ROMEOADVANCED ACADEMY

Lesson 5 of 5 · The EU AI Act for Non-Lawyers

GPAI, the timeline, and what to do this week

The rules for foundation-model providers. The dates that are already in force and the ones still to come. And a 30-day personal compliance checklist you can use whatever your role.

35 minutes · Reading, calendar, and checklist · No tools required

By the end of this lesson, you will:

  • Understand the separate rules that govern general-purpose AI models, including the "systemic risk" tier.
  • Know the staggered enforcement timeline — what is already in force and what is coming.
  • Have a concrete, signed 30-day plan for your own organisation's AI Act compliance.

General-purpose AI models (GPAI)

Sitting on top of the four-tier risk pyramid is a separate regulatory pillar for general-purpose AI models — the foundation models that underpin many specific AI systems. GPAI rules came into force on 2 August 2025. They apply to model providers, not to systems built on top of the models, and they have two levels.

Baseline GPAI obligations

Every provider of a general-purpose AI model placed on the EU market must:

  • Draw up and maintain technical documentation of the model, including its training and testing process.
  • Provide information and documentation to downstream providers who integrate the model into their systems.
  • Put in place a policy to comply with EU copyright law (including respect for opt-outs in the text and data-mining exception).
  • Publish a sufficiently detailed summary of the content used to train the model.

The provision on training-data summaries is the one that has had the loudest reception. The European AI Office is responsible for a template; providers are expected to use it.

Providers of free, open-source GPAI models get a partial carve-out from the documentation and downstream-information duties, provided the parameters, model architecture, and information on use are publicly available — but the copyright and training-data-summary duties still apply.

GPAI with systemic risk

A subset of GPAI models — those judged to have "systemic risk" — face heavier obligations. The Act presumes systemic risk when the cumulative compute used for training exceeds 10^25 floating-point operations (FLOPs); the European Commission can also designate models as systemic-risk by other criteria. Systemic-risk providers must additionally:

  • Conduct model evaluations including adversarial testing.
  • Assess and mitigate systemic risks.
  • Report serious incidents and corrective measures to the AI Office.
  • Ensure adequate cybersecurity protection of the model and its physical infrastructure.

In practice, the largest commercial models from OpenAI, Anthropic, Google, Meta, and several Chinese labs fall into this category. The 10^25 FLOPs threshold catches roughly the frontier of current commercial models; the Commission has indicated it will adjust the threshold as compute trends evolve.

The Code of Practice

For practical implementation, providers can sign the General-Purpose AI Code of Practice, drafted under the supervision of the AI Office in 2024–2025. Signing the Code is voluntary but is treated by the Act as a presumption of compliance with the corresponding obligations. Many of the major model providers have signed it.

The timeline

The Act entered into force on 1 August 2024, but its substantive provisions take effect on a staggered timeline. Here is what has already happened and what is coming. (Always double-check against the official text for any specific compliance decision.)

Enforcement dates

1 August 2024  — Act enters into force.

2 February 2025 — Prohibited practices (Lesson 2, Tier 1) take effect.
                 AI literacy obligations for providers and deployers take effect.

2 August 2025  — GPAI provisions take effect.
                 Governance bodies (national authorities, AI Office, AI Board) operational.
                 Penalties regime fully active.

2 August 2026  — High-risk system obligations under Annex III take effect for new systems.
                 Most provider duties from Lesson 3 become enforceable.
                 Deployer duties from Lesson 4 become enforceable.

2 August 2027  — High-risk system obligations for systems regulated under Annex I
                 product-safety regimes take effect.
                 GPAI models placed on the market before August 2025 must comply.

So as of today (mid-2026): the prohibitions are in force, the AI literacy duties are in force, the GPAI rules are in force, and the rest of the high-risk regime is about to take effect. Most of the substantive provider and deployer duties from Lessons 3 and 4 become enforceable on 2 August 2026. If you are reading this in the run-up to that date, the next two months are when most organisations should be closing remaining gaps.

The AI Office, the AI Board, national authorities

Three governance bodies enforce the Act in practice. The European AI Office, based in the European Commission, is the central body for GPAI rules and for cross-border issues. The European Artificial Intelligence Board brings together representatives of Member States to coordinate national enforcement. Each Member State designates one or more national competent authorities, typically split between a "market surveillance authority" (which enforces) and a "notifying authority" (which oversees conformity-assessment bodies).

For most practical purposes, your relevant national authority is the body you would interact with first. The Commission publishes a directory; check it.

What to do this week

A 30-day personal compliance checklist. Pick the items that apply to your role; ignore the rest.

Week 1 — Map and triage

□ List every AI system your organisation builds, buys, or uses. Use the
   employment, education, services, biometrics categories from Lesson 2 as
   prompts. Don't forget the small ones — Copilot-style assistants, the
   chatbots on your customer-facing site, internal-only tools.

□ For each, assign a role: provider / deployer / both. If you operate
   foundation models, also: GPAI provider.

□ For each, assign a tier: prohibited / high-risk / limited-risk / minimal.
   Where uncertain, flag for review.

□ Identify any prohibited use immediately. If something on the list looks
   like one of the eight prohibited practices, stop using it (or get
   urgent legal advice).

Week 2 — Provider gaps (if you are one)

□ For each high-risk system you provide, work through the nine obligations
   from Lesson 3. Score each as Done / In progress / Not started.

□ Identify the highest-priority gap. If your conformity assessment is not
   done, that is almost always the bottleneck.

□ Schedule a working session with engineering and legal to draft the
   technical documentation outline (Annex IV).

□ If you build on top of a GPAI model, request the downstream
   documentation pack from your model provider. They must supply it.

Week 3 — Deployer gaps (if you are one)

□ For each high-risk system you deploy, walk the seven deployer duties
   from Lesson 4.

□ Check whether Article 27 (FRIA) applies to your organisation. If yes,
   ensure a FRIA exists for each in-scope deployment.

□ Audit your human-oversight set-up. Are the people doing the oversight
   trained, authorised, and resourced?

□ Where you have re-branded, materially modified, or repurposed a
   high-risk system: assess whether you have become a provider. If yes,
   escalate.

Week 4 — Build the standing capability

□ Designate an AI-Act owner in your organisation — typically Legal,
   Compliance, or DPO, with a named technical counterpart.

□ Add the AI Act to your risk register and review cadence.

□ Build the post-market monitoring and incident-reporting workflow.
   Pre-draft the templates so you are not writing them at 2am after
   an incident.

□ Run AI-literacy training for all staff who deploy or use the systems.
   AI-literacy duties (Article 4) are already in force, applying broadly.

□ Diary the next review — quarterly, at minimum.

Aside · The compliance posture that scales

Most organisations that do AI Act compliance well treat it as a programme, not a project. The first wave is intensive: discovery, classification, gap analysis, remediation. After that, it should resemble your existing GDPR or ISO 27001 operating rhythm: a register, owners, periodic reviews, an incident playbook, a training schedule. If your AI Act work feels permanent and frantic, you are still in the project phase; if it feels like background hygiene, you are in the programme phase. The aim is the second.

Useful sources

Two resources to bookmark and revisit.

  • The EUR-Lex consolidated text of the Act — the official source. Articles, recitals, and annexes are all there. eur-lex.europa.eu
  • The European AI Office page on the European Commission's site — guidance, templates, and the latest on the Code of Practice. Search "European AI Office".

For specific questions, the unofficial EU AI Act Explorer (artificialintelligenceact.eu) is well-organised and frequently updated, though not authoritative. Use it as a navigator, then verify against EUR-Lex before relying on a clause.

What we covered

Five lessons. Why the Act exists and who it affects. The four risk tiers in detail. The provider's nine duties. The deployer's seven. The GPAI pillar, the timeline, and a 30-day plan for your own organisation. You should now be able to read the Act, understand what it is asking of you, and know which questions are yours to answer and which to send to a lawyer.

Self-check

  1. What is the difference between a baseline GPAI model and a systemic-risk GPAI model?
  2. When do most high-risk obligations actually become enforceable?
  3. What is the Code of Practice for, and what does signing it mean?
  4. What is the first thing on your 30-day plan that you have not yet started?