Many companies build products on top of general-purpose AI (GPAI) models like GPT-5, Claude, or Gemini. The EU AI Act creates a specific compliance framework for these models under Article 53.
Who Are GPAI Providers?
GPAI providers are companies that develop and make available general-purpose AI models — OpenAI (GPT), Anthropic (Claude), Google (Gemini), Meta (Llama), etc.
What About Downstream Builders?
If you build on top of a GPAI model, you are a deployer or provider of the downstream AI system. The GPAI obligations fall on the model provider, but you have separate obligations based on what you build.
Key distinction: if you fine-tune a model, you may become a provider yourself.
Article 53 Requirements for GPAI Providers
- Technical documentation following Annex XI
- Information for downstream providers — capabilities, limitations, intended use
- Copyright compliance policy — respect EU copyright law
- Training data summary — publish a detailed summary of training data
Systemic Risk (Article 55)
GPAI models with systemic risk (trained with >10^25 FLOPs) face additional obligations: - Model evaluation including adversarial testing - Risk assessment and mitigation - Incident tracking and reporting - Adequate cybersecurity protections
What This Means for You
If you're building a SaaS product that uses GPT-5 or Claude under the hood: 1. Your GPAI provider handles their Article 53 obligations 2. You handle your own obligations based on what your system does 3. If your system falls under high-risk (e.g., recruitment, credit scoring), you need full compliance 4. You must understand what your GPAI provider's model does and document it
The compliance burden is shared but not delegated.