The AI Act has had a phased entry into force since 2 August of last year, as we explained in an earli­er blog post. Pre­vi­ously, the oblig­a­tions to phase out pro­hib­ited AI sys­tems and to ensure AI lit­er­acy already came into effect. As of 2 August 2025, the oblig­a­tions under the AI Act for pro­viders of gen­er­al-pur­pose AI mod­els also apply. In this blog, we out­line these oblig­a­tions.

What are gen­er­al-pur­pose AI mod­els?

These are mod­els cap­able of per­form­ing a broad range of dif­fer­ent tasks and suit­able for a vari­ety of applic­a­tions. For example, AI mod­els that can gen­er­ate text or sum­mar­ize doc­u­ments without hav­ing been spe­cific­ally developed for a par­tic­u­lar sec­tor or use case. Examples include the AI mod­els under­ly­ing AI sys­tems such as Chat­G­PT, Claude, and Google Gem­ini.

What are the oblig­a­tions for pro­viders of such mod­els?

Pro­viders of gen­er­al-pur­pose AI mod­els must, among oth­er things, pre­pare tech­nic­al doc­u­ment­a­tion, make inform­a­tion avail­able about the cap­ab­il­it­ies and lim­it­a­tions of the AI mod­el, and be trans­par­ent about the train­ing data used. Addi­tion­al oblig­a­tions apply to AI mod­els with a “sys­tem­ic risk”, mean­ing AI mod­els whose cap­ab­il­it­ies have a major impact, for example on pub­lic safety. The core of these addi­tion­al oblig­a­tions is to identi­fy, mit­ig­ate, and mon­it­or sys­tem­ic risks.

An AI mod­el can be integ­rated into an AI sys­tem, which also con­sists of, among oth­er things, soft­ware and inter­faces that enable the applic­a­tion of the mod­el in a spe­cif­ic con­text. Gen­er­al-pur­pose AI sys­tems – like oth­er AI sys­tems – are sub­ject to the gen­er­al oblig­a­tions under the AI Act, such as trans­par­ency require­ments and, where applic­able, the per­form­ance of a con­form­ity assess­ment.

The European AI Office has pub­lished a Code of Practice for gen­er­al-pur­pose AI mod­els: the Gen­er­al-Pur­pose AI Code of Prac­tice. The Code of Prac­tice is designed to help pro­viders com­ply with the oblig­a­tions under the AI Act. Among oth­ers, OpenAI, Microsoft, and Google have signed the Code of Prac­tice.

What should organ­iz­a­tions that pro­cure or use AI sys­tems con­sider?

As of 2 August 2025, the oblig­a­tions described above for pro­viders of gen­er­al-pur­pose AI mod­els apply. At the same time, organ­iz­a­tions are increas­ingly using AI sys­tems such as Chat­G­PT or Copi­lot.

Before pro­cur­ing or deploy­ing an AI sys­tem with­in the organ­iz­a­tion, it is advis­able to assess which AI sys­tem best matches the organization’s object­ives and risk pro­file. Key con­sid­er­a­tions include any lim­it­a­tions of the AI sys­tem that may make it unsuit­able or risky for the inten­ded applic­a­tion (such as hal­lu­cin­a­tions) and the level of trans­par­ency regard­ing the AI system’s func­tion­ing.

Once the right AI sys­tem has been selec­ted, thor­ough con­tract­ing with the AI sys­tem pro­vider is essen­tial. Clear agree­ments should be made on the pur­pose, cap­ab­il­it­ies, and inten­ded use of the AI sys­tem, the secur­ity require­ments (such as ISO cer­ti­fic­a­tion), the avail­ab­il­ity of inform­a­tion about the AI sys­tem, and the ser­vice levels, includ­ing uptime and response times for resolv­ing issues.

Organ­iz­a­tions of all sizes should also reg­u­late the use of AI intern­ally. This can be achieved through the adop­tion of an AI Code of Con­duct: a policy doc­u­ment set­ting out basic know­ledge about how AI works, sup­ple­men­ted with clear guidelines on the (per­mit­ted) use of AI with­in the organ­iz­a­tion. An AI Code of Con­duct thus con­trib­utes to both the respons­ible use of AI and the pro­mo­tion of AI lit­er­acy with­in the organ­iz­a­tion – an oblig­a­tion under the AI Act.

Do you have ques­tions about imple­ment­ing the AI Act, con­tract­ing with an AI sys­tem pro­vider, or draft­ing an AI Code of Con­duct? HVG Law is happy to assist. Please feel free to con­tact us to dis­cuss how we can sup­port your organ­iz­a­tion.