Quick answer

GPAI compliance in 2026 means confirming your provider status, completing the four Article 53 duties — technical documentation, downstream information, copyright policy and training data summary — adding Article 55 duties if your model has systemic risk, and being audit-ready before Commission fining powers apply from August 2, 2026.

Updated June 2026 · MmowW AI Compliance

EU AI Act GPAI Compliance Checklist 2026: Every Obligation in One Place

Why 2026 Is the Pressure Year

The general-purpose AI rules of Regulation (EU) 2024/1689 became applicable on August 2, 2025, but 2026 is when the regime acquires teeth: from August 2, 2026 the Commission can impose fines on GPAI model providers under Article 101 — up to 3 percent of total worldwide annual turnover or 15 million euros, whichever is higher. Providers therefore have a defined window to convert good intentions into inspectable records. This checklist consolidates every GPAI obligation as it stands in mid-2026, in the order a compliance programme should address them.

Step 1: Classify — Are You a GPAI Provider?

Step 2: Determine Your Tier

Step 3: The Four Article 53 Duties

Step 4: Systemic-Risk Additions (Article 55)

Step 5: Decide Your Code of Practice Position

The GPAI Code of Practice, published July 10, 2025 with transparency, copyright, and safety and security chapters, is the recognised route for demonstrating compliance under Article 53(4) until harmonised standards arrive. Signatories gain a structured template — including the Model Documentation Form — and a more predictable supervisory relationship. Non-signatories carry the same obligations and should document an equivalent alternative approach. Either way, record the decision and its rationale.

Step 6: Check Your Transition Position

Step 7: Prepare for Supervision

The 2026-2027 Calendar

Evidence Quality: What Audit-Ready Means

Each checklist item should terminate in an artefact that a stranger could inspect: a dated classification memo, a versioned Annex XI file, a published summary URL, crawl logs demonstrating opt-out compliance, evaluation reports with methodology sections, an incident register even if empty. Three qualities separate strong files from weak ones. Traceability: every figure — compute, dataset sizes, benchmark scores — should be reconstructible from primary records such as experiment trackers and pipeline manifests. Consistency: the public summary, the technical documentation and external statements must agree; supervisors look for deltas first because deltas are cheap to find. Currency: each artefact carries a review date and an owner, because an accurate document about last year's model is a liability, not an asset. Providers who cannot meet this bar across all items should prioritise the publicly visible artefacts — the training summary and copyright contact point — since those generate complaints, then work inward toward the regulator-facing files.

A Concrete Example

A scale-up with one commercial model (API, EU customers, 4 times 10^24 FLOPs) and one open-weights research model runs the checklist in a quarter. Classification: both are GPAI models; the company is provider of both; no systemic risk. Tier: no notification duty; compute records archived. Article 53: Annex XI files completed from experiment tracking; an Annex XII package added to the developer portal; copyright policy formalised around existing crawler controls; two training summaries published on the template. Open-source check: the research model qualifies for the documentation exemption — licence verified, no monetisation — so only the copyright policy and summary apply to it. Code of Practice: signed. Supervision dry run: a simulated Article 91 request is answered internally in eight working days, and the gaps it exposed — unowned energy-consumption figures, an outdated acceptable-use policy — are fixed before anyone outside the company ever asks.

Action Plan

Run the seven steps in order; they are sequenced so that each produces the inputs the next consumes. Assign one owner for the programme and one per artefact, put the calendar dates in the corporate compliance diary, and repeat the whole loop at every significant model release. GPAI compliance in 2026 is no longer a forecasting exercise — every template, guideline and deadline is published — and the differentiator between providers is now execution, not interpretation.

One final discipline: keep the checklist itself versioned. Guidance evolves — the Commission updates its GPAI guidelines, the AI Office refines templates, harmonised standards will eventually displace the Code of Practice as the conformity benchmark — and a checklist frozen in 2025 quietly accumulates wrong answers. Assign a quarterly review of the regulatory sources behind each step, and log what changed. The cost is an afternoon; the alternative is rediscovering a moved deadline through an enforcement letter. Keep the change log next to the checklist itself, so each quarterly pass starts from what moved rather than from scratch.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.