Providers
Providers are the entities that develop or place an AI system or GPAI model on the market. They usually carry the heaviest burden for documentation, conformity, and risk management.
Regulatory HUB
Navigating the
EU AI Act
The world's first comprehensive legal framework for AI. This page interprets the regulation through the lens of Practical Open Weights (POW).
Omnibus update
High-risk deadlines are set to move, but the 2026 transparency date still matters
Under the provisional political agreement on the Digital Omnibus on AI, obligations for stand-alone Annex III high-risk systems would move to December 2, 2027, while high-risk AI systems embedded in Annex I regulated products would move to August 2, 2028. The changes still require formal adoption and publication in the Official Journal.
The Article 50 transparency framework largely remains on the original August 2, 2026 compliance date.
A four-month grace period, until December 2, 2026, is proposed for machine-readable watermarking on systems already placed on the market before August 2, 2026.
A proposed new Article 5 prohibition would cover AI-generated non-consensual intimate imagery and CSAM, with a transition period until December 2, 2026.
The Risk Pyramid
Classification by Severity
🚫
Prohibited
Unacceptable Risk
+
⚠️
Regulated
High Risk
+
ℹ️
Transparency
Limited Risk
+
✅
Permitted
Minimal Risk
+
Who Has Obligations
Separate providers, deployers, and GPAI responsibilities
One of the most practical compliance steps is to identify which role you occupy in each use case.
Deployers
Deployers are organizations that use the system in their own operational setting. For them, correct use, human oversight, disclosures, and operational safeguards matter most.
Importers & Distributors
Importers and distributors are responsible for not circulating non-compliant systems and for checking that essential documentation and marking obligations have been met.
GPAI Model Providers
Providers of general-purpose AI models face dedicated duties around documentation, copyright policy, training-data summaries, and, in some cases, additional systemic-risk controls.
GPAI Obligations
What changes for general-purpose AI models
The GPAI layer matters most for model providers, open-weight ecosystems, and teams building on foundational models.
Tier 01
Base ComplianceStandard GPAI Models
Standard multi-purpose models (e.g., Llama 3 8B, Mistral Small).
Technical documentation for the AI Office and national authorities.
Instructions for use for downstream providers.
A policy to comply with Union copyright law.
A sufficiently detailed summary of the training content.
Open Source Note
Exceptions for models released under free and open-source licenses, provided they don't pose systemic risks (Recital 102).
Tier 02
High RigorGPAI with Systemic Risk
Cumulative computing power > 10^25 FLOPs or determined by the AI Office (e.g., Llama 3 400B+, GPT-4).
Rigorous adversarial testing (Red-Teaming).
Assessment and mitigation of systemic risks (e.g., cybersecurity, bias).
Reporting of serious incidents to the AI Office.
Adequate cybersecurity protection for model weights and infrastructure.
Regulatory Note
Open-source release does NOT exempt these models from systemic risk obligations.
Transparency Duties
What the user must be told
Many of the most practical AI Act obligations show up directly in product design, UX, and content labeling.
AI interaction disclosure
When users interact with an AI system, they must be clearly informed that they are not dealing with a human, unless that is already obvious from the context.
Synthetic and deepfake content
AI-generated or manipulated content should be labeled appropriately, especially where authenticity could otherwise be misunderstood.
Emotion recognition and biometric context
Certain use cases involving emotion recognition or biometric categorisation require extra caution, legal review, and clearer user-facing communication.
Compliance Quick-Check
Describe a product idea and get a lightweight EU AI Act read.
This is a practical first-pass check for likely risk area, role focus, and the questions worth investigating next.
Example product ideas
How to use it
Paste a realistic product description.
Mention the users, what the system decides or influences, whether it generates content, and whether it affects hiring, credit, education, healthcare, or other sensitive domains.
Operations
Technical Compliance Checklist
Practical steps for turning the AI Act from a policy topic into an operating model.
Governance
Appoint an AI Compliance Officer
Establish clear internal accountability for AI systems.
Inventory AI Systems
Identify all AI systems currently in use and classify their risk tier.
Human Oversight Framework
Design HITL (Human-in-the-loop) systems for High-Risk categories.
Technical Documentation
Record Lifecycle Logs
Implement automated logging for system performance and decision-making.
Dataset Privacy Audit
Verify that training/fine-tuning data complies with GDPR and Copyright laws.
Conformity Assessment
Conduct internal or third-party audits for High-Risk applications.
Transparency
AI Disclosure Labels
Implement UI indicators informing users they are interacting with AI.
Deepfake Labeling
Ensure AI-generated audio/video is digitally watermarked or labeled.
Downstream Manuals
Provide clear documentation for users implementing your model via API or local weights.
Strategic View
The Open Source Advantage
The EU AI Act provides significant exemptions for models released under free and open-source licenses, provided they do not pose systemic risks. This encourages the development of transparent, adaptable, and sovereign AI systems that help organizations avoid vendor lock-in while meeting baseline compliance.
Implementation Timeline
August 1, 2024
The AI Act enters into force.
February 2, 2025
Prohibited practices and AI literacy obligations start applying.
August 2, 2025
GPAI obligations and governance provisions start applying.
August 2, 2026
Article 50 transparency obligations remain a live compliance date.
December 2, 2026
Proposed end of the watermarking grace period for existing systems and the transition period for the new NCII/CSAM prohibition.
August 2, 2027
Proposed new deadline for member states to establish AI regulatory sandboxes.
December 2, 2027
Proposed new application date for stand-alone Annex III high-risk AI systems.
August 2, 2028
Proposed new application date for high-risk AI systems embedded in Annex I regulated products.
Glossary
Useful terms for product and compliance teams
High-risk AI system
An AI system subject to stricter governance, documentation, oversight, and risk-control obligations.
Prohibited practice
A practice that is not allowed to be developed or used under the Act.
General-purpose AI model
A general-purpose AI model that can be adapted or deployed across many downstream use cases.
Provider
The entity that develops or places an AI system or model on the market.
Deployer
The organization that uses the system in a real operational or product setting.
Transparency duty
An obligation to inform users when they are interacting with AI or consuming AI-generated content.
The "Brussels Effect"
The EU AI Act is expected to become a global blueprint for AI regulation, much like GDPR redefined data privacy. Organizations that align early may gain stability, trust, and a cleaner multi-model operating posture.
Sources
Sources and Guidance
European Commission: Implementation timeline
Official implementation timeline for the main milestones under the AI Act.
Open source
European Commission: GPAI obligations
Official summary of the obligations for general-purpose AI models.
Open source
European Commission: Guidelines on prohibited AI practices
Guidance on prohibited practices and how they are interpreted in practice.
Open source
European Commission: GPAI Code of Practice
Supporting material around the code of practice for GPAI compliance.
Open source
Gibson Dunn: EU AI Act Omnibus Agreement
Analysis of the provisional Omnibus agreement, proposed high-risk deadline delays, and new Article 5 and Article 50 changes.
Open source