General-purpose AI — GPAI — is the category the EU AI Act added to address the rise of large, broadly capable models such as the large language models behind today’s most prominent AI products. A general-purpose AI model is one that displays significant generality and is capable of competently performing a wide range of distinct tasks, regardless of how it is released or later built into downstream systems. Because these models sit upstream of countless applications, the Act gives them their own regime, distinct from the risk-tier rules that govern AI systems.
Why GPAI needed its own rules
The original risk-based structure of the AI Act was designed around AI systems built for a defined purpose, where the use case determines the risk. General-purpose models broke that logic: a single model can be used for translation, drafting, code generation, and analysis, with risk depending entirely on the downstream application. Regulating only the downstream systems would have left the powerful upstream models unaddressed, so the Act introduced obligations that attach to the model itself and to its provider.
The two tiers of GPAI
The Act distinguishes between general-purpose AI models in general and those that pose systemic risk. All GPAI providers face a baseline set of obligations. A subset — the most capable models, identified by criteria including the scale of computational resources used in training — are deemed to carry systemic risk and face additional, stricter duties. This two-tier structure mirrors the proportionality principle running through the whole regulation: greater capability and reach bring greater responsibility.
Baseline obligations for all GPAI providers
Every provider of a general-purpose AI model must prepare and maintain technical documentation of the model, including its training and testing process and evaluation results. It must provide information and documentation to downstream providers who integrate the model, so they in turn can understand its capabilities and meet their own obligations. It must put in place a policy to respect EU copyright law, and it must publish a sufficiently detailed summary of the content used to train the model. These duties make the upstream model more transparent to everyone who builds on it.
Additional duties for systemic-risk models
Providers of models deemed to pose systemic risk take on further obligations. They must perform model evaluations, including adversarial testing to identify and mitigate risks; assess and mitigate possible systemic risks; track, document, and report serious incidents; and ensure an adequate level of cybersecurity for the model and its physical infrastructure. The reasoning is that highly capable models can have society-wide effects, so their providers must actively probe for and contain the dangers they might create.
What this means for downstream integrators
Most organisations are not GPAI providers — they are downstream users who build a product on top of someone else’s model. For them, the key consequences are twofold. First, when they integrate a GPAI model into their own AI system, that system is governed by the ordinary risk-tier rules, and they typically become its provider or deployer. Second, they are entitled to receive documentation from the model provider, and they should actively use it: understanding the model’s capabilities, limits, and intended use is part of meeting their own obligations.
Copyright and training data transparency
Two of the baseline GPAI duties — the copyright policy and the training-data summary — reflect a wider European concern about how these models are built. Providers must respect rights reservations expressed by content owners and must publish a summary of training content detailed enough for legitimate interests, such as those of rightsholders, to be exercised. For downstream users, this transparency is useful diligence: it sheds light on the provenance of the model they are relying on.
GPAI versus high-risk AI
It is important not to confuse the GPAI regime with the high-risk regime. A general-purpose model is not automatically high-risk; the categories address different things. GPAI rules govern the upstream model and its provider, focusing on documentation, transparency, and — for the most capable — systemic-risk management. The high-risk rules govern specific downstream uses in sensitive domains. A product can involve a GPAI model and also be a high-risk system, in which case both sets of rules are relevant to different parties.
Codes of practice
To help providers meet the GPAI obligations before detailed standards are finalised, the Act envisions codes of practice developed with industry and other stakeholders. Adhering to an approved code is a way for providers to demonstrate compliance in the interim. For organisations choosing which model to build on, a provider’s engagement with such codes is a useful signal of how seriously it takes its obligations.
What organisations should do
Even organisations that only consume GPAI should take concrete steps: identify which models their products rely on, obtain and read the provider’s documentation, confirm how the model’s use maps onto their own provider or deployer duties, and factor the model’s transparency and copyright posture into vendor selection. Innopulse helps DACH companies place their GPAI-based products correctly within the AI Act — distinguishing what the model provider is responsible for from what the organisation itself must do as it brings an AI product to market.
Conclusion
General-purpose AI models occupy a special place in the EU AI Act because they sit upstream of so many applications. The Act imposes baseline obligations on all GPAI providers — documentation, downstream information, copyright policy, and a training-data summary — and stricter duties on the most capable, systemic-risk models. For the many organisations that build on these models rather than create them, the practical task is to use the provider’s documentation well and to understand how integrating a general-purpose model turns their own product into something the AI Act governs.