← Blog

EU AI Act General-Purpose AI: Article 53 Obligations, the August 2 Deadline, and the Deployer Consequences

The EU AI Act separates general-purpose AI (GPAI) rules from the high-risk system rules. GPAI obligations under Articles 53 through 55 sit with the model providers (OpenAI, Anthropic, Google, Mistral, Meta) and take effect August 2, 2026. Downstream deployers absorb second-order obligations through the technical documentation and evaluation records upstream providers must supply. This piece walks through what Article 53 requires from GPAI providers, what the systemic-risk threshold under Article 55 changes for the frontier labs, and the practical inspection-layer records a deployer running GPT-5, Claude 4, or Gemini 3 needs to keep against Articles 12, 13, and 26 in parallel.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
Compliance & Regulationeu-ai-actgpaigeneral-purpose-aiarticle-53article-55compliance
EU AI Act General-Purpose AI: Article 53 Obligations, the August 2 Deadline, and the Deployer Consequences

The EU AI Act separates general-purpose AI (GPAI) rules from the high-risk AI system rules. The GPAI chapter runs from Article 51 through Article 56 and covers the frontier model providers directly. The high-risk chapter runs from Article 6 through Article 49 and covers the deployers of AI systems that fall under Annex III. The two chapters take effect on the same date, August 2, 2026, and the obligations interact in ways that a compliance team running a GPT-5, Claude 4, or Gemini 3 workload has to trace to satisfy both regimes.

I want to walk through what Article 53 requires from GPAI providers, what the systemic-risk threshold under Article 55 changes for the frontier labs, how the deployer obligations under Articles 12, 13, and 26 sit downstream, and where the inspection-layer records land the deployer inside compliance under both regimes.

What Article 53 requires from GPAI providers

Article 53 sets the baseline obligations for every GPAI provider that places a general-purpose AI model on the EU market. The provider has to maintain technical documentation for the model that includes the training process, the training data types, the compute used, the tests and evaluations performed, and the known limitations. The Commission's General-Purpose AI Code of Practice (published November 26, 2025, endorsed by 27 signatories including OpenAI, Anthropic, Google, Microsoft, and Amazon) sets the operational form of the Article 53 documentation.

The provider has to summarize the training data content sufficiently for downstream deployers and copyright holders to assess whether their content was used. The Commission published the template for the training-data summary in April 2026.

The provider has to publish a policy for complying with Union copyright law, including handling text-and-data-mining reservations under the Copyright Directive Article 4.

The provider has to supply downstream deployers with the technical documentation they need to satisfy their own Article 13 transparency obligations. The deployer of a high-risk AI system built on top of GPT-5 has to disclose to affected persons that AI is involved, and the Article 53 documentation flows into that disclosure.

The systemic-risk threshold under Article 55

Article 55 covers general-purpose AI models with systemic risk. The Commission designates a GPAI model as systemic-risk when the cumulative training compute exceeds 10 to the 25th floating-point operations, or when the Commission determines the model has capabilities of high impact.

At the 10^25 FLOPs threshold, GPT-4, Gemini 1.5 Pro, Claude 3 Opus, and their successors qualify. GPT-5 (announced May 8, 2026), Claude 4 (announced March 2026), and Gemini 3 (announced June 2026) each sit well above the threshold.

Systemic-risk models carry additional obligations: adversarial testing (red-teaming) with results documented, incident reporting to the AI Office with a two-week reporting window for serious incidents, cybersecurity protection for the model weights and inference infrastructure, and risk assessment against a catalog of systemic risks (CBRN uplift, cyber-offense uplift, loss of control, harmful manipulation).

The AI Office (the Commission body created to oversee GPAI under Article 64) processes the incident reports and the risk assessments. The office can require additional testing or model modifications.

The downstream deployer's parallel obligations

The deployer of an AI system built on a GPAI model absorbs a separate set of obligations under the high-risk chapter (Articles 6-49) and the transparency chapter (Article 50).

Article 26 lists the deployer obligations. The deployer uses the AI system in accordance with the instructions for use the GPAI provider supplied. The deployer assigns human oversight to persons with the competence, training, authority, and support to exercise that oversight. The deployer monitors the operation of the AI system based on the instructions for use and reports serious incidents to the market surveillance authority.

Article 13 requires the deployer of a high-risk AI system to provide clear and adequate information to affected persons. When the AI system processes personal data, the disclosure has to explain the purpose, the processing categories, and the natural persons involved in the oversight.

Article 12 requires the deployer to keep automatic logs of the AI system's operation. The logs have to record the period of use, the input data, the natural persons involved in the operation, and the reference data set used for verification of the results.

Article 50 requires the deployer to disclose to natural persons that they are interacting with an AI system unless the interaction is obvious to a reasonably informed person.

The GPAI provider's documentation passes through to the deployer

The Article 53 technical documentation carries forward as evidence a deployer relies on for their own Article 13 obligation. The deployer cannot recreate the training-data disclosure the GPAI provider owes because the deployer never saw the training data. The disclosure has to flow through the deployer's documentation to the end user.

Anthropic's model card for Claude 4 (published March 2026) satisfies the Article 53.1(a) technical documentation requirement for downstream deployers under the AI Act. OpenAI's system card for GPT-5 satisfies the same requirement. Google's model card for Gemini 3 does the same.

The GPAI Code of Practice sets three chapters that describe the compliance form: Transparency (documentation and model card), Copyright (training data reservation handling), and Safety and Security (systemic-risk testing and incident reporting).

The deployer's Article 26 obligation to use the AI system in accordance with the instructions requires the deployer to keep a copy of the applicable instructions for use for each version of the model the deployer relies on. When OpenAI or Anthropic updates the model card, the deployer's compliance record has to capture the version of the card that applied to each period of use.

The inspection-layer records that support both regimes

The deployer's Article 12 log has to record, per request, the identity of the natural person involved (or the automated user, in agentic workflows), the input data (the prompt), the output, the model version, and the policy state that applied at the moment of the decision. The regulation does not prescribe the technical form. The Commission's implementing acts (expected in Q4 2026) will describe the technical form more specifically.

A per-decision audit record produced at the AI gateway satisfies the Article 12 log requirement, the Article 26 monitoring requirement, and the Article 50 transparency evidence requirement in a single record series. The record has to sit outside the application's control, because the application under audit cannot be the sole author of the audit records the regulator samples.

The GPAI provider's Article 53 documentation and the deployer's Article 12 log together form the traceability chain the Commission expects at audit. The regulator samples the deployer's log, resolves the model version, retrieves the GPAI provider's technical documentation for that version, and reconstructs the AI system's behavior at the sampled request. Any gap in the chain forces the regulator to escalate.

What operators building on GPT-5, Claude 4, or Gemini 3 have to do before August 2

The deployer has to identify which of its AI systems fall under the high-risk classification in Annex III. HR screening, education admissions, credit scoring, insurance pricing, biometric identification, and access to essential public services are the common triggers.

The deployer has to collect the current version of the model card and technical documentation the GPAI provider supplies for each model version in use. The deployer stores the documentation with the internal system record so the version-to-documentation mapping survives an audit.

The deployer has to instrument the AI system to produce the Article 12 log records. The instrumentation has to sit at the AI request layer so the records are produced for every request the AI system processes.

The deployer has to update the human-oversight assignment for the AI system with the competence, training, authority, and support the operator requires under Article 14.

The deployer has to update the customer-facing disclosure under Article 13 and Article 50 to reflect the AI system's operation. The disclosure has to name the AI system and the model class.

DeepInspect

The DeepInspect gateway sits between the deployer's application and the GPAI provider's inference endpoint. Every request the application makes to GPT-5, Claude 4, Gemini 3, or the open-weights alternatives runs through the gateway. The gateway binds the request to the authenticated user identity, applies the deployer's per-route policy, produces the Article 12 log record, and forwards the request to the model provider.

The gateway's record captures the model version the request targeted, the policy state at the moment of the decision, the input fingerprint, the response classifier outcome, and the human review status. The record sits in tamper-evident storage the deployer's application cannot modify. When the Commission samples the log at audit, the gateway's record series carries the full Article 12 payload for every request the AI system processed.

If your team is preparing for the August 2 deadline and has to produce Article 12 evidence against GPT-5, Claude 4, or Gemini 3 workloads, let's talk today.

Frequently asked questions

Does the GPAI provider's Article 53 documentation cover my Article 12 log obligation?

No. Article 53 covers the model provider's documentation about the model. Article 12 covers the deployer's log of the AI system's operational events. The two documents live at different layers of the compliance stack. The provider's documentation flows into the deployer's Article 13 transparency disclosure. The deployer's Article 12 log records the operational events at deployment time and remains the deployer's obligation.

If I use only the OpenAI or Anthropic API without adding a downstream application, am I a deployer under the AI Act?

The definitions in Article 3 turn on whether the AI system is placed in service. An organization that uses the API to power an internal or customer-facing application places an AI system in service and qualifies as a deployer. The provider (OpenAI, Anthropic) carries the Article 53 obligations for the underlying GPAI model. The deployer carries the Article 26 obligations for the AI system built on top.

What happens if the GPAI provider updates the model mid-quarter and my logs reference the old version?

The Article 12 log has to record the model version the request targeted. When the provider updates the model, the deployer records the new version starting at the switchover time. The audit team reconstructs the version history from the log series. The version-to-documentation mapping the deployer maintains resolves each version to the applicable model card.

How does the systemic-risk designation under Article 55 affect a deployer's obligations?

The systemic-risk designation adds obligations to the provider, not directly to the deployer. The deployer benefits from the additional safety testing the systemic-risk provider performs. The deployer's incident-reporting obligation under Article 26.4 becomes more time-sensitive when the underlying model is a systemic-risk model because the AI Office coordinates cross-deployer incident response.

What penalties apply if my Article 12 log is incomplete?

Article 99 sets the penalty framework. Non-compliance with the high-risk obligations carries fines up to €15 million or 3% of worldwide annual turnover, whichever is higher. The market surveillance authority sets the fine based on the nature, gravity, and duration of the infringement, and the size of the organization.