3.4 — General-Purpose AI (GPAI) and Foundation Models
General-Purpose AI (GPAI) models receive dedicated rules under the EU AI Act, recognizing that foundation models and large language models present unique challenges that do not fit neatly into the risk-based classification of AI systems. GPAI rules create a two-tier system: baseline obligations for all GPAI models, and additional obligations for models posing systemic risk.
A GPAI model is defined as an AI model — including when trained with large amounts of data using self-supervision at scale — that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market. This covers large language models, multimodal models, and other foundation models.
| Obligation | All GPAI Models | Systemic Risk Models |
|---|---|---|
| Technical Documentation | Required — including model architecture, training methodology, evaluation results | Required — enhanced detail including safety evaluations |
| EU Copyright Law Compliance | Required — must comply with text and data mining rules, respect opt-outs | Required |
| Training Data Summary | Required — publish sufficiently detailed summary of training content | Required |
| Model Evaluation (Red-Teaming) | Not required | Required — standardized model evaluation including adversarial testing |
| Systemic Risk Assessment | Not required | Required — identify, assess, and mitigate systemic risks |
| Incident Reporting | Not required | Required — report serious incidents to the AI Office |
| Cybersecurity Protections | Not required | Required — ensure adequate level of cybersecurity protection |
| Codes of Practice | May follow to demonstrate compliance | May follow; presumption of conformity if followed |
| Open-Source Exemptions | Exempted from some requirements (tech docs, copyright summary) unless systemic risk | No exemptions — full obligations apply regardless of licensing |
The systemic risk threshold is set at 10^25 FLOPs (floating-point operations) of cumulative compute used for training. Models at or above this threshold are presumed to have systemic risk. The AI Office can also designate models below this threshold as having systemic risk based on other criteria such as the number of registered end users, the model's impact on the internal market, or its reach.
The AI Office (established within the European Commission) oversees GPAI compliance. Codes of practice are being developed in collaboration with GPAI providers and other stakeholders to provide detailed guidance on how to meet GPAI obligations. The first codes were expected by May 2025.
Free and open-source GPAI models have partial exemptions: they are not required to provide full technical documentation or a detailed training data summary, unless they pose systemic risk. However, all GPAI models — including open-source — must comply with copyright rules and prohibited practice restrictions.
Remember the systemic risk compute threshold: 10^25 FLOPs (10 to the power of 25). This is a frequently tested number. Also: open-source exemptions do NOT apply to systemic risk models. And: GPAI providers are NOT the same as high-risk AI system providers — GPAI has its own separate regulatory regime under the Act.