If your company has put GPT, Claude or Gemini inside a product of its own — a chatbot, an assistant that drafts reports, a scoring tool that helps decide something about a person — you probably assume the AI Act's obligations on these models are OpenAI's, Google's or Anthropic's problem. Partly true. But there is an exact point where that responsibility jumps to your own company, and most SMEs integrating generative AI into their software have never checked it.
This article explains what a GPAI model (or "foundation model") actually is, what its providers must do since 2 August 2025, what the Code of Practice most large labs have signed covers, and — most importantly for thousands of Spanish and European SMEs — when simply building a product on top of GPT, Claude or Gemini turns you, not the lab that trained the model, into a provider with obligations of your own.
In brief: a GPAI model (Art. 3.63 of the Regulation) is a model with enough generality to perform multiple tasks and be integrated into different systems — GPT, Claude, Gemini, Llama, Mistral. Since 2 August 2025 its providers must document it (Annex XI), inform integrators (Annex XII), have a copyright policy and publish a training content summary (Art. 53). Above 1025 FLOPs a model is presumed to carry "systemic risk" and Article 55 obligations are added. The Code of Practice (10 July 2025) was signed by Google, Microsoft, OpenAI, Anthropic and IBM, not Meta. If you only use these models internally, your duty is Article 4 literacy; if you build and sell a product on top of them, Article 25 can make you the provider of your own system — high-risk if it automates decisions about people. The Digital Omnibus postpones none of this.
Does your product integrate GPT, Claude or Gemini and you're not sure if that makes you a provider? Check the AI Act compliance service.
What exactly is a GPAI model ("foundation model")?
Regulation (EU) 2024/1689 defines the general-purpose AI model in Article 3(63) : a model trained with large amounts of data, typically through self-supervision at scale, displaying significant generality and capable of competently performing a wide range of distinct tasks, that can be integrated into a variety of downstream systems. Recital 97 clarifies why this definition exists: to separate the "model" from the "AI system". GPT, Claude or Gemini are models; your chatbot or your applicant-tracking tool are AI systems built using that model, plus an interface and a concrete purpose.
"Foundation model" is the colloquial term; the Regulation uses "general-purpose AI model" (GPAI). It's the same thing: the GPT family from OpenAI, Claude from Anthropic, Gemini from Google, Llama from Meta or Mistral Large, which tens of thousands of European companies — mostly SMEs — use directly or integrate via API into their own products.
What must GPAI providers do since 2 August 2025?
Chapter V of the Regulation (Articles 51-56) entered into application on 2 August 2025 , a year before the bulk of the AI Act. It falls on the model provider — OpenAI, Google, Anthropic, Meta, Mistral AI — not on whoever simply uses it. Article 53 requires four things of every GPAI provider:
Obligation (Art. 53.1) What it involves
Technical documentation Draw up and maintain documentation per Annex XI: architecture, training process, capabilities, limitations.
Information to integrators Provide those building systems on the model with the Annex XII information: what it can and cannot do, how to integrate it safely.
Copyright policy Have a policy respecting Directive (EU) 2019/790, including the text-and-data-mining opt-out.
Training summary Publish a sufficiently detailed summary of training content, using the template the AI Office set on 24 July 2025.
Two nuances rarely explained. Open-source models — publicly available weights and architecture — are exempt from the first two obligations, not from the copyright policy or the training summary; the exemption disappears for systemic-risk models. And Article 111.3 gives a two-year transitional period to models already on the market before 2 August 2025: full compliance required by 2 August 2027 , not overnight.
What is the GPAI Code of Practice and who has signed it?
A voluntary instrument published in final form by the Commission's AI Office on 10 July 2025 . Its function: a GPAI provider who joins and complies gets a presumption of conformity with Articles 53 and 55 under Art. 53.4, while no harmonised standards exist. It's the shortcut the Commission offers to demonstrate compliance without waiting for a formal technical standard.
Uptake has been uneven. Signatories include Google, Microsoft, OpenAI, Anthropic, Amazon and IBM . Meta announced in July 2025 it would not sign , and xAI joined only the safety chapter. This doesn't change your obligations as an integrator, but a non-signatory provider tends to hand you less complete Annex XII documentation — precisely the documentation you'll need if you later have to justify your own system to the AESIA.
Your SME integrates GPT, Claude or Gemini into its product: when do you take on provider obligations?
The answer has two levels worth keeping separate.
Level 1 — Internal use. If your team uses ChatGPT, Copilot or Gemini to draft, summarise or code, without offering that to external clients, you are simply a deployer . Chapter V obligations belong to OpenAI, Microsoft or Google as providers of the model, not to you. Your real obligation, in force since February 2025, is Art. 4: AI literacy for whoever uses these tools.
Level 2 — You build and sell a product on top of the model. Everything changes. Article 25 governs responsibility along the value chain and sets three scenarios where a distributor, deployer or integrator becomes a provider : (a) you put your own name or trademark on an AI system already on the market; (b) you substantially modify it; or (c) — the one that most affects those integrating GPAI — you change the intended purpose of a general-purpose AI system, not classified as high-risk, so that it becomes so .
That third scenario is exactly what thousands of software SMEs do without knowing it. Taking the Claude or GPT-4o API and wrapping it into a CV-screening tool, a credit-scoring tool or an educational assessment tool is not "using AI": it is creating a high-risk Annex III system, and you — not Anthropic or OpenAI — become its provider, with full conformity assessment, your own technical documentation, EU database registration, human oversight and post-market monitoring. Chapter V obligations remain Anthropic's or OpenAI's, over their model ; yours are over your system , and they add up, they don't replace one another.
The fastest way to know where you stand is to mark what your product does in two minutes with the AI Act risk classifier , free and with no sign-up. If you also need to know which other rules — NIS2, DORA, GDPR — apply to your company, the "which regulation applies to me?" wizard answers it in 10 questions. The full breakdown of roles, with a decision tree, is in provider, deployer, importer: who must do what under the AI Act , and what turns a system into Annex III in AI Act risk classification and Annex III explained .
When is a GPAI model considered to carry "systemic risk"?
Article 51.2 sets a presumption: a model carries systemic risk when cumulative training compute exceeds 1025 FLOPs . It's rebuttable before the Commission, and not the only route: the Commission can also designate a model by high-impact capabilities, regardless of compute, and adjust the threshold by delegated act. Providers must notify the Commission (Art. 52) once they reach or expect to reach that threshold; today only a handful of latest-generation models — OpenAI, Google DeepMind, Anthropic, Meta — sit in that range.
Crossing the threshold, Article 55 adds four obligations on top of Art. 53: model evaluation with documented adversarial testing, systemic risk assessment and mitigation at Union level, serious-incident reporting to the AI Office, and adequate cybersecurity. For your SME this is rarely a direct issue, but it explains why documentation from a systemic-risk model tends to be more complete. Check whether your system inherits any extra obligation with the AI Act risk classifier .
Does the Digital Omnibus affect GPAI obligations?
No. The Digital Omnibus on AI — adopted by the Council on 29 June 2026, signed 8 July 2026 (PE-CONS 30/1/26 REV 1) and still pending publication in the EU Official Journal, expected before 2 August 2026 — postpones Annex III (to December 2027) and Annex I (to August 2028). It does not amend a single article of Chapter V: GPAI provider obligations have been in force unchanged since 2 August 2025.
It does introduce an intermediate category between SME and large company — "small mid-cap", up to 750 employees and €150 million turnover — to which some simplification measures now benefiting only SMEs (Art. 99.6) are extended. But that affects high-risk system compliance, not GPAI obligations themselves: Art. 53 applies equally whether you are OpenAI or a Spanish startup training its own model.
What penalties exist for breaching GPAI obligations?
Article 101 lets the European Commission — not the AESIA — fine GPAI providers up to €15 million or 3% of global turnover , whichever is higher, for breaches, failure to provide required information, or obstructing model evaluations. It's a structural difference: Annex III and Article 50 penalties are applied by the national authority — in Spain, the AESIA — while GPAI penalties are handled directly by the Commission, because models operate at Union scale. Its formal enforcement powers over GPAI providers apply from 2 August 2026, even though the substantive obligations have been in force for a year.
If your company, under Article 25, becomes the provider of a high-risk system built on a GPAI model, the penalties you face are no longer Art. 101's but the general Art. 99 ones: up to €35M or 7% of turnover for prohibited practices, up to €15M or 3% for breaching high-risk obligations, with the lower amount applied automatically if you're an SME. The full sanctions regime, with the AESIA as the competent Spanish authority, is covered in AI Act penalties and the AESIA: sanctions regime and who enforces it in Spain .
Quick checklist: what should your SME do depending on how it uses the GPAI model?
How you use the model Your role What to do
Internal use of ChatGPT, Copilot, Gemini Deployer AI literacy (Art. 4). Nothing more.
API integrated into your own product, no automated decisions about people Deployer / Art. 50 transparency Identify the AI to the user and keep the Annex XII information from the provider.
Product sold to third parties that automates an Annex III decision (HR, credit, insurance, education...) Provider of the system (Art. 25.1.c) Risk classification, own technical documentation, EU registration, human oversight. Start with the classifier.
You train your own GPAI model from scratch Provider of the model Full Art. 53 obligations (and 55 if systemic risk). Consider the Code of Practice.
Book a free 30-minute session to check if your AI-powered product makes you a provider →
Frequently asked questions about GPAI and foundation models in the AI Act
Do I need to do anything if I only use ChatGPT or Copilot internally in my SME?
Very little. If your team uses these tools internally, without offering them to clients or automating decisions about people, you are a deployer and the Chapter V obligations fall on OpenAI or Microsoft as providers, not on you. Your real obligation, in force since February 2025, is AI literacy (Art. 4) for whoever uses the tool.
What happens if I integrate the Claude or GPT-4o API into my own product and sell it to clients?
It depends on what your product does. If it informs or assists without automating an Annex III decision (hiring, credit, insurance, education...), you remain a deployer, with Article 50 transparency obligations. But if your product scores candidates or sets a price automatically, Article 25.1.c makes you the provider of a high-risk system, with obligations independent of whatever Anthropic or OpenAI already complies with for its model.
Is it mandatory for a GPAI provider to sign the Code of Practice?
No, it's voluntary. Published by the Commission's AI Office on 10 July 2025, it grants a presumption of conformity with Articles 53 and 55 while no harmonised standards exist. Google, Microsoft, OpenAI, Anthropic and IBM signed it; Meta announced it would not, and xAI joined only the safety chapter.
When is a GPAI model considered to carry systemic risk?
Article 51.2 presumes systemic risk above 10²⁵ FLOPs of cumulative training compute, rebuttable before the Commission. It can also be declared by Commission decision based on high-impact capabilities. Today only a handful of latest-generation models from OpenAI, Google DeepMind, Anthropic or Meta sit in that range. These models add the Article 55 obligations: adversarial testing, risk mitigation, incident reporting and reinforced cybersecurity.
Does the Digital Omnibus delay GPAI obligations?
No. The Digital Omnibus on AI, signed 8 July 2026 and pending publication in the EU Official Journal, postpones Annex III (to December 2027) and Annex I (to August 2028), but does not amend Chapter V. GPAI provider obligations have been in force unchanged since 2 August 2025.
Author: Ángel Ortega Castro · independent consultant in strategy, quality and digitalisation for SMEs.