← Back to Insights PL
Regulations 18 August 2025 · 5 min

EU AI Act — GPAI Obligations Now in Force

August 2, 2025 — The Second Wave of AI Act Obligations

The EU AI Act entered into force on August 1, 2024, but its provisions are being phased in gradually. On August 2, 2025, the second major wave of obligations became applicable — affecting general-purpose AI (GPAI) model providers, national governance structures, and penalty frameworks.

What Changed on August 2, 2025?

  • GPAI model obligations — providers must maintain technical documentation, implement transparency measures, and comply with copyright rules
  • Systemic risk models — GPAI models with systemic risk face additional obligations: adversarial testing, incident tracking, cybersecurity measures
  • AI Board operational — the EU-level coordination body began active work, advising the Commission on consistent application
  • National authorities designated — Member States were required to designate competent authorities (market surveillance + notifying authority)
  • Penalty framework — rules on penalties for GPAI violations now apply (actual enforcement powers for GPAI penalties start August 2026)

Who Is Affected?

The GPAI obligations apply to providers of models that display "significant generality" and are capable of performing a wide range of distinct tasks. In practice, this covers large language models (LLMs), multimodal models, and foundation models used across multiple applications.

Importantly, if your company deploys GPAI-based products (e.g., integrates an LLM into your SaaS), you may also have indirect compliance obligations — especially if you modify the model or use it in high-risk contexts.

Key GPAI Provider Obligations

  • Technical documentation — detailed records of training methodology, data governance, performance benchmarks
  • Transparency to downstream providers — sufficient information for deployers to understand capabilities and limitations
  • Copyright compliance policy — documented approach to respecting EU copyright law in training data
  • Public summary of training data — a summary following a template provided by the AI Office

What's Next — August 2026

The main event is still ahead. On August 2, 2026, the majority of the AI Act becomes applicable:

  • High-risk AI systems (Annex III) — biometric identification, credit scoring, employment screening, critical infrastructure
  • Transparency obligations — chatbot disclosure, deepfake labeling, AI-generated content marking
  • Full enforcement powers — including national-level sanctions
  • Regulatory sandboxes — at least one per Member State

Practical Recommendations

  1. Map your AI inventory — identify all AI systems your company develops, deploys, or imports
  2. Classify risk levels — determine which systems may fall under high-risk categories (Annex III)
  3. Start documentation now — technical documentation requirements are detailed; early preparation is essential
  4. Monitor the Digital Omnibus — the Commission's simplification proposal may modify some requirements
  5. Ensure AI literacy — staff training obligations are already in force since February 2025

Need help assessing your AI Act exposure? Schedule a free consultation.

Related articles

Author: Przemysław Kołakowski · Legal Counsel · Harbor Legal