isofy

← Blog

EU AI Act GPAI Rules Explained: What Foundation Model Providers Must Do

EU AI Act 10 min read 2026-03-18

Written by S.M

Reviewed by Mel M.

Why GPAI Rules Matter

The EU AI Act introduced a dedicated regime for general purpose AI models, often called foundation models. This matters even if your company does not build end user applications directly. If you provide a general purpose model or place one on the EU market, you may have direct obligations.

Baseline GPAI Provider Obligations

For general purpose models, providers are expected to maintain technical documentation and provide information needed by downstream integrators. The framework also includes obligations around copyright related compliance and transparency on training data summaries.

In practice, this means model providers need structured documentation discipline, not only model cards for marketing.

Systemic Risk Layer for the Most Capable Models

When a general purpose model reaches systemic risk thresholds, obligations increase. Providers are expected to run deeper evaluations, address risk through testing and mitigation, support incident reporting, and maintain cybersecurity safeguards proportionate to model capability and impact.

This tier is designed to address broad societal and market risk, not only single application errors.

What Application Companies Should Ask Their Model Vendors

Even when you are not the base model provider, your own compliance depends on vendor evidence. You should request:

Contract and Procurement Implications

Procurement language needs to evolve. Contracts should include obligations to provide compliance documentation, support regulator inquiries, and notify material risk changes. If this is missing, legal and delivery teams inherit unmanaged exposure.

Building an Internal GPAI Governance Track

Create a separate governance lane for foundation model use. That lane should include vendor onboarding checks, approval criteria by risk level, and periodic reassessment of model suitability for each business process.

Final Takeaway

The EU AI Act GPAI framework shifts model governance from informal trust to evidence based accountability. Providers and adopters that build documentation and monitoring discipline now will be better positioned for regulatory scrutiny and enterprise scale adoption.