Guide
GPAI Provider Obligations: What They Mean for Your Vendor Stack
Articles 51 to 55 of Regulation (EU) 2024/1689 govern general-purpose AI models. Provider obligations went live 2 August 2025; systemic-risk thresholds use a 10²⁵ FLOPs training-compute marker. Deployers do not have direct GPAI obligations, but every vendor product built on a GPAI foundation model carries those obligations downstream — and a vendor whose GPAI sub-supplier is non-compliant transfers regulatory exposure to you.
TL;DR. Articles 51 to 55 of Regulation (EU) 2024/1689 govern general-purpose AI models. Provider obligations went live 2 August 2025; systemic-risk thresholds use a 10²⁵ FLOPs training-compute marker. Deployers do not have direct GPAI obligations, but every vendor product built on a GPAI foundation model carries those obligations downstream — and a vendor whose GPAI sub-supplier is non-compliant transfers regulatory exposure to you.
1. The two-layer structure of GPAI obligations
The EU AI Act treats general-purpose AI as a distinct regulatory object from AI systems. A GPAI model is defined in Article 3(63) as one that displays significant generality, can perform a wide range of distinct tasks, and can be integrated into a variety of downstream systems or applications. A GPAI system (Article 3(66)) is a system based on a GPAI model.
This separation creates a two-layer structure:
| Layer | Object | Article anchor | Who is regulated |
|---|---|---|---|
| Foundation | GPAI model (parameters, capabilities) | Art. 51-55 | The model provider (OpenAI, Anthropic, Google, Meta, Mistral, etc.) |
| Application | GPAI system / AI system | Art. 6, Art. 50, etc. | The system provider (your SaaS vendor) and the deployer (you) |
Most enterprise procurement happens at the application layer. Procurement teams negotiate with the SaaS vendor, not with the GPAI foundation provider. But the GPAI provider's compliance posture is a load-bearing input to the application's compliance — and to yours.
For the broader framing, see the EU AI Act Third-Party Risk pillar.
2. What Article 53 actually requires of GPAI providers
Article 53 obligations on GPAI model providers (live since 2 August 2025) include:
| Obligation | Citation | What it produces |
|---|---|---|
| Technical documentation of model | Art. 53(1)(a) + Annex XI | Model card, training methodology, evaluation results |
| Information provided to downstream providers | Art. 53(1)(b) + Annex XII | Capabilities, limitations, integration guidance |
| Copyright compliance policy | Art. 53(1)(c) | Statement on training-data IP handling, opt-out respect |
| Training-data summary (sufficiently detailed) | Art. 53(1)(d) | Public summary aligned with EU AI Office template |
| EU authorised representative (non-EU providers) | Art. 54 | Designated EU-based contact |
Open-source GPAI providers are partially exempt from Art. 53(1)(a) and (b) under Art. 53(2), provided the model is released under a free and open-source licence and parameters/weights are publicly available — but the copyright policy and training-data summary obligations remain.
Article 53(1)(b) is the load-bearing one for your vendor stack. The downstream-information obligation forces the GPAI provider to make available to your vendor the documentation needed for your vendor to comply with its own obligations — including everything your vendor needs to enable you, the deployer, to comply with Article 26.
3. Systemic-risk GPAI — the higher tier
Article 51 designates a GPAI model as systemic-risk where:
- Its capabilities are equivalent to or exceed those of the most advanced GPAI models (Art. 51(1)(a)), assessed via benchmarks and indicators per the EU AI Office; OR
- The Commission designates it under Art. 51(1)(b) based on technical, scale or impact criteria.
Article 51(2) introduces a presumption: a model trained with total compute greater than 10²⁵ floating-point operations is presumed to have high-impact capabilities. As of writing, this captures most frontier models.
Article 55 imposes additional obligations on systemic-risk GPAI providers:
- Model evaluation per state-of-the-art protocols, including adversarial testing (Art. 55(1)(a))
- Assessment and mitigation of systemic risks (Art. 55(1)(b))
- Tracking and reporting of serious incidents and corrective measures (Art. 55(1)(c))
- Adequate cybersecurity protection (Art. 55(1)(d))
For your vendor stack: a vendor whose system depends on a systemic-risk GPAI inherits a more demanding documentation flow. The Art. 55(1)(c) incident-tracking obligation in particular is what produces the structured incident records your vendor should be able to pass through to you under Art. 26(5).
4. How GPAI obligations propagate to you
The propagation chain has four hops:
- GPAI provider → your vendor (Art. 53(1)(b)). Your vendor receives Annex XII information from the model provider.
- Your vendor's classification (Art. 6, Art. 25). Your vendor decides whether the system based on the GPAI is high-risk (Annex III), limited-risk (Art. 50), or minimal. This classification depends on intended purpose and reasonably foreseeable misuse.
- Your vendor → you (Art. 13, Art. 26). Your vendor must give you instructions for use, accuracy/robustness/cybersecurity information, and the human-oversight measures you must implement.
- Your deployer obligations (Art. 26). You operate the system per instructions, assign oversight, retain logs ≥ 6 months, conduct FRIA where applicable.
Every hop is a potential break point. The most common failure modes:
| Break point | Symptom | Procurement test |
|---|---|---|
| GPAI provider not in EU AI Office register | No Art. 53 documentation surfaced | Ask vendor for the GPAI model card and the public training-data summary |
| Vendor opaque about which GPAI is used | "We use frontier LLMs" without naming | Require named identification per deployment region |
| Vendor classifies its own system as minimal-risk where Annex III applies | Light or absent Article 13 information | Independently classify per Annex III procurement cluster |
| No incident-flow contract clause | Vendor cannot commit to passing through Art. 55(1)(c) reports | Contract clause requiring 72-hour vendor-to-deployer incident relay |
5. The GPAI register and where to verify
Article 71 establishes an EU database for high-risk AI systems. Article 52 separately requires GPAI providers to notify the Commission. The EU AI Office maintains identifiers and information per the implementing acts.
For each GPAI dependency in your vendor stack, the verification list is:
- Model identifier (family, version, parameter scale where disclosed)
- Provider legal entity and EU representative (Art. 54 if non-EU)
- Whether designated systemic-risk under Art. 51
- Public training-data summary URL
- Copyright policy URL
- Evaluation reports under Art. 55(1)(a) where applicable
- Adherence to Code of Practice on GPAI (Art. 56) — voluntary but strongly weighted in supervisory assessment
A vendor who cannot provide the first six items within their Article 13 instructions for use is, in effect, asking you to inherit unverified Art. 53 / Art. 55 exposure.
6. Open-weight, on-prem, and self-hosted GPAI
Three deployment modes change the propagation analysis:
Open-weight model run by your vendor as part of their service
Article 53(2) reduces (does not eliminate) GPAI provider documentation duties. The vendor that downloads weights and integrates them into a service is making a deployment-time integration choice — they typically take on system-provider obligations under Art. 25, and may be treated as the substantive provider for Art. 26 information flow.
Self-hosted GPAI by your organization
If your organization downloads weights and runs the GPAI in-house, you may shift roles: still a deployer toward the original model provider, but a system-provider toward your internal users. Art. 25 substantial-modification rules apply if you fine-tune.
GPAI behind a private API (e.g. private deployment of frontier model)
Common in regulated DACH banks and insurers. The deployment locality changes the Art. 26(4) input-data analysis (less third-country transfer concern under GDPR), but it does not change the Art. 53 documentation flow — that follows the model, not the network path.
For comparison of how generic TPRM platforms handle these distinctions, see the PartnerScope vs Drata comparison.
7. Article 26 deployer obligations driven by GPAI choices
The deployer obligations under Article 26 do not change based on whether the underlying engine is a GPAI. But the practical work-product changes substantially:
| Art. 26 requirement | GPAI-driven specifics |
|---|---|
| 26(1) Use per instructions | GPAI integration usually carries narrower system-card use restrictions than the marketing claims; reconcile carefully |
| 26(2) Human oversight | Output-validation workflow on hallucination is the realistic Art. 14 control surface for GPAI-backed systems |
| 26(4) Input data | Prompt content is input data; PII redaction at the prompt boundary is now in scope |
| 26(5) Logs ≥ 6 months | Conversation logs, prompt/response pairs, system-prompt evolutions |
| 26(7) Worker information | Particularly relevant when GPAI-backed AI is used in employment Annex III(4) contexts |
| 27 FRIA | GPAI capability creep is a foreseeable-misuse vector and must be modelled |
8. Frequently asked questions
Are deployers regulated under Articles 51 to 55? No. Articles 51 to 55 regulate GPAI model providers. Deployers carry obligations under Article 26 plus, where applicable, Article 27, Article 50, and worker-information rules. But the deployer's compliance depends materially on the GPAI provider's compliance through the Article 13 information flow.
What is the 10²⁵ FLOPs threshold and does it move? Article 51(2) presumes high-impact capability above 10²⁵ floating-point operations of total training compute. The Commission can adjust this via delegated acts (Art. 51(3)) as the technological frontier advances. Treat the number as the floor of what is currently caught, not the permanent boundary.
My vendor uses a closed-source frontier model and refuses to disclose the model name. What now? Refusal to identify the underlying GPAI is incompatible with Article 13(3)(b) instructions for use. The vendor cannot give you the information you need to perform Article 26(2) human oversight without you knowing what the system actually is. Treat this as a contract gating issue.
Does the GPAI Code of Practice (Article 56) replace Article 53 obligations? No. The Code of Practice is a co-regulation instrument. Adherence is voluntary but creates a presumption of compliance with parts of Article 53. The legal obligations remain in Article 53 itself.
Where does the 13-dimension scorecard cover GPAI exposure? Dimension 10 (AI use disclosure) and Dimension 11 (EU AI Act risk tier) capture GPAI dependency and tier classification respectively. Every PartnerScope assessment surfaces the named GPAI dependency and flags systemic-risk status where present.
CTA
Run a free 60-second EU AI Act Snapshot at partnerscope.eu to classify your vendor's GPAI dependencies and surface Article 53/55 documentation gaps. Or read the complete pillar guide.
Try PartnerScope
Run a free 60-second EU AI Act Snapshot — classifies your vendor's AI under the Act and produces a starter scorecard before any commitment.