Quick answer

Documentation requirements for general-purpose AI models.

Updated June 2026 · MmowW AI Compliance

GPAI Model Cards: What the EU AI Act Requires

Overview

Documentation requirements for general-purpose AI models. What must be included in model cards and technical documentation. These obligations take effect on August 2, 2026, alongside Article 50 transparency requirements.

GPAI Model Classification

The EU AI Act introduces a two-tier system for general-purpose AI models. All GPAI models must meet baseline obligations including technical documentation, transparency toward downstream providers, copyright compliance, and an EU-published summary of training data.

Models that pose systemic risk — determined by computational power exceeding 10^25 floating point operations (FLOPs) or by Commission designation — face additional obligations including adversarial testing, incident reporting, cybersecurity measures, and energy consumption reporting.

Baseline Obligations for All GPAI Models

Every GPAI model provider must prepare and maintain technical documentation covering the model's architecture, training methodology, data sources, computational resources, and known limitations. This documentation must be made available to the AI Office upon request.

Providers must share sufficient technical information with downstream AI system providers to enable them to understand the model's capabilities, limitations, and integration requirements. This enables downstream providers to meet their own obligations.

Copyright compliance requires providers to put in place a policy to comply with EU copyright law, particularly the text and data mining opt-out mechanism. Providers must also make publicly available a sufficiently detailed summary of training data content.

Additional Obligations for Systemic Risk Models

GPAI models classified as posing systemic risk must undergo adversarial testing (red teaming) to identify and mitigate risks. Testing must cover foreseeable misuse scenarios, capability boundaries, and potential for harm at scale.

Providers must report serious incidents to the AI Office without undue delay, implement appropriate cybersecurity protections, and track and report the model's energy consumption during training and inference.

Codes of Practice

The AI Office is developing codes of practice for GPAI model providers. Following these codes creates a presumption of conformity with the relevant obligations. Providers who choose not to follow the codes must demonstrate equivalent compliance through alternative means.

Open-Source Considerations

GPAI models released under open-source licences benefit from reduced obligations — primarily limited to the training data summary and copyright compliance policy. However, if an open-source model is classified as posing systemic risk, the full systemic risk obligations apply regardless of the licence.

Enforcement

The EU AI Office has direct enforcement authority over GPAI model providers. Penalties for GPAI violations can reach up to €35 million or 7% of worldwide annual turnover for systemic risk failures, and up to €15 million or 3% for other GPAI obligation violations.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.