Article 53 requires GPAI providers to submit technical docs and cooperate with authorities. Here's what foundation model builders must actually do before August 2026.
If you're building or deploying a general-purpose AI model (GPAI) — think GPT-4, Claude, Mistral, or Llama — Article 53 of the EU AI Act creates a new set of obligations that kick in on August 2, 2026.
Unlike Articles 9–15 (which apply to high-risk AI systems), Article 53 targets GPAI providers directly. It requires technical documentation, transparency about training data, cooperation with authorities, and adherence to the AI Office's codes of practice.
This guide walks through what Article 53 actually requires, who it applies to, and what you need to prepare before the enforcement deadline.
Who Article 53 Applies To
Article 53 applies to providers of general-purpose AI models placed on the EU market. A GPAI model is defined as:
An AI model trained on large amounts of data, capable of performing a wide range of tasks, and intended to be integrated into various downstream systems or applications.
In-Scope Examples
- Foundation models (GPT-4, Claude, Gemini, Llama, Mistral)
- Multimodal models (DALL·E, Stable Diffusion, Midjourney)
- Embedding models distributed as APIs or libraries
- Code generation models (Codex, GitHub Copilot backend)
Out-of-Scope Examples
- A chatbot built on top of GPT-4 (you're a deployer, not a GPAI provider)
- A narrow-domain model trained only for sentiment analysis
- An internal model not placed on the EU market
If you're a downstream deployer (e.g., you use OpenAI's API to build a customer service bot), Article 53 does not apply to you directly — but Articles 9–15 might, depending on your use case.
Core Obligations Under Article 53
Article 53 establishes four primary requirements for GPAI providers:
1. Technical Documentation
You must prepare and maintain up-to-date technical documentation that includes:
- Model architecture and training methodology
- Data sources, including a description of training data and its provenance
- Compute resources used (e.g., GPU-hours, training duration)
- Testing and validation procedures
- Known limitations and intended use cases
- Measures taken to detect and mitigate bias
This documentation must be sufficient for the AI Office to assess compliance with the EU AI Act.
2. Transparency About Training Data
If your model was trained on copyrighted material, you must provide:
- A sufficiently detailed summary of the content used for training
- Compliance with Directive (EU) 2019/790 (the Copyright Directive)
This is the "copyright transparency" clause — it's designed to address concerns about models trained on scraped web data, books, or code repositories without explicit licensing.
3. Cooperation with the AI Office
You must cooperate with the European AI Office and national competent authorities, including:
- Responding to requests for information
- Providing access to documentation
- Participating in audits or assessments
Refusal to cooperate can trigger enforcement action.
4. Adherence to Codes of Practice
The AI Office will publish codes of practice for GPAI providers. These are voluntary frameworks, but:
- If you adhere to an approved code of practice, you benefit from a presumption of compliance with Article 53.
- If you don't adhere, you must demonstrate compliance through other means.
Codes of practice are expected to cover:
- Model evaluation benchmarks
- Red-teaming and adversarial testing
- Incident reporting
- Transparency about model capabilities and limitations
Article 53 vs. High-Risk AI System Requirements
| Requirement | Article 53 (GPAI Providers) | Articles 9–15 (High-Risk AI Systems) |
|---|---|---|
| Who it applies to | Foundation model providers | Deployers of high-risk AI systems |
| Documentation scope | Model training, data, architecture | System-level risk management, data governance |
| Conformity assessment | Self-assessment + AI Office oversight | Third-party assessment (Annex VII systems) |
| Ongoing obligations | Cooperation with AI Office, code of practice adherence | Monitoring, logging, human oversight, incident reporting |
| Penalties for non-compliance | Up to €15M or 3% of global turnover | Up to €35M or 7% of global turnover |
Key takeaway: If you're a GPAI provider and your model is integrated into a high-risk system, you face both Article 53 obligations (as the model provider) and Articles 9–15 obligations (as the system deployer or in cooperation with the deployer).
What "Systemic Risk" GPAI Models Must Do (Article 53 + Annex XIII)
If your GPAI model meets the systemic risk threshold — defined as models trained with compute exceeding 10²⁵ FLOPs — you face additional obligations under Annex XIII:
- Model evaluation (including adversarial testing)
- Assessment and mitigation of systemic risks (e.g., misuse for cyberattacks, CBRN threats)
- Tracking and reporting of serious incidents
- Cybersecurity protections for model weights and infrastructure
- Energy efficiency reporting
As of April 2026, this threshold captures models like:
- GPT-4
- Claude 3 Opus
- Gemini Ultra
- Llama 3 405B
Smaller models (e.g., Mistral 7B, Llama 3 8B) are subject to Article 53 but not the systemic risk obligations.
Practical Compliance Checklist for Article 53
Here's what you should prepare before August 2, 2026:
| Task | Owner | Deadline |
|---|---|---|
| Draft technical documentation (architecture, training data, compute) | ML Engineering | Q2 2026 |
| Document copyright compliance for training data | Legal + Data | Q2 2026 |
| Identify applicable code of practice and map adherence | Compliance Lead | Q3 2026 |
| Establish AI Office liaison and incident reporting process | Compliance Lead | Q3 2026 |
| (If systemic risk) Conduct adversarial testing and document results | ML Engineering + Security | Q2 2026 |
| (If systemic risk) Implement model weight access controls | Security | Q2 2026 |
Example: A Startup Building a Code Generation Model
Scenario: You're building a code completion model (similar to GitHub Copilot) trained on 500B tokens of open-source code from GitHub, Stack Overflow, and public documentation.
Article 53 obligations:
Technical documentation: Document your model architecture (e.g., transformer-based, 7B parameters), training data sources (GitHub repos, Stack Overflow posts), and compute used (e.g., 10²³ FLOPs on 128 A100 GPUs over 14 days).
Copyright transparency: Provide a summary of the repositories used for training. If you scraped GPL-licensed code, document how you comply with the Copyright Directive (e.g., attribution, license compatibility).
Cooperation: Designate a compliance contact who can respond to AI Office requests within 30 days.
Code of practice: Monitor the AI Office's published codes of practice for GPAI models. If one covers code generation models, map your practices to it (e.g., "We red-team for code injection vulnerabilities and document results quarterly").
What you DON'T need to do under Article 53:
- Conformity assessment (that's for high-risk systems, not GPAI models)
- Logging of user queries (that's an Article 12 obligation for high-risk system deployers)
- Human oversight (again, Article 14 for high-risk systems)
However, if a customer deploys your model in a high-risk context (e.g., an AI system that screens job candidates — Annex III.4), they become subject to Articles 9–15, and you may need to provide them with documentation to support their compliance.
Common Mistakes GPAI Providers Make
Mistake 1: Assuming Article 53 Only Applies to "Big Tech"
Reality: Article 53 applies to any GPAI provider placing a model on the EU market, regardless of company size. If you're a startup offering a fine-tuned Llama model via API, you're in scope.
Mistake 2: Confusing GPAI Obligations with High-Risk System Obligations
Reality: Article 53 is about the model. Articles 9–15 are about the system. If you provide a model API, you're subject to Article 53. If you deploy that model in a high-risk use case, you're also subject to Articles 9–15.
Mistake 3: Waiting for the AI Office to Publish Codes of Practice
Reality: Codes of practice may not be finalized until late 2026 or early 2027. You should prepare technical documentation and copyright summaries now, rather than waiting for official guidance.
Mistake 4: Treating Documentation as a One-Time Exercise
Reality: Article 53 requires up-to-date documentation. If you retrain your model, change your training data mix, or discover new limitations, you must update your documentation.
How Vigilia Helps GPAI Providers
If you're a GPAI provider, Vigilia's audit tool can help you:
- Map your model to Article 53 requirements: Identify which obligations apply (standard GPAI vs. systemic risk).
- Generate a compliance checklist: Article-by-article gap analysis covering Article 53, Annex XIII, and related transparency obligations.
- Document your compliance posture: Audit-ready PDF you can share with the AI Office, investors, or enterprise customers.
The audit takes 20 minutes and costs €499 — versus €5,000–€40,000 for a traditional compliance audit.
Generate your Article 53 compliance report →
With 101 days until EU AI Act enforcement, now is the time to document your GPAI model's compliance posture. Article 53 doesn't require third-party certification, but it does require you to have your documentation ready when the AI Office comes knocking.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified EU AI Act attorney for guidance on your specific situation.
Originally published at Vigilia.
Top comments (0)