Key facts
- GPAI provider obligations are separate from high-risk AI system obligations.
- Core requirements: technical documentation and respecting copyright in training data.
- Models with systemic risk face additional safety, security and reporting duties.
- Adhering to the GPAI Code of Practice is a recognised way to demonstrate compliance.
- Most organisations are GPAI deployers, not providers, and are not directly subject to these obligations.
Core obligations for all GPAI providers
All GPAI providers must maintain technical documentation describing the model's capabilities, limitations and training process, and must implement a policy to respect EU copyright law in relation to the data used to train the model.
Additional obligations for systemic-risk models
A small number of the most capable GPAI models are classed as presenting systemic risk. Providers of these models face additional obligations: model evaluation, adversarial testing, tracking and reporting serious incidents, and ensuring adequate cybersecurity protection.
How the Code of Practice helps
Adhering to the voluntary GPAI Code of Practice gives providers a recognised, pre-agreed way to demonstrate compliance with these obligations, reducing the burden of proving compliance through bespoke means.
Relevance to most organisations
Most businesses are deployers of tools built on GPAI models, not GPAI providers themselves, and are not directly subject to these specific obligations — though understanding them helps when assessing a supplier's compliance posture during due diligence.
Frequently asked questions
What are the core obligations for GPAI providers?
Maintaining technical documentation and respecting copyright law in relation to training data.
What additional obligations apply to systemic-risk GPAI models?
Model evaluation, adversarial testing, incident tracking and reporting, and adequate cybersecurity protection.
How can a GPAI provider demonstrate compliance?
By adhering to the voluntary GPAI Code of Practice, among other means.
Do most businesses need to meet GPAI provider obligations?
No — most businesses are deployers of GPAI-based tools, not providers of the underlying models.
Why should a deployer care about GPAI provider obligations?
Understanding them helps when assessing a supplier's compliance posture during vendor due diligence.
Related pages
Sources
Last updated 19 June 2026.