GPAI compliance in 2026 means confirming your provider status, completing the four Article 53 duties — technical documentation, downstream information, copyright policy and training data summary — adding Article 55 duties if your model has systemic risk, and being audit-ready before Commission fining powers apply from August 2, 2026.
EU AI Act GPAI Compliance Checklist 2026: Every Obligation in One Place
Why 2026 Is the Pressure Year
The general-purpose AI rules of Regulation (EU) 2024/1689 became applicable on August 2, 2025, but 2026 is when the regime acquires teeth: from August 2, 2026 the Commission can impose fines on GPAI model providers under Article 101 — up to 3 percent of total worldwide annual turnover or 15 million euros, whichever is higher. Providers therefore have a defined window to convert good intentions into inspectable records. This checklist consolidates every GPAI obligation as it stands in mid-2026, in the order a compliance programme should address them.
Step 1: Classify — Are You a GPAI Provider?
- Apply Article 3(63): does the model display significant generality and competently perform a wide range of distinct tasks? The Commission's 2025 guidelines treat training compute above 10^23 FLOPs plus generative capability for language, image or video as indicative.
- Identify the provider entity: who develops the model or has it developed, and places it on the EU market under its own name — including via API, open weights, or models embedded in products reaching EU users.
- Check the modification rule: if you fine-tuned someone else's model, you become a provider only where modification compute exceeds roughly one third of the original training compute; document the comparison either way.
- If established outside the EU, appoint an authorised representative in the Union under Article 54 (waived for qualifying open-source models without systemic risk).
- Record the analysis per model, signed and dated.
Step 2: Determine Your Tier
- Compute check: if cumulative training compute exceeds 10^25 FLOPs, the model is presumed to have systemic risk under Article 51(2).
- Notification: meeting the threshold — or knowing it will be met — triggers notification to the Commission within two weeks under Article 52, with optional rebuttal arguments.
- Designation watch: below the threshold, monitor exposure to designation against the Annex XIII criteria — parameters, dataset size, benchmarks, modalities, business and end-user reach.
- Open-source check: a genuinely free and open-source release with public weights, architecture and usage information, and no monetisation, is exempt from the documentation duties below — unless systemic risk applies.
Step 3: The Four Article 53 Duties
- Technical documentation (Annex XI): model description, tasks and integration types, architecture and parameters, training methodology and design rationale, data type, provenance and curation, compute in FLOPs, energy consumption. Keep current; deliverable to the AI Office on request.
- Downstream information (Annex XII): an integration package for AI system providers — capabilities, limitations, acceptable use, technical integration requirements, instructions for use. Make it actually available, with version-change notices.
- Copyright policy (Article 53(1)(c)): a documented policy covering EU copyright compliance, with identification of and respect for text and data mining opt-outs under Article 4(3) of Directive (EU) 2019/790, including robots.txt and adopted machine-readable protocols, plus output-side safeguards and a rightsholder contact point.
- Training data summary (Article 53(1)(d)): published, using the AI Office template of July 2025 — general information, data source list including main scraped domains, and processing measures. Versioned per model family.
Step 4: Systemic-Risk Additions (Article 55)
- Model evaluation with standardised, state-of-the-art protocols, including documented adversarial testing and red-teaming across the systemic-risk areas.
- Union-level systemic risk assessment and mitigation across the model lifecycle, with a written framework, acceptance criteria and decision gates.
- Serious incident process: intake channels, severity triage against Article 3(49), reporting to the AI Office without undue delay with staged follow-ups, corrective-measure playbooks.
- Cybersecurity: weight protection, access governance, insider-threat controls, interface hardening against extraction, physical infrastructure security, and adversarial assurance.
- Annex XI Section 2: evaluation strategies, results and adversarial testing documented in the technical file.
Step 5: Decide Your Code of Practice Position
The GPAI Code of Practice, published July 10, 2025 with transparency, copyright, and safety and security chapters, is the recognised route for demonstrating compliance under Article 53(4) until harmonised standards arrive. Signatories gain a structured template — including the Model Documentation Form — and a more predictable supervisory relationship. Non-signatories carry the same obligations and should document an equivalent alternative approach. Either way, record the decision and its rationale.
Step 6: Check Your Transition Position
- Models placed on the EU market on or after August 2, 2025: full compliance was due at release.
- Models placed on the market before August 2, 2025: Article 111(3) allows until August 2, 2027 — but a significant modification or new release restarts the analysis at the new date.
- Where historical training data information is genuinely unretrievable for legacy models, disclose the best available information and state the limitation in the training summary.
Step 7: Prepare for Supervision
- Know your supervisor: the AI Office within the Commission holds exclusive supervisory powers over GPAI model providers — information requests (Article 91), model evaluations including via independent experts (Article 92), requests for measures up to restriction, withdrawal or recall (Article 93).
- Dry-run an information request: can you deliver the Annex XI file, evaluation records and copyright evidence within a realistic deadline?
- Align public statements: marketing capability claims, the training summary, the documentation and benchmark submissions must not contradict each other.
- Watch the scientific panel: its qualified alerts under Article 90 can initiate supervision, and its methodologies foreshadow how Article 92 evaluations will be run.
The 2026-2027 Calendar
- August 2, 2025: Chapter V obligations applicable; Code of Practice and AI Office template in force as compliance instruments.
- August 2, 2026: Article 101 fining powers over GPAI providers apply; Article 50 transparency duties for AI systems and the bulk of the high-risk regime also apply, affecting downstream customers who will demand documentation.
- August 2, 2027: end of the transition for pre-August-2025 models; high-risk rules extend to regulated products under Annex I.
Evidence Quality: What Audit-Ready Means
Each checklist item should terminate in an artefact that a stranger could inspect: a dated classification memo, a versioned Annex XI file, a published summary URL, crawl logs demonstrating opt-out compliance, evaluation reports with methodology sections, an incident register even if empty. Three qualities separate strong files from weak ones. Traceability: every figure — compute, dataset sizes, benchmark scores — should be reconstructible from primary records such as experiment trackers and pipeline manifests. Consistency: the public summary, the technical documentation and external statements must agree; supervisors look for deltas first because deltas are cheap to find. Currency: each artefact carries a review date and an owner, because an accurate document about last year's model is a liability, not an asset. Providers who cannot meet this bar across all items should prioritise the publicly visible artefacts — the training summary and copyright contact point — since those generate complaints, then work inward toward the regulator-facing files.
A Concrete Example
A scale-up with one commercial model (API, EU customers, 4 × 10^24 FLOPs) and one open-weights research model runs the checklist in a quarter. Classification: both are GPAI models; the company is the provider of both; no systemic risk. Tier: no notification duty; compute records archived. Article 53: Annex XI files completed from experiment tracking; an Annex XII package added to the developer portal; copyright policy formalised around existing crawler controls; two training summaries published on the template. Open-source check: the research model qualifies for the documentation exemption — licence verified, no monetisation — so only the copyright policy and summary apply to it. Code of Practice: signed. Supervision dry run: a simulated Article 91 request is answered internally in eight working days, and the gaps it exposed — unowned energy-consumption figures, an outdated acceptable-use policy — are fixed before anyone outside the company ever asks.
Action Plan
Run the seven steps in order; they are sequenced so that each produces the inputs the next consumes. Assign one owner for the programme and one per artefact, put the calendar dates in the corporate compliance diary, and repeat the whole loop at every significant model release. GPAI compliance in 2026 is no longer a forecasting exercise — every template, guideline and deadline is published — and the differentiator between providers is now execution, not interpretation.
One final discipline: keep the checklist itself versioned. Guidance evolves — the Commission updates its GPAI guidelines, the AI Office refines templates, harmonised standards will eventually displace the Code of Practice as the conformity benchmark — and a checklist frozen in 2025 quietly accumulates wrong answers. Assign a quarterly review of the regulatory sources behind each step, and log what changed. The cost is an afternoon; the alternative is rediscovering a moved deadline through an enforcement letter. Keep the change log next to the checklist itself, so each quarterly pass starts from what moved rather than from scratch.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.