In November 2025, the European Commission enacted the “Guidelines on the scope of the obligations for providers of general-purpose AI models established by Regulation (EU) 2024/1689 (AI Act)”, with the aim of explaining how the Commission interprets the AI Act rules for general-purpose AI models, especially the obligations that began applying from 2 August 2025. The guidelines are non-binding, but they describe the Commission’s intended approach to supervision and enforcement.
EU - European Commission – Guidelines on the scope of the obligations for providers of general-purpose AI models established by Regulation (EU) 2024/1689 (AI Act)
Anno 2025
The guidelines clarify who must comply with the AI Act’s general-purpose AI model rules, which models are covered, when a model has systemic risk, how open-source exceptions work, and how the Commission will enforce the rules. It is mainly aimed at AI model developers, downstream integrators, open-source model publishers, and companies outside the EU that make models available in the Union. The document focuses on four topics: (1) what counts as a general-purpose AI model, (2) who is the provider placing it on the EU market, (3) which open-source models benefit from exceptions, and (4) how compliance will be enforced. It also confirms that providers must prepare documentation for regulators and downstream providers, adopt a policy to comply with EU copyright law, and publish a summary of the content used for training.
1. What counts as a general-purpose AI model
According to the definition given by the AI Act, A model is treated as a general-purpose AI model if it displays significant generality, can competently perform a wide range of distinct tasks, and can be integrated into many downstream systems or applications. The Commission gives an indicative criterion: a model is likely to be a general-purpose AI model if it uses more than 10²³ FLOP of training compute and can generate language, whether text or speech, or can generate text-to-image or text-to-video outputs. However, this is not an absolute rule. A model above the threshold may fall outside scope if it only performs a narrow task, such as speech transcription, speech synthesis, image upscaling, image inpainting, chess, weather modelling, or sound-effect generation. Conversely, a model below the threshold could still be in scope if it genuinely has broad capabilities.
The notion of the lifecycle of a model also plays a fundamental role for the obligation of providers of general-purpose AI models, because obligations such as documentation, copyright compliance policies, public training-content summaries, and systemic-risk assessment must be maintained throughout the lifecycle of the model. The guidelines define the model lifecycle broadly, as beginning at the start of the large pre-training run. Later development by the same provider, such as fine-tuning, distillation, quantisation, or merging, is generally treated as part of the same model lifecycle rather than as a new model.
The guidelines explain that a general-purpose AI model is presumed to have systemic risk if it is trained using more than 10²⁵ FLOP of cumulative compute. The Commission may also designate a model as systemic-risk based on other criteria, even if the compute threshold is not the only relevant factor. Providers of such models must comply with additional obligations, including:
- Risk assessment: continuously assess and mitigate systemic risks;
- Model evaluation: conduct evaluations, including adversarial testing where relevant;
- Incident reporting: report serious incidents;
- Cybersecurity: ensure adequate cybersecurity protection for the model and infrastructure;
- Notification: notify the Commission when the systemic-risk threshold is met or expected to be met.
Moreover, the guidelines provide an Annex describing how providers should estimate training compute to determine whether thresholds are met. It distinguishes between:
- Hardware-based approach, estimating compute from number of GPUs or hardware units, duration of use, peak theoretical performance, and utilisation;
- Architecture-based approach, estimating compute from the model architecture and number of operations during training
For dense transformer language models, the guidelines give the approximation: C ≈ 6 × P × D, where P is the number of model parameters and D is the number of training tokens.
The guidelines also describe how providers can contest classification as systemic-risk by presenting arguments that demonstrate their model does not or will not have high-impact capabilities, especially in cases where this feature is presumed by the EU Regulation.
2. Who is the provider of GPAI models
The guidelines state that a provider is the actor that develops, or has developed, a general-purpose AI model and places it on the EU market under its own name or trademark. Providers outside the EU are also covered if they place a general-purpose AI model on the EU market, and they generally need an authorised representative in the Union. The guidelines interpret the concept of “placing on the market” broadly. A model can be placed on the EU market through a software library, API, direct download, public repository, cloud service, physical copy, installation on customer infrastructure, integration into a chatbot, integration into a mobile app, or use in internal processes that are essential to providing a product or service to third parties or affect people’s rights in the EU. A model integrated into an AI system can also be treated as placed on the market when that system is made available in the EU. This prevents upstream model providers from avoiding obligations simply because the model reaches EU users through a downstream system.
The Commission does not treat every modification as creating a new provider obligation. Instead, the downstream modifier becomes a provider when the modification significantly changes the model’s generality, capabilities, or systemic risk. The guidelines give an indicative threshold: a downstream modifier is likely to become the provider if the compute used for modification is greater than one third of the training compute of the original model. If the original compute is unknown and cannot be estimated, replacement thresholds are used: one third of 10²⁵ FLOP for systemic-risk models, or one third of 10²³ FLOP for other general-purpose AI models. If the original model is already a systemic-risk model and the downstream actor modifies it enough to become the provider, the modified model is presumed to be a systemic-risk model too.
3. Open-source exceptions
The guidelines explain the scope of exceptions provided for some models released under free and open-source licences. If the conditions are met and the model is not a systemic-risk model, the provider is exempt from some transparency-related obligations and from the obligation for third-country providers to appoint an authorised representative. However, open-source providers are not exempt from having a policy to comply with EU copyright law and publishing a summary of the content used for training. The relevant exceptions apply only if the model is released under a licence that allows access, use, modification, and distribution; if the model is not monetised in the relevant sense; and if its parameters, including weights, architecture information, and usage information, are publicly available.
The Commission gives also detailed guidance on what counts as monetisation and its impact on the open-source status of the GPAI model. The concept of monetisation includes paid commercial licences, required paid support, paid access through a hosting platform, or access that depends on processing personal data for commercial or financial gain. By contrast, optional paid services that do not affect free access or usability of the model may still be compatible with the open-source exception. The document also states that transactions between microenterprises are not treated as monetisation for this purpose.
4. How compliance will be enforced
The guidelines state that the Commission has exclusive competence to enforce Chapter V obligations for providers of general-purpose AI models and its implementation is entrusted to the European Artificial Intelligence Office. The Commission’s powers include requesting information, conducting model evaluations, requiring mitigation measures, requesting model recall from the market, and imposing fines. Fines for breaches of general-purpose AI model obligations may reach 3% of global annual turnover or EUR 15 million, whichever is higher, starting from 2 August 2026.
The obligations for providers of general-purpose AI models apply from 2 August 2025. For models placed on the market before that date, providers must take the necessary steps to comply by 2 August 2027. The Commission also states that older model providers are not required to conduct retraining or unlearning where that is impossible, unavailable, or disproportionately burdensome, but they must disclose and justify such limitations in their copyright policy and training-content summary.
Finally, the guidelines clarify that only the Court of Justice of the EU can give an authoritative interpretation of the AI Act.
The guidelines are available at the following link and in the download box.
Marta Fasan, UNITN
Pubblicato il: Mercoledì, 19 Novembre 2025 - Ultima modifica: Mercoledì, 13 Maggio 2026
