Am I a GPAI Provider? EU AI Act Self-Test 2026

72 days left until August 2, 2026, the GPAI enforcement date.

If you're asking whether you qualify as a GPAI provider under the EU AI Act, you're not alone in finding the definition confusing. Most companies using AI tools are not GPAI providers. But if you've built, fine-tuned, or deployed a general-purpose AI model, even internally, you may be. The definition is broader than most legal teams realize, and the Act's language is not written to make this easy.

Work through the 8 questions below. Each one takes 30 seconds. By the end, you'll know your classification and what you need to have ready before August 2.

Jump to the self-test

TL;DR: 8 yes/no questions that classify your organization as a GPAI provider, open-source GPAI provider, systemic risk GPAI provider, or deployer under the EU AI Act. If you trained or fine-tuned an AI model on large amounts of data and made it available to others in the EU, you are a GPAI provider. Standard GPAI providers must have technical documentation, a training data copyright summary, and downstream operator information ready by August 2, 2026. If your training compute exceeded 10²⁵ FLOPs, add red-team results, incident reporting, and cybersecurity documentation to that list.

What is a GPAI provider?

Under Article 3(63) of the EU AI Act, a general-purpose AI (GPAI) model is an AI model trained on large amounts of data using self-supervision at scale, capable of serving many different purposes, and made available for other organizations or developers to use.

A GPAI provider is the company or individual that develops or fine-tunes that model and places it on the EU market (or makes it accessible to users in the EU).

If you're only using a GPAI model someone else built, you're a deployer, not a provider. Deployers have separate obligations under the EU AI Act, the high-risk AI system rules, but not the GPAI-specific ones in Chapter V.

The 8-question self-test

Work through these in order. You can stop as soon as you hit a "no" that clearly doesn't apply to you.

Question 1: Did your organization train or fine-tune an AI model?

This includes:

• Training a model from scratch on your own data
• Fine-tuning a base model (GPT, Llama, Mistral, etc.) on proprietary data
• Continued pretraining of an open-source model

No → You're using models others built. You're a deployer, not a provider. Stop here, GPAI provider obligations don't apply. See the EU AI Act August 2026 compliance checklist for deployer obligations.

Yes → Continue to Question 2.

Question 2: Is the model capable of serving multiple different tasks?

A GPAI model is "general-purpose", it can do more than one thing. Examples: text generation, code completion, summarization, question-answering, classification.

A model that only classifies images into two categories, or only detects a single specific pattern, is likely a narrow AI system, not a GPAI model.

No → Your model is purpose-specific. GPAI provider rules don't apply, but you may still be a high-risk AI system provider. Stop here.

Yes → Continue to Question 3.

Question 3: Do you make the model available to others, inside or outside your organization?

"Making available" means other people or systems can use it. This includes:

• Providing API access to customers or partners
• Publishing the model weights (open-source release)
• Integrating the model into a product used by others
• Licensing the model to other businesses

Internal use only, where the model only runs inside your own systems and no one outside can access it, even via a product you sell, is a gray area, but the EU AI Act's recitals suggest this leans toward deployer, not provider.

No → Internal-use-only model. You're likely a deployer, not a GPAI provider. Stop here.

Yes → Continue to Question 4.

Question 4: Are any users or downstream businesses located in the EU, or does the model affect people in the EU?

The EU AI Act applies when:

• Your model is available to EU-based organizations or developers
• EU citizens interact with a product that uses your model
• The model processes data of people located in the EU

No → No EU market access. EU AI Act may not apply. Stop here, but monitor, indirect EU reach through customers can be sufficient.

Yes → Continue to Question 5.

Question 5: Are you making the model available under an open-source license?

Open-source GPAI providers face reduced obligations under Article 53(2), but they're not fully exempt.

Yes (open-source) → You have limited obligations: mainly copyright transparency and a basic technical summary. Skip to the Open-source GPAI obligations section. But first, answer Question 6 to check if you're still subject to full obligations despite open-source status.

No (proprietary) → Continue to Question 6.

Question 6: Does your model have training compute above 10²⁵ FLOPs?

This is the systemic risk threshold under Annex XIII. Models trained with more than 10²⁵ floating-point operations are presumed to pose systemic risk and face the heaviest obligations.

For reference:

• GPT-4 class models: estimated ~2×10²⁴ FLOPs (below threshold)
• Models trained on 10,000+ H100-equivalent GPU-days: likely above threshold
• Most fine-tuned models: well below threshold

If you don't know your training compute, you're almost certainly below this threshold. The organizations that cross it are training frontier models, not fine-tuning Llama on their support tickets.

Yes → You're a systemic risk GPAI provider. This applies regardless of open-source status. Continue to Question 7.

No → You're a standard GPAI provider. Skip to Question 8.

Question 7 (systemic risk only): Has your model been independently evaluated or red-teamed?

This is required for systemic risk GPAI providers before August 2, 2026. The evaluation must assess:

• Adversarial robustness
• Capability for generating CSAM, CBRN-enabling content, or critical infrastructure attacks
• Risks to fundamental rights at scale

Yes → Document the methodology and results. You'll need this for the EU AI Office.

No → Start now. Third-party red-teaming takes 4-8 weeks to arrange, and August 2 is 72 days away.

Question 8: Do you have technical documentation ready?

All GPAI providers (standard and systemic risk, proprietary and open-source) must maintain technical documentation covering:

• Model architecture description
• Training data categories and sources
• Training compute (approximate)
• Intended purposes
• Copyright compliance approach for training data

Yes → You're in reasonable shape. Review the GPAI compliance checklist to confirm all six obligations are met.

No → This is a clear gap. Technical documentation is non-negotiable for any GPAI provider.

Your results

Open-source GPAI obligations

If you answered yes to Question 5 and no to Question 6, you face reduced obligations under Article 53(2):

1. Copyright transparency, publish a sufficiently detailed summary of training data used, including sources
2. Basic technical documentation, architecture, training approach, intended purposes
3. Acceptable use policy, document what the model should not be used for

You do NOT need to comply with the full copyright compliance regime (Article 53(1)(c)) or provide downstream operator documentation as extensively as proprietary providers.

Standard GPAI provider obligations (Article 53)

If you're a standard GPAI provider (proprietary, below systemic risk threshold):

1. Technical documentation (Article 53(1)(a)), model card covering architecture, training data, compute, intended purposes, and limitations
2. Information for downstream operators (Article 53(1)(b)), capabilities, limitations, known misuse risks, safety measures
3. Copyright compliance (Article 53(1)(c)), policy for complying with EU copyright law, including Article 4 TDM opt-outs
4. Training data summary (Article 53(1)(d)), sufficiently detailed summary of training data used, publicly available
5. Cooperation with EU AI Office, respond to audits and requests

Deadline: August 2, 2026. All five must be in place.

Systemic risk additions (Annex XIII)

If you're above the 10²⁵ FLOPs threshold:

6. Adversarial testing / red-teaming (Article 55(1)(a)), before deployment, and after significant model updates
7. Incident reporting (Article 55(1)(b)), serious incidents to the EU AI Office without undue delay (implementing measures set specific timeframes, aligned with GDPR's 72-hour breach window)
8. Cybersecurity measures (Article 55(1)(c)), document cybersecurity protections for model weights and training infrastructure
9. Energy efficiency reporting (Article 55(1)(d)), document energy consumption

Five mistakes GPAI providers make with compliance

Most GPAI provider compliance failures aren't about missing the rules, they're about misreading them.

1. Treating fine-tuning as deployment, not development. If your team fine-tuned a base model and provides it as part of your product, you are a GPAI provider. The fine-tuner, not the original model creator, holds provider obligations for the derivative model.

2. Assuming the open-source exemption covers everything. Article 53(2) reduces obligations for open-source GPAI, it does not eliminate them. Copyright transparency and basic technical documentation are still required. And if your open-source model crosses the 10²⁵ FLOPs threshold, the full systemic risk regime applies anyway.

3. Underestimating what "technical documentation" means. It is not a README. The EU AI Act's Annex XI lists the required content: model architecture, training methodology, training data categories and sources, compute used, known limitations, safety testing results, and intended and prohibited uses. For many teams, assembling this takes 4-6 weeks.

4. Confusing the EU AI Act GPAI rules with high-risk AI system rules. GPAI obligations (Chapter V) apply to the model developer. High-risk AI system obligations (Chapters II and III) apply to whoever deploys the model in a high-risk context. A GPAI provider can also be a high-risk AI system provider, these are not mutually exclusive.

5. Waiting for implementing acts. The GPAI Code of Practice is still being drafted, and implementing acts are pending. Some teams are waiting for these to be finalized before acting. That is a mistake: Article 53 obligations are not contingent on the Code of Practice. The baseline requirements are already enforceable as of August 2, 2026.

GPAI provider compliance timeline

If you're a systemic risk provider, add red-team completion by July 1, results take time to document properly, and last-minute red-teaming is not credible to auditors.

What to do now

If you've confirmed you're a GPAI provider, the EU AI Act GPAI compliance checklist walks through each obligation with specific deliverables and who should own them.

If you're a GPAI deployer (using models built by others), the EU AI Act August 2026 compliance checklist covers your obligations for high-risk AI system deployment.

For internal governance, who owns compliance, how to run vendor reviews, how to document AI systems, the AI governance guide for small teams covers the operational setup.

The August 2 deadline is firm. The EU AI Office has confirmed no extension for GPAI providers (unlike the high-risk AI system deadline, which was extended to December 2027 by the EU Digital Omnibus).

Related Reading

• EU AI Act GPAI compliance checklist
• EU AI Act August 2026 compliance checklist
• AI governance for small teams, complete guide
• AI vendor due diligence checklist
• EU AI Act compliance for small teams, complete guide
• EU AI Act deadline extended to December 2027