2026-04-16·12 min read·

EU AI Act Art.51 GPAI Model Classification: Systemic Risk Threshold and Provider Obligations — Developer Guide (2026)

EU AI Act Chapter V introduces a distinct regulatory layer for General-Purpose AI (GPAI) models — the foundation models, large language models, and multimodal systems that developers build products on top of. Article 51 is the classification gateway: it defines two tiers of GPAI models and determines which tier triggers the heightened systemic risk obligations under Articles 52–55.

If you train, fine-tune, or distribute a foundation model — or if you build products on top of models that may soon cross the systemic risk threshold — Art.51 directly shapes your regulatory exposure. The threshold is quantitative: 10^25 floating-point operations (FLOPs) of cumulative training compute. Models crossing this line face mandatory code of practice adherence, adversarial testing, serious incident reporting, and cybersecurity obligations that do not apply to general GPAI models.

For SaaS developers building on GPAI APIs, Art.51 classification is the upstream regulatory fact that cascades into your obligations. If your GPAI API provider is classified as a systemic risk provider under Art.51, specific downstream transparency and information obligations are activated for your product. Understanding Art.51 is prerequisite knowledge for navigating the Chapter V framework.

Art.51 in the EU AI Act Structure

Art.51 sits at the opening of Chapter V — General-Purpose AI Models, which runs from Art.51 through Art.56. Chapter V operates parallel to Chapter III (high-risk AI) and Chapter IV (transparency obligations) — a GPAI model may simultaneously be subject to Chapter V obligations and, when integrated into a high-risk AI system, Chapter III obligations.

Chapter	Scope	Art.51 Relationship
Chapter III	High-risk AI systems (Art.6–Art.49)	A GPAI model integrated into a high-risk AI system triggers Chapter III for the system integrator
Chapter IV	Transparency obligations (Art.50)	Art.50(3) explicitly includes GPAI model providers for AI-generated content marking
Chapter V	GPAI models (Art.51–Art.56)	Art.51 is the classification gateway for all Chapter V obligations
Chapter VI	Governance and enforcement	Art.99 penalty framework applies to Art.51–56 violations

Chapter V Obligation Cascade starting from Art.51:

Article	Title	Applies To
Art.51	GPAI model classification	All GPAI model providers — defines the two tiers
Art.52	Obligations for all GPAI providers	All GPAI model providers
Art.53	Obligations for GPAI providers with systemic risk	Only systemic risk tier
Art.54	Authorised representatives for non-EU systemic risk providers	Only systemic risk tier (non-EU providers)
Art.55	Downstream provider obligations cascade	All GPAI model providers — obligations to downstream integrators
Art.56	GPAI model codes of practice	Systemic risk tier — compliance pathway via code of practice

Art.51(1): Two Categories of GPAI Models

Art.51(1) divides GPAI models into two regulatory tiers based on training compute:

Tier 1 — GPAI Model (General): Any AI model trained with a broad set of data using self-supervision at scale, designed with significant generality and competence across a wide range of distinct tasks, which can be integrated into a variety of downstream systems or applications. The defining characteristic is generality — GPAI models are not trained for a single narrow task.

Tier 2 — GPAI Model with Systemic Risk: A GPAI model that meets either of the following conditions:

Trained with a cumulative amount of compute greater than 10^25 floating-point operations (FLOPs); or
Designated by the Commission under Art.51(2) based on criteria indicating systemic risk regardless of compute threshold.

What "cumulative training compute" means:

Concept	Definition	Notes
Training compute	FLOPs used during the full pre-training phase	Includes forward and backward passes
Cumulative	Total FLOPs across all pre-training runs contributing to the released model	Re-runs, continued pre-training, and subsequent training runs accumulate
10^25 FLOPs	Approximately 10 septillion floating-point operations	Equivalent to ~3.2 × 10^9 GPU-hours on an A100 at peak utilisation
Fine-tuning only	Fine-tuning FLOPs alone rarely reach 10^25	The threshold targets foundational pre-training, not downstream fine-tuning

Who falls in each tier (indicative as of 2026):

Model Category	Estimated FLOPs	Likely Tier
Small open-source LLMs (7B–13B)	10^22–10^23	General GPAI
Mid-scale models (70B)	10^23–10^24	General GPAI
Large frontier models (GPT-4 scale, Gemini Ultra scale)	10^24–10^26	Systemic Risk tier
Multimodal frontier models at frontier scale	10^25+	Systemic Risk tier
Fine-tuned variants of systemic risk models	Derived from threshold model	Classified with base model

Key practical implication: If you are a developer building on top of an API from a model provider (OpenAI, Google, Anthropic, Mistral, Meta, Cohere), the classification of their underlying model under Art.51 determines which Art.55 downstream obligations your products are subject to. Systemic risk model providers must contractually flow down certain transparency obligations to API users.

Art.51(2): Commission Designation Authority

Art.51(2) grants the European Commission authority to designate additional GPAI models as having systemic risk even where the 10^25 FLOPs threshold is not met. This provision exists because compute thresholds alone may not capture all models that pose systemic risks — a highly capable model achieving frontier performance through novel efficiency techniques could remain below 10^25 FLOPs while posing equivalent systemic risk.

Criteria for Commission designation:

The Commission may consider:

Number of registered users — models with extremely broad deployment create systemic exposure even below the compute threshold
Capabilities at or near frontier — models demonstrating capabilities equivalent to threshold-crossing models
Systemic risk based on reasoning, autonomy, or cross-domain ability — models capable of autonomous action across multiple high-impact domains
Adversarial risk — models with demonstrated susceptibility to large-scale misuse
Opinion of the Scientific Panel — Art.68a establishes a Scientific Panel of AI experts whose opinion the Commission solicits before designation

Designation procedure:

Step	Actor	Mechanism
1. Initial assessment	Commission (or Scientific Panel notification)	Review of technical capability reports
2. Scientific Panel opinion request	Commission → Scientific Panel	Formal opinion on systemic risk
3. Provider consultation	Commission → Model provider	Opportunity to provide technical information
4. Designation decision	Commission	Delegated act or implementing act
5. Provider notification	Commission → Provider	Written designation decision
6. Provider compliance	Provider	30-day period to begin Chapter V systemic risk compliance

Rebuttable presumption: Providers that can demonstrate through authoritative documentation that their model does not in fact have systemic risk despite reaching 10^25 FLOPs may seek a Commission decision that the model does not have systemic risk. This rebuttal must address the capabilities criteria and be supported by evaluation results.

Art.51(3): Provider Notification Obligation

Art.51(3) imposes a proactive notification obligation on GPAI model providers: when a model reaches or exceeds the 10^25 FLOPs threshold, the provider must notify the Commission.

Notification timing:

Event	Notification Requirement	Timeline
Model reaches 10^25 FLOPs during training	Notify Commission	Before or upon market placement
Model is updated with additional training that pushes cumulative compute over threshold	Notify Commission	Within 30 days of the cumulative threshold being crossed
Model is fine-tuned by a downstream party (fine-tuner)	Fine-tuner inherits obligations via Art.55; original provider records updated	On awareness

Content of the notification:

The notification must include, at minimum:

Identity of the provider (legal name, address, contact point)
Model name and version number
Intended purpose and deployment scenarios
Estimated cumulative training compute (in FLOPs, with methodology)
Training data provenance summary (types of data, geographic sources)
Reference to any existing technical documentation, model cards, or training data transparency documentation
Any known capabilities that may be relevant to systemic risk assessment
Contact details of the GPAI provider's EU representative (if non-EU provider under Art.54)

Form of notification: Notifications are submitted to the Commission through the GPAI model registry established under Art.71. The Commission has published guidance on the notification form and required annexes.

Confidentiality: Providers may request confidential treatment of commercially sensitive information in the notification. The Commission must balance transparency obligations under the AI Act with protection of trade secrets.

The 10^25 FLOPs Threshold: Technical Guidance for Developers

The threshold is precise but requires careful measurement. The AI Act uses "cumulative amount of compute used for training" — this is not the compute per training step but the total FLOPs integrated across all pre-training steps.

Standard FLOPs estimation formula for transformer models:

Total Training FLOPs ≈ 6 × N × D

Where:

N = Number of model parameters
D = Number of training tokens
6 = Constant accounting for forward pass (multiply-add counted as 2 FLOPs) × backpropagation (≈ 2×)

Example calculations:

Model Configuration	N (params)	D (tokens)	Estimated FLOPs	vs. 10^25
7B model, 1T tokens	7 × 10^9	10^12	4.2 × 10^22	3 orders below
70B model, 2T tokens	7 × 10^10	2 × 10^12	8.4 × 10^23	2 orders below
400B model, 15T tokens	4 × 10^11	1.5 × 10^13	3.6 × 10^25	Above threshold
1T model, 10T tokens	10^12	10^13	6 × 10^25	Above threshold

Critical nuance — cumulative compute:

The 10^25 FLOPs threshold applies to cumulative training compute, not to a single training run. This has significant implications:

A model trained in multiple runs (e.g., training continuation after initial release) accumulates FLOPs across runs
Re-training from a previous checkpoint continues the cumulative count from the prior run's compute, not from zero
Providers must maintain accurate compute accounting records from first training token to final model release

What is NOT counted:

Inference compute (running the model for predictions)
Fine-tuning by downstream parties (though the fine-tuned model inherits the provider's classification)
Evaluation and benchmarking compute during development

Art.51 × Art.52/53/54/55: The Full Obligation Cascade

Art.51 classification determines the full body of Chapter V obligations. Here is the complete obligation matrix:

Obligation	Art.52 (All GPAI)	Art.53 (Systemic Risk Only)
Technical documentation	Required — model architecture, training data description, training methodology	Enhanced — adversarial testing results, serious incident reports
Training data transparency	Required — types and sources of training data	Enhanced — detailed dataset composition, copyright compliance measures
Copyright compliance policy	Required — policy for complying with EU copyright law, summary of data used	Enhanced — full dataset documentation per Art.53(1)(a)
Summary of training data	Required — publishable summary for downstream transparency	Enhanced version
AI Act compliance information to downstream providers	Required under Art.55 — contractual and technical	Required with systemic risk classification notification
Code of practice adherence	Voluntary for general GPAI	Required — must adhere to EU GPAI code of practice or equivalent
Adversarial testing	Not required	Required — model evaluation covering systemic risks
Serious incident reporting	Not required	Required — report serious incidents and corrective measures to Commission
Cybersecurity obligations	Not required	Required — appropriate level of cybersecurity protection
Authorised representative	Not required (for general GPAI non-EU providers)	Required (Art.54) — designated EU representative

Art.55: Downstream provider obligations (all GPAI models):

Art.55 requires GPAI model providers to pass specific obligations to downstream providers who integrate the GPAI model into their own AI systems. This creates a contractual and technical chain of obligations:

Downstream Obligation	All GPAI	Systemic Risk GPAI
Cooperation on Art.52 technical documentation	Yes	Yes
Machine-readable model card provision	Yes	Yes
Training data summary provision	Yes	Yes
Systemic risk classification notification	N/A	Yes — downstream providers must be informed of systemic risk classification
Incident reporting cooperation	No	Yes — downstream providers must report serious incidents that may be related to the upstream GPAI model

GPAI Provider Compliance Strategy

For providers approaching or above the 10^25 FLOPs threshold, compliance requires building regulatory infrastructure alongside the model:

Pre-notification phase (before market placement):

Calculate cumulative training FLOPs using the standard formula + detailed hardware logs
Determine tier classification (general vs. systemic risk)
If systemic risk: prepare Commission notification package
Draft model card covering Art.52 technical documentation requirements
Prepare training data summary for public disclosure
Establish copyright compliance policy and documentation

Post-classification (systemic risk tier):

Designate EU authorised representative (Art.54) if non-EU provider
Join EU GPAI code of practice or establish equivalent measures
Design adversarial testing program per Art.53(1)(b)
Implement serious incident reporting system per Art.53(1)(c)
Implement cybersecurity measures per Art.53(1)(d)
Flow down Art.55 obligations to downstream API users contractually

For downstream SaaS developers (API users of GPAI models):

Request from your GPAI API provider: Art.51 classification status + Art.55 model card
If provider is systemic risk classified: update your incident reporting to include GPAI-related incidents
If provider is general GPAI: obtain training data summary and technical documentation
Update your Art.13 technical documentation to reference the GPAI model and its classification
If building a high-risk AI system on top of a GPAI model: Art.55 + Chapter III both apply

CLOUD Act × GPAI Model Cards and Training Records

The CLOUD Act intersection with GPAI compliance is particularly significant for frontier model providers operating US infrastructure:

At-risk compliance records:

Record Type	Art.51/52/53 Requirement	CLOUD Act Risk
Cumulative training compute logs	Must be retained for Commission notification	If stored on US infrastructure, compellable without EU consent
Training dataset documentation	Art.52(1)(a)(i) — types and sources of data	Trade-sensitive; dual-access risk
Model evaluation and adversarial testing results	Art.53(1)(b) — for systemic risk models	Security-sensitive; dual-access risk
Serious incident reports	Art.53(1)(c) — Commission notifications	Law enforcement interest; dual compellable
Copyright compliance documentation	Art.52(1)(a) — training data copyright policy	Litigation risk; dual-access risk
AI model cards (technical documentation)	Art.52(1)(b) — for downstream Art.55 compliance	Competitive intelligence; dual-access risk

CLOUD Act scenario for GPAI providers:

A frontier model provider operating primarily on US cloud infrastructure (AWS, Azure, GCP) faces the following dual-access scenario:

EU AI Act Art.51/52/53 requires maintaining compliance records for Commission inspection
CLOUD Act allows US law enforcement to compel access to those same records stored on US infrastructure without an EU court order
The records are simultaneously compellable by two separate jurisdictions under two different legal regimes

EU-native infrastructure mitigation: Hosting GPAI compliance records, model cards, training data documentation, and incident reports on EU-native infrastructure (operating exclusively under GDPR and EU administrative law) eliminates the CLOUD Act dual-access scenario. The EU's Budapest Convention and GDPR data transfer restrictions provide the legal basis for keeping sensitive model compliance data within EU jurisdiction.

For SaaS developers building compliance infrastructure for GPAI-adjacent systems — model registries, training record management, incident reporting pipelines — EU-native PaaS deployment addresses the jurisdiction question from the architecture level.

Python Implementation

GPAIModelClassifier

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import math

class GPAITier(Enum):
    GENERAL = "general_gpai"
    SYSTEMIC_RISK = "systemic_risk_gpai"
    BELOW_THRESHOLD = "not_gpai"

@dataclass
class GPAIClassificationResult:
    tier: GPAITier
    cumulative_flops: float
    threshold_flops: float = 1e25
    commission_designated: bool = False
    designation_date: Optional[str] = None
    notification_required: bool = False
    compliance_articles: list[str] = field(default_factory=list)

    @property
    def flops_ratio(self) -> float:
        return self.cumulative_flops / self.threshold_flops

    @property
    def above_threshold(self) -> bool:
        return self.cumulative_flops >= self.threshold_flops

    def summary(self) -> dict:
        return {
            "tier": self.tier.value,
            "cumulative_flops": f"{self.cumulative_flops:.2e}",
            "threshold_flops": f"{self.threshold_flops:.2e}",
            "ratio_to_threshold": f"{self.flops_ratio:.4f}",
            "above_threshold": self.above_threshold,
            "commission_designated": self.commission_designated,
            "notification_required": self.notification_required,
            "applicable_articles": self.compliance_articles,
        }


class GPAIModelClassifier:
    """
    Classifies GPAI models under EU AI Act Art.51.
    Art.51(1): Two tiers — general GPAI and systemic risk GPAI (>= 10^25 FLOPs).
    Art.51(2): Commission designation authority for models below threshold.
    Art.51(3): Provider notification obligation upon reaching threshold.
    """
    SYSTEMIC_RISK_FLOPS_THRESHOLD = 1e25  # Art.51(1) threshold

    def classify(
        self,
        cumulative_training_flops: float,
        is_commission_designated: bool = False,
        designation_date: Optional[str] = None,
        is_gpai: bool = True,
    ) -> GPAIClassificationResult:
        """
        Classify a GPAI model under Art.51.

        Args:
            cumulative_training_flops: Total FLOPs across all pre-training runs
            is_commission_designated: True if Commission has designated under Art.51(2)
            designation_date: ISO date of Commission designation if applicable
            is_gpai: False for narrow-purpose models that do not qualify as GPAI
        """
        if not is_gpai:
            return GPAIClassificationResult(
                tier=GPAITier.BELOW_THRESHOLD,
                cumulative_flops=cumulative_training_flops,
                notification_required=False,
                compliance_articles=[],
            )

        is_systemic_risk = (
            cumulative_training_flops >= self.SYSTEMIC_RISK_FLOPS_THRESHOLD
            or is_commission_designated
        )

        if is_systemic_risk:
            tier = GPAITier.SYSTEMIC_RISK
            articles = ["Art.51", "Art.52", "Art.53", "Art.54", "Art.55", "Art.56"]
        else:
            tier = GPAITier.GENERAL
            articles = ["Art.51", "Art.52", "Art.55"]

        return GPAIClassificationResult(
            tier=tier,
            cumulative_flops=cumulative_training_flops,
            commission_designated=is_commission_designated,
            designation_date=designation_date,
            notification_required=is_systemic_risk,
            compliance_articles=articles,
        )

    @staticmethod
    def estimate_flops_chinchilla(
        num_parameters: int,
        num_training_tokens: int,
    ) -> float:
        """
        Estimate training FLOPs using the Chinchilla approximation.
        FLOPs ≈ 6 × N × D
        Args:
            num_parameters: Number of model parameters
            num_training_tokens: Number of tokens in the training dataset
        Returns:
            Estimated total training FLOPs
        """
        return 6 * num_parameters * num_training_tokens

    def is_approaching_threshold(
        self,
        cumulative_flops: float,
        warning_ratio: float = 0.5,
    ) -> bool:
        """Returns True if model is within warning_ratio of the systemic risk threshold."""
        return cumulative_flops >= (self.SYSTEMIC_RISK_FLOPS_THRESHOLD * warning_ratio)

SystemicRiskThresholdChecker

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class TrainingRunRecord:
    run_id: str
    start_date: str
    end_date: str
    num_parameters: int
    num_tokens: int
    estimated_flops: float
    hardware: str
    checkpoint_name: Optional[str] = None

    @classmethod
    def from_chinchilla_estimate(
        cls,
        run_id: str,
        start_date: str,
        end_date: str,
        num_parameters: int,
        num_tokens: int,
        hardware: str,
        checkpoint_name: Optional[str] = None,
    ) -> "TrainingRunRecord":
        flops = 6 * num_parameters * num_tokens
        return cls(
            run_id=run_id,
            start_date=start_date,
            end_date=end_date,
            num_parameters=num_parameters,
            num_tokens=num_tokens,
            estimated_flops=flops,
            hardware=hardware,
            checkpoint_name=checkpoint_name,
        )


class SystemicRiskThresholdChecker:
    """
    Tracks cumulative training compute across runs for Art.51(3) notification compliance.
    Maintains audit-ready record of FLOPs accumulation per Art.52 documentation requirements.
    """
    THRESHOLD = 1e25

    def __init__(self):
        self._runs: list[TrainingRunRecord] = []
        self._notification_sent: bool = False
        self._notification_date: Optional[str] = None

    def add_training_run(self, run: TrainingRunRecord) -> dict:
        """Add a training run record and check if threshold is crossed."""
        self._runs.append(run)
        cumulative = self.cumulative_flops
        crossed = cumulative >= self.THRESHOLD
        approaching = cumulative >= (self.THRESHOLD * 0.5) and not crossed

        return {
            "run_id": run.run_id,
            "run_flops": f"{run.estimated_flops:.2e}",
            "cumulative_flops": f"{cumulative:.2e}",
            "threshold": f"{self.THRESHOLD:.2e}",
            "threshold_crossed": crossed,
            "approaching_threshold": approaching,
            "notification_required": crossed and not self._notification_sent,
            "art_51_3_action": "NOTIFY COMMISSION IMMEDIATELY" if (crossed and not self._notification_sent) else "monitor",
        }

    @property
    def cumulative_flops(self) -> float:
        return sum(r.estimated_flops for r in self._runs)

    def mark_notification_sent(self, notification_date: str) -> None:
        """Record that Art.51(3) notification has been sent to Commission."""
        self._notification_sent = True
        self._notification_date = notification_date

    def compliance_report(self) -> dict:
        """Generate Art.52 technical documentation entry for compute records."""
        return {
            "total_training_runs": len(self._runs),
            "cumulative_flops": f"{self.cumulative_flops:.2e}",
            "systemic_risk_threshold": f"{self.THRESHOLD:.2e}",
            "threshold_crossed": self.cumulative_flops >= self.THRESHOLD,
            "notification_sent": self._notification_sent,
            "notification_date": self._notification_date,
            "runs": [
                {
                    "run_id": r.run_id,
                    "dates": f"{r.start_date} → {r.end_date}",
                    "params": f"{r.num_parameters:.2e}",
                    "tokens": f"{r.num_tokens:.2e}",
                    "flops": f"{r.estimated_flops:.2e}",
                    "hardware": r.hardware,
                }
                for r in self._runs
            ],
        }

ModelProviderNotificationRecord

from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
import json

@dataclass
class ModelProviderNotificationRecord:
    """
    Art.51(3) Commission notification record.
    Also serves as Art.52 technical documentation foundation.
    """
    # Provider identity
    provider_legal_name: str
    provider_address: str
    provider_contact_email: str
    eu_representative: Optional[str]  # Art.54 — required for systemic risk non-EU providers

    # Model identity
    model_name: str
    model_version: str
    model_description: str

    # Classification basis
    cumulative_flops: float
    classification_basis: str  # "flops_threshold" | "commission_designation"
    commission_designation_date: Optional[str]

    # Training data
    training_data_types: list[str]
    training_data_geographic_sources: list[str]
    copyright_compliance_policy_url: str

    # Documentation references
    model_card_url: Optional[str]
    technical_documentation_url: Optional[str]

    # Notification metadata
    notification_date: str = field(default_factory=lambda: datetime.utcnow().date().isoformat())
    notification_status: str = "draft"  # draft | submitted | acknowledged

    def to_notification_payload(self) -> dict:
        """Serialize for Commission GPAI model registry submission."""
        return {
            "notification_type": "art_51_3_provider_notification",
            "notification_date": self.notification_date,
            "notification_status": self.notification_status,
            "provider": {
                "legal_name": self.provider_legal_name,
                "address": self.provider_address,
                "contact": self.provider_contact_email,
                "eu_representative": self.eu_representative,
            },
            "model": {
                "name": self.model_name,
                "version": self.model_version,
                "description": self.model_description,
            },
            "classification": {
                "tier": "systemic_risk_gpai",
                "cumulative_flops": f"{self.cumulative_flops:.2e}",
                "threshold": "1e25",
                "basis": self.classification_basis,
                "commission_designation_date": self.commission_designation_date,
            },
            "training_data": {
                "types": self.training_data_types,
                "geographic_sources": self.training_data_geographic_sources,
                "copyright_policy_url": self.copyright_compliance_policy_url,
            },
            "documentation": {
                "model_card_url": self.model_card_url,
                "technical_documentation_url": self.technical_documentation_url,
            },
        }

    def to_json(self) -> str:
        return json.dumps(self.to_notification_payload(), indent=2)

    def is_complete(self) -> tuple[bool, list[str]]:
        """Validate notification completeness before Commission submission."""
        missing = []
        if not self.provider_legal_name:
            missing.append("provider_legal_name")
        if not self.eu_representative:
            missing.append("eu_representative (Art.54 required for non-EU providers)")
        if not self.model_card_url:
            missing.append("model_card_url (Art.52 documentation reference)")
        if not self.training_data_types:
            missing.append("training_data_types")
        if not self.copyright_compliance_policy_url:
            missing.append("copyright_compliance_policy_url (Art.52(1)(a))")
        return len(missing) == 0, missing

40-Item Art.51 Compliance Checklist

Classification Assessment (Art.51(1))

Determine whether your model qualifies as a GPAI model (broad generality across diverse tasks)
Calculate cumulative training FLOPs using the standard formula (6 × N × D) for all pre-training runs
Sum FLOPs across all training runs contributing to the released model version
Compare cumulative FLOPs to the 10^25 FLOPs systemic risk threshold
Document the FLOPs calculation methodology and hardware utilisation assumptions
Verify whether any prior training runs (foundation checkpoint, continued pre-training) are included in the cumulative count
Determine whether the model is approaching the threshold (>5 × 10^24 FLOPs) — monitor proactively
Confirm whether the model has been the subject of a Commission designation request under Art.51(2)

Commission Designation Monitoring (Art.51(2)) 9. Monitor Commission delegated act publications for GPAI designation criteria updates 10. Monitor Scientific Panel publications for model capability assessments 11. Establish internal alert process if Commission contacts you for information preceding a designation decision 12. Prepare rebuttal documentation capability if your model is proposed for designation but you dispute systemic risk characterisation 13. Document deployment scale (registered users) as a Commission designation criterion independent of FLOPs

Provider Notification (Art.51(3)) 14. Prepare Commission notification package before market placement if threshold is met 15. Include all required notification content: provider identity, model ID, FLOPs estimate, training data summary, documentation references 16. Designate EU authorised representative (Art.54) if you are a non-EU provider and your model crosses the threshold 17. Submit notification through the GPAI model registry (Art.71) before or concurrent with market placement 18. Mark notification date and Commission acknowledgment in your compliance records 19. Update notification if the model undergoes subsequent training that materially changes its characteristics or compute total 20. Retain notification records for at least 10 years (Art.18 retention obligation applies by analogy for Chapter V documentation)

Art.52 — General GPAI Obligations (All GPAI Providers) 21. Prepare and maintain technical documentation per Art.52 covering model architecture, training methodology, intended purposes 22. Draft training data transparency summary for public disclosure (Art.52(1)(a)) 23. Implement copyright compliance policy for training data with documentation 24. Make Art.52 technical documentation available to Commission and national authorities on request 25. Provide downstream API users with machine-readable model card and technical documentation per Art.55

Art.53 — Systemic Risk GPAI Obligations (Systemic Risk Tier Only) 26. Design adversarial testing program covering identified systemic risks (Art.53(1)(b)) 27. Conduct adversarial testing before market placement and after significant updates 28. Establish serious incident reporting system — notify Commission of serious incidents within 30 days (Art.53(1)(c)) 29. Define what constitutes a "serious incident" for your GPAI model (reference Art.3(49) definition) 30. Implement cybersecurity measures appropriate to the systemic risk profile (Art.53(1)(d)) 31. Adhere to EU GPAI code of practice or demonstrate equivalent compliance measures (Art.56) 32. Participate in code of practice working groups or provide justification for alternative compliance pathway

Art.55 — Downstream Provider Obligations (All GPAI Providers) 33. Update API terms of service to include Art.55 required information flows to downstream providers 34. Provide machine-readable model card to all downstream API integrators 35. Include GPAI classification status (general vs. systemic risk) in model card 36. If systemic risk: notify downstream providers of systemic risk classification and their Art.55 incident reporting obligations

Infrastructure and Records 37. Store GPAI compliance records (training logs, model cards, incident reports) on EU-native infrastructure 38. Ensure training compute records are maintained with audit-trail integrity for Commission inspection 39. Implement access control for compliance records — separation of regulatory records from operational data 40. Annual review of classification status — update Commission notification if material changes occur to model capabilities or compute

Art.51 Compliance Timeline

Milestone	Date	Obligation
AI Act Entry into Force	2 August 2024	Regulation effective
Chapter V Application (GPAI)	2 August 2025	Art.51–56 obligations apply
GPAI Code of Practice Final	Target Q2 2025	Code of practice finalised for systemic risk compliance
Commission GPAI Registry Live	Target H1 2025	Notification submission channel opens
Systemic Risk Provider Full Compliance	2 August 2025	Adversarial testing, incident reporting, cybersecurity required

Critical note: Chapter V (Art.51–56) became applicable on 2 August 2025 — one year before Chapter III (high-risk AI systems, applicable 2 August 2026). GPAI model providers already face full Art.51–56 obligations. If you are providing a frontier-scale model or building GPAI compliance infrastructure, the compliance window is now.