliance that matter to you as a downstream user:
Request the technical documentation
GPAI providers must share their technical documentation with downstream system providers. If you're building a regulated application (hiring, credit, health) on top of a GPAI model, you'll need this documentation to complete your own high-risk AI system conformity assessment. Ask your model vendor for it now — before you're in a procurement or regulatory conversation.
Understand your risk classification from upstream capabilities
If the GPAI model you rely on has been designated systemic risk by the AI Office, that doesn't automatically make your product high-risk — but the system-level risks the model poses affect your own risk assessment. A model flagged for generating deceptive synthetic media creates different risk dynamics for your product than a model flagged for general reasoning capability.
Watch for model version changes
GPAI providers must document significant modifications to their models. When your vendor releases a new model version, your high-risk AI system documentation may need to be updated. Build a process to track when your upstream model changes materially — it's not just a product decision, it's a compliance event.
Preserve your own transparency chain
Downstream deployers must still tell users when they are interacting with AI. Even if your model vendor is a fully compliant GPAI provider, the end-user-facing transparency obligations are yours. Your vendor's compliance doesn't substitute for yours.
Frequently Asked Questions
We fine-tuned Llama for our own internal product. Are we a GPAI provider?
Probably not. If you fine-tune a model for use solely within your own product — and you don't make the fine-tuned model itself available to third parties — you are a system deployer, not a GPAI model provider. The GPAI obligations attach to distributing the underlying model, not to using a model to build a product. However, your product may still be a high-risk AI system depending on what it does.
We're releasing an open-source fine-tune for the research community. What obligations apply?
You'd be a GPAI model provider with partial open-source relief. You'd still need to publish a copyright training data summary and implement a copyright takedown policy. You'd be partially exempt from the downstream-user documentation requirements if you release under a free open-source license. Systemic risk obligations don't apply unless your model crosses the compute threshold — which open-source fine-tunes typically don't.
We're an EU-based startup that only calls OpenAI via API. What GPAI rules apply to us?
None directly — OpenAI is the GPAI provider; you are the downstream system deployer. Your obligations come from what your AI system does (risk tier, transparency disclosures, deployment documentation). The practical question is whether your system is high-risk based on its use case, not based on which model powers it.
How does the AI Office enforce GPAI obligations?
The European AI Office is the central supervisor for GPAI models across the EU — unlike high-risk AI systems, which are supervised by member-state national competent authorities. The AI Office can conduct evaluations, request model access, demand documentation, and impose fines of up to €15M or 3% of global turnover for non-compliant GPAI providers. Enforcement focus is currently on the largest systemic-risk models.
Know Whether You're a Provider or a Deployer
The most important GPAI compliance question for any AI startup is whether you are building on top of GPAI models or distributing them. Building on top means your compliance burden is about your system, not the underlying model. Distributing — even open-source — means you've taken on the provider obligations and need training data documentation now.
Most AI startups are deployers, not providers, and that's the easier compliance path. But the line blurs fast when you fine-tune and release. Get that classification right before you ship — the obligations are very different on each side of it.