Home · Synthesis · cl-ai-gpai-obligations

General-Purpose AI model provider obligations

EU AI Act ISO 42001 NIST AI RMF

Primary statement

GPAI obligations per EU AI Act Article 53 (technical documentation, downstream provider info, copyright/TDM, training data summary) + Article 54 (authorised representative for third-country providers) + Article 55 (systemic-risk GPAI additional obligations) + Article 56 (codes of practice) + ISO 42001 + NIST AI RMF. Chapter V GPAI obligations apply regardless of high-risk classification.

Audit-fatigue payoff

A unified GPAI compliance programme — Article 53 documentation + Article 55 systemic-risk evaluations + Article 56 code of practice alignment — satisfies GPAI obligations across all 3 contributing frameworks.

Strictness matrix

Scope

Scope: GPAI providers — Article 53 baseline + Article 55 systemic-risk additional (model evaluation including adversarial testing, risk assessment, serious incident reporting, cybersecurity). Ceiling source: eu_ai_act:Art.55 Rationale: EU AI Act Art 55 systemic-risk scope is uniquely strict for foundation models.

Threshold

Threshold: third-country providers placing GPAI on EU market must appoint authorised representative via written mandate PRIOR to placement. Ceiling source: eu_ai_act:Art.54 Rationale: EU AI Act Art 54 written-mandate-before-placement threshold is binary.

Method

Method: Annex XI technical documentation + Annex XII downstream provider info + copyright/TDM-opt-out policy + public training data summary + Art 55 model evaluation + adversarial testing + cybersecurity + Art 56 code of practice alignment + authorised representative for third-country (Art 54). Ceiling source: eu_ai_act:Art.55 Rationale: EU AI Act Art 53 + Art 54 + Art 55 + Art 56 form the canonical GPAI method.

Frequency

Technical documentation: continuous (kept up-to-date). Model evaluation: per material change. Code of practice alignment: annual. Ceiling source: eu_ai_act:Art.55 Rationale: Continuous documentation with per-change evaluation is the cadence.

Evidence

Evidence: Annex XI documentation + Annex XII downstream info + copyright/TDM policy + training data summary + model evaluation reports + Art 56 alignment + Art 54 mandate. Ceiling source: eu_ai_act:Art.55 Rationale: EU AI Act Art 55 evidence is comprehensive.

Auditor test pattern

Step 1: For GPAI providers, inspect Annex XI technical documentation. Step 2: Verify Annex XII downstream provider info. Step 3: For systemic-risk GPAI, verify Art 55 evaluations. Step 4: For third-country providers, verify Art 54 mandate.

Common findings

Common findings: (1) Technical documentation initial release only; not updated; (2) Annex XII downstream info absent; (3) Art 54 mandate absent for third-country GPAI providers; (4) Art 56 code of practice alignment not started.