GPAI Obligations Explained: What Articles 53 and 55 Actually Require
The EU AI Act's GPAI provisions — Article 53 (baseline obligations on all general-purpose AI model providers) and Article 55 (additional obligations for systemic-risk models) — affect every enterprise that integrates LLMs into a downstream product. The provisions matter even if you're not the model provider. Here's what they require, who they catch, and the sovereign-deployment advantage.
When we run EU AI Act readiness sessions at enterprise customers, the question that derails the conversation most often is whether the customer is a "provider" of GPAI under Articles 53 and 55. The plain reading suggests not: they're not Meta, Anthropic, OpenAI or Mistral; they don't train and release foundation models. The more careful reading is that the obligations sometimes flow downstream in ways that catch enterprises off guard. Two months ago I was in a session with the General Counsel of an EU enterprise that had fine-tuned an open-weights Llama model on its internal documents and deployed it to its 40,000 employees as a productivity tool. The GC's question was whether the fine-tuning made them a GPAI provider under Article 53. The honest answer is "probably, for the fine-tune." The GC was not pleased. The GPAI provisions matter even if you're not the model provider in the way most people think of that role.
What Article 53 actually requires
Article 53 imposes four obligations on every general-purpose AI model provider. One: technical documentation of the model, made available to the AI Office and national authorities on request — and to downstream providers integrating the model. Two: documentation of training data sources sufficient to satisfy the EU's copyright-compliance expectations. Three: a public summary of training data. Four: a policy for compliance with EU copyright law, including measures to respect text-and-data-mining opt-outs. These obligations apply to anyone who "places on the market" a general-purpose AI model in the EU — which includes commercial release, open release, and deployment to a substantial user base within the EU.
When fine-tuning makes you an Article 53 provider
The hard question. Recital 97 and the related guidance make clear that fine-tuning a general-purpose AI model can produce a new general-purpose AI model — and the entity that performs the fine-tune becomes a provider of that new model. The threshold for "substantial modification" of a GPAI model is lower than most enterprises assume. Significant fine-tuning of the base model (not just LoRA adapters), instruction-tuning that changes the model's behavioural profile, or any tuning that creates a derivative model the enterprise then makes available to a substantial downstream audience can all trigger provider status for the fine-tuner. The remediation: keep the fine-tuning narrow, document the base model's compliance status from its provider, and produce the Article 53 documentation for the fine-tune itself.
Article 55 — when systemic risk obligations attach
Article 55 adds obligations for general-purpose AI models with systemic risk. The current threshold is training compute > 10²⁵ FLOPs, which captures the largest frontier models (GPT-4-class and above) but not most enterprise fine-tunes or smaller models. Enterprise fine-tuners typically don't cross this threshold; only the upstream foundation model providers do. The additional obligations include: model evaluation including adversarial testing for systemic risks; assessment and mitigation of risks at the EU level; tracking, documenting and reporting serious incidents; adequate cybersecurity protection of the model and its physical infrastructure. Article 55 obligations are designed for the frontier model makers; most enterprises won't directly bear them, but they will indirectly bear them through their upstream supplier relationships.
The sovereign open-weights advantage on GPAI
If the enterprise deploys an off-the-shelf open-weights model — Llama 3.3, Qwen 2.5, Mistral, DeepSeek V3 — without substantial modification, the upstream provider (Meta, Alibaba, Mistral AI, DeepSeek) bears the Article 53 obligations for the base model. The enterprise as deployer inherits no Article 53 obligations for the base model — only the deployer obligations under Article 26 for the deployed system. This is structurally cleaner than the fine-tune case, where the enterprise inherits Article 53 obligations for the fine-tune itself. Most of our sovereign customers can avoid being GPAI providers by using off-the-shelf open-weights models with retrieval and prompting rather than fine-tuning. When fine-tuning genuinely is the right answer (format, voice, vocabulary problems prompting can't solve), the team scopes the fine-tune to a small adapter rather than substantial base-model modification, which keeps the Article 53 burden minimal.
The downstream-provider documentation requirement
Article 53's most operationally important provision for enterprises is the requirement that GPAI providers make documentation available to downstream providers integrating the model. As an enterprise deployer, this means you have the right to request from your model maker the technical documentation you need to satisfy your own AI Act obligations downstream. In practice this means insisting on Annex IV-quality documentation from the upstream model maker (Meta, Alibaba, Anthropic if you're using Claude, etc.) as part of your procurement. Many enterprises haven't yet started asking for this documentation; the model makers are starting to provide it but it's not yet standardised. By 2 August 2026 this documentation flow needs to be in place.
What enterprise legal teams should do this quarter
Three actions for GC teams in EU-touching enterprises. One: identify every fine-tuned or substantially modified GPAI model in the enterprise's portfolio and assess Article 53 provider status per model. Two: request Article 53 documentation from upstream GPAI providers for every open-weights or closed-API model the enterprise integrates. Three: incorporate the Article 53 documentation requirements into the standard AI procurement template so future model integrations come with the documentation included. None of this is one-off legal work; it's an ongoing GPAI-provenance management practice that needs to be in place by the August deadline. /eu-ai-act covers the broader article-by-article mapping.
Saurabh Goenka
Saurabh has spent the last five years shipping sovereign AI for regulated enterprises. He's personally led engagements with tier-1 banks across the Gulf, East Africa and South Asia, with healthcare systems in the UK and India, and with central-government agencies on three continents. He speaks regularly at industry forums on the engineering reality of EU AI Act compliance and sovereign LLM deployment.