Article 53 of the EU AI Act imposes four obligations on every provider of a general-purpose AI model: maintain technical documentation, supply information to downstream providers, adopt a copyright compliance policy, and publish a summary of training content. These obligations have applied since August 2, 2025.
EU AI Act Article 53: The Four Core Obligations for GPAI Model Providers
What Article 53 Covers
Article 53 sits at the heart of Chapter V of Regulation (EU) 2024/1689, the EU AI Act. While most of the regulation addresses AI systems, Chapter V regulates the models underneath them — general-purpose AI (GPAI) models such as large language models, image generators, and multimodal foundation systems. Article 53 lists the baseline obligations that apply to every provider of a GPAI model placed on the EU market, regardless of whether the model presents systemic risk.
The obligations took effect on August 2, 2025, twelve months after the regulation entered into force. They apply in addition to — not instead of — the stricter requirements in Article 55 that apply only to GPAI models classified as presenting systemic risk under Article 51. Models placed on the market before August 2, 2025 benefit from a transition period and must comply by August 2, 2027 under Article 111(3).
Obligation 1: Technical Documentation (Article 53(1)(a))
Providers must draw up and keep up to date technical documentation of the model, including its training and testing process and the results of its evaluation. The minimum content is set out in Annex XI. It includes a general description of the model — the tasks it is intended to perform, the types of AI systems into which it can be integrated, applicable acceptable use policies, release date and distribution methods, architecture and number of parameters, input and output modalities, and licence terms.
Annex XI also requires a description of the training process: the methodologies and techniques used, the key design choices and assumptions, what the model is optimising for, information on the data used for training, testing and validation (including type, provenance and curation methodologies), the computational resources used measured in floating point operations, and known or estimated energy consumption. This documentation is not public. It must be provided, upon request, to the AI Office and to national competent authorities.
Obligation 2: Information for Downstream Providers (Article 53(1)(b))
Providers must prepare and make available documentation to providers of AI systems who intend to integrate the GPAI model into their own products — so-called downstream providers. The minimum content is listed in Annex XII. The purpose is twofold: to enable downstream providers to understand the capabilities and limitations of the model, and to enable them to comply with their own obligations under the regulation, for example when their system qualifies as high-risk.
Annex XII information covers the model description plus technical details on how the model can be integrated: instructions for use, infrastructure requirements, modalities, and information on the data used where relevant. Providers may protect trade secrets and confidential business information, but they cannot use confidentiality as a reason to withhold the categories of information Annex XII requires.
Obligation 3: Copyright Policy (Article 53(1)(c))
Every provider must put in place a policy to comply with Union law on copyright and related rights. The policy must, in particular, identify and respect reservations of rights expressed by rightsholders under Article 4(3) of Directive (EU) 2019/790 — the text and data mining opt-out. In practice, this means honouring machine-readable signals such as robots.txt entries and other recognised opt-out protocols when crawling and assembling training corpora. Recital 106 makes clear that this expectation applies regardless of where the training actually took place: a provider cannot avoid the copyright policy obligation by training outside the EU and then placing the model on the EU market.
Obligation 4: Public Training Data Summary (Article 53(1)(d))
Providers must draw up and make publicly available a sufficiently detailed summary of the content used for training the model. The summary must follow the template published by the AI Office in July 2025. Unlike the technical documentation, this summary is public-facing. It does not require disclosure of every dataset or document, but it must give rightsholders and the public meaningful insight into the broad categories and main sources of training content.
Who Must Comply
The obligations fall on providers of GPAI models: entities that develop a model, or have one developed, and place it on the EU market under their own name or trademark, whether for payment or free of charge. This includes providers established outside the EU. Under Article 54, third-country providers must appoint an authorised representative established in the Union before placing a GPAI model on the EU market — although this requirement does not apply to providers of qualifying open-source models without systemic risk.
There is an important partial exemption in Article 53(2). Providers of models released under a free and open-source licence — where the parameters, including weights, the architecture, and usage information are made publicly available — are exempt from the technical documentation and downstream information obligations. However, the copyright policy and the training data summary apply to all GPAI providers, including open-source ones, and the exemption disappears entirely if the model is classified as presenting systemic risk.
Practical Compliance Steps
A workable Article 53 programme typically follows this sequence:
- Confirm whether your model meets the GPAI definition in Article 3(63) and whether you are the provider placing it on the EU market.
- Map your documentation against Annex XI field by field and close the gaps, paying particular attention to training data provenance and compute estimates.
- Prepare an Annex XII information package for downstream customers, and decide how it will be delivered — model card, developer documentation portal, or contractual annex.
- Adopt a written copyright policy covering crawl-time opt-out compliance, licensing arrangements, and complaint handling, and assign an owner for it.
- Complete the AI Office training data summary template and publish it on your website alongside the model release.
- Decide whether to adhere to the GPAI Code of Practice published in July 2025, which Article 53(4) recognises as a way to demonstrate compliance until a harmonised standard is published.
Relationship with Article 55 and the Code of Practice
Article 53 is the floor, not the ceiling. If a model qualifies as a GPAI model with systemic risk — presumed where cumulative training compute exceeds 10 to the power of 25 floating point operations, or following a Commission designation — Article 55 adds further duties: state-of-the-art model evaluations including adversarial testing, assessment and mitigation of systemic risks at Union level, serious incident tracking and reporting, and adequate cybersecurity protection. Providers below that threshold can concentrate on the four Article 53 duties.
The GPAI Code of Practice, finalised in July 2025, translates Article 53 into operational commitments through its transparency and copyright chapters. Signing the Code is voluntary, but Article 53(4) recognises adherence as a means of demonstrating compliance until harmonised standards exist, and the Commission has indicated that signatories benefit from a more predictable supervisory relationship with the AI Office. Providers that choose not to sign must still meet the same legal obligations and should expect to explain their alternative compliance approach.
Common Pitfalls
Three failure patterns appear repeatedly in early compliance reviews. First, treating a marketing-grade model card as Annex XI documentation: the annex requires specifics on training methodology, data provenance, compute and energy that most public model cards omit. Second, neglecting the downstream information duty because customers have not asked: Article 53(1)(b) requires the information to be available to downstream providers proactively, and enterprise customers building high-risk systems will increasingly demand it contractually. Third, publishing a training summary that does not follow the AI Office template — a freestyle data statement, however sincere, does not satisfy Article 53(1)(d).
A Concrete Example
Consider a mid-sized European company releasing a 13-billion-parameter language model through an API and a paid enterprise licence. It is a GPAI provider, and because the model is monetised it cannot rely on the open-source exemption. Before launch, it assembles Annex XI documentation internally, publishes developer documentation aligned with Annex XII, adopts a copyright policy that respects robots.txt and other opt-out signals for future crawls, and publishes the training content summary using the AI Office template. Because its training compute is far below 10 to the power of 25 FLOPs, Article 55 systemic-risk duties do not apply.
Action Plan
If you provide a GPAI model to EU customers, treat August 2, 2025 as the date your obligations began and August 2, 2026 as the date Commission fining powers under Article 101 become applicable. Start with a gap assessment against Annex XI and Annex XII, publish the training summary, formalise the copyright policy, and document every step. Providers that already maintain serious model cards and data governance records usually find that most of the raw material exists — the work lies in structuring it to match the regulation.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.