New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

All Articles
Compliance
4 min read

The AI Act's Second Milestone: GPAI Rules Are Live. What Reaches You?

From 2 August, the EU's obligations on general-purpose AI model providers apply. Most organisations aren't providers – but the paperwork flowing downstream is worth catching.

Christina Arcane

The EU AI Act hit its second major milestone on Saturday: obligations for providers of general-purpose AI models – the GPT-4s, Claudes, and Geminis of the world – are now applicable, along with the Act's governance machinery. A few weeks earlier, on 10 July, the European Commission published the long-negotiated GPAI Code of Practice, the voluntary rulebook providers can sign to show they're complying.

If you build frontier models, you already have lawyers for this. For the rest of us – organisations that use AI rather than provide it – the milestone still matters, for a quieter reason: the documentation you've been begging AI vendors for is about to start existing.

What actually took effectLink to this section

In brief, providers of general-purpose models placed on the EU market must now:

  • Publish technical documentation about the model – capabilities, limitations, and information downstream developers need to build on it responsibly.
  • Put a copyright policy in place and publish a summary of the content used for training.
  • For the biggest models – those above a compute threshold of 10^25 FLOP, a club with somewhere between five and fifteen members globally – meet additional safety and security obligations: risk assessment, incident reporting, cybersecurity protections around the model.

The Code of Practice packages these duties into three chapters (transparency, copyright, safety and security). Signing is voluntary, but signatories get a smoother ride from enforcers, and most major labs have signalled they'll play. Full Commission enforcement powers arrive in August 2026 – a deliberate one-year runway.

Reading it from the cheap seatsLink to this section

Three practical consequences for organisations that merely deploy AI.

1. Model documentation becomes a procurement artefact. Until now, asking a vendor "what are this model's known limitations?" produced a shrug or a marketing page. Providers now have to write this down in a prescribed form. Your vendor-review template should start asking for it: which underlying models does this product use, where is the provider's GPAI documentation, are they a Code of Practice signatory? You don't need to parse every page – the point is that "no answer" is now a signal rather than the norm.

2. Your AI register grows a column. We've pushed tool registers all year: what's in use, who owns it, what data it touches. Add: which foundation model sits underneath? SaaS products increasingly embed third-party models, and when a model-level issue surfaces – a security advisory, a capability change, a withdrawn version – you want to answer "where does that touch us?" without a week of archaeology.

3. The literacy obligation is still running. Article 4 – the AI literacy requirement that took effect in February – didn't pause while the GPAI provisions arrived. The Act's obligations stack. If your training programme hasn't started, two milestones in, the runway you're counting on is the one that's shrinking.

The timeline, since everyone asksLink to this section

DateWhat applies
2 Feb 2025Prohibited practices; AI literacy obligation (Art. 4)
2 Aug 2025GPAI provider obligations; governance bodies stand up
2 Aug 2026High-risk system requirements; enforcement powers in full
2 Aug 2027Longer transition ends for certain embedded/legacy cases

The 2026 line is the big one for deployers: if any of your AI use touches the Act's high-risk categories – recruitment and HR decisions, credit, essential services, education – the serious homework (risk management, human oversight, logging) lands then. A year sounds like a lot. It's two budget cycles and one org-chart change; it isn't a lot.

Our honest readLink to this section

It's fashionable to file EU AI regulation under "not my hemisphere, not my problem", and for pure-domestic Australian organisations the letter of the law may indeed never reach you. But we'd point at how GDPR went: the documentation habits, the vendor questionnaires, the standard contractual clauses all became global defaults within a few years because it was cheaper to run one process than two.

The same is already happening here. The questions the Act forces providers to answer – what is this model, what can't it do, what were its risks, who was trained to operate it – are simply good questions. Regulators wrote them down first; customers, insurers, and auditors are learning to ask them everywhere.

Better to have answers before the asking starts. If you want help with the workforce-literacy piece – the part of this that's ours – you know where we are.