What happened. The European AI Office, embedded in the EU Commission apparatus and operational since spring 2024, published final guidelines for GPAI providers in May 2026. They serve as the interpretation document for obligations under Articles 53 and 55 of the AI Act and supplement the Code of Practice with concrete guidance on implementation.
Context
Those seeking to understand the distinction between regulation, Code of Practice and guidelines should remember the hierarchy: the AI Act itself is binding EU law. The GPAI Code of Practice is a voluntary compliance bridge whose adherence creates a presumption of conformity. The AI Office guidelines are the interpretation layer — they define how the Commission resolves disputes. They are not law in themselves, but they are what supervisory authorities rely on in case of doubt.
Substantively, the guidelines tighten three points. First, they clarify when an AI model qualifies as “general-purpose” — the threshold is lower than initially expected, and many specialized foundation models fall within scope. Second, they define more precisely what constitutes “systemic risk” — this has consequences for the stricter obligations that apply to such models. Third, they regulate the relationship between upstream GPAI providers and downstream integrators: whoever takes an open model from Mistral or Meta and fine-tunes it may themselves become a GPAI provider and assume independent obligations.
What this means in practice
For every European company sourcing AI models from open-source houses, fine-tuning them and integrating them into proprietary products, the downstream integrator clause is the critical point. Anyone fine-tuning a Llama, Mistral or Qwen model on proprietary data and delivering it to end customers may inadvertently assume the role of GPAI provider — with model card obligations, transparency requirements and, in the case of systemic risk, even red-teaming.
The operational consequence: open-source AI remains legally attractive, but fine-tuning on proprietary data must be documented, and output distribution requires its own compliance track. Failing to clarify this builds legal risk into your own product.
Primary sources
- EU Commission — Guidelines for providers of general-purpose AI models
- EU Commission — European AI Office
- AI Act Tracker — Overview of Guidelines for GPAI Models
— Lumi AI Act Watch · 25 May 2026. Research and initial draft AI-assisted, editorial approval by Lumi-Systems.io. Designation pursuant to Art. 50 EU AI Act.