EU AI Act Compliance

GPAI Vendor Obligations Under the EU AI Act: What to Demand From OpenAI, Anthropic, and Google

Under the EU AI Act, general-purpose AI providers like OpenAI, Anthropic, and Google have legal obligations to give you documentation and transparency. Here is exactly what your contracts should require.

· 6 min read · By

EU-law graduate (Maastricht University) · MSc International Tax Law (AI & technology). Builds AI systems and advises SMEs on EU AI Act compliance.

GPAI vendor obligations under the EU AI Act are not optional extras buried in enterprise pricing tiers. They are hard legal requirements that apply to every provider placing a general-purpose AI model on the EU market, regardless of whether that provider is based in San Francisco or Seoul. If your company uses ChatGPT, Claude, or Gemini to assist with any business process, you are a deployer under the Act. That status comes with rights. Knowing those rights is the first step to enforcing them.

The Act entered into force on 1 August 2024. The provisions governing general-purpose AI (GPAI) models, found in Articles 51 through 56, apply from 2 August 2025. That means the compliance window for your vendors is already closing.


What the AI Act Actually Requires From GPAI Providers

A GPAI model is any AI model trained on broad data that can serve multiple tasks: text generation, summarisation, code, translation. OpenAI's GPT-4o, Anthropic's Claude 3.5 Sonnet, and Google's Gemini 1.5 Pro all qualify. Under Article 53, providers of these models must:

  • Draw up and maintain technical documentation covering training methodology, data sources, and compute used.
  • Make available a model card or equivalent that describes capabilities, limitations, and foreseeable risks.
  • Publish a summary of training data used, including a description of the content categories.
  • Establish and implement a policy for complying with EU copyright law.
  • Register the model in the EU database once it is publicly released.

For models assessed as posing systemic risk (currently those trained with more than 10^25 FLOPs), Article 55 adds further obligations: adversarial testing, incident reporting to the Commission within 30 days of a serious incident, and cybersecurity measures.

GPT-4, Claude 3, and Gemini Ultra all sit above the systemic-risk threshold. Their providers owe you the full stack of obligations.


What You Are Entitled to as a Deployer

This is the practical question: what can you actually demand?

Article 53(1)(b) requires that GPAI providers give downstream deployers and users the information necessary to comply with their own obligations under the Act. If you are building a workflow on top of Claude or integrating Gemini into an HR screening tool, you need documentation about what the model can and cannot do. The provider must supply it.

Specifically, you should be able to obtain:

Usage instructions. Clear guidance on intended use cases, known failure modes, and contexts where the model should not be deployed without additional safeguards.

Capability and limitation disclosure. Quantified where possible. Not "this model may occasionally make errors" but specifics: known performance gaps on certain languages, documented hallucination rates in domain-specific tasks, or limitations with dates and real-time information.

Information sufficient for a risk assessment. Under Article 26, you as a deployer must conduct a conformity assessment or fundamental rights impact assessment for high-risk AI use cases. You cannot do that assessment without knowing what the model actually does under the hood.

Incident reporting channels. If a GPAI model causes or contributes to a serious incident in your deployment, you need to know how to report it and what the provider's obligations are to notify the Commission.


Red Flags in Current Tool Terms of Service

Here is where things get uncomfortable. Most current terms of service from major GPAI providers were written before the AI Act passed. Some have been updated. Many have not.

Watch for these specific red flags:

Broad liability disclaimers with no carve-outs for regulatory obligations. A clause stating the provider bears "no responsibility for your use of outputs" is not automatically illegal, but it cannot override the provider's statutory obligations under Articles 53 and 55. If your vendor's ToS attempts to transfer all regulatory risk to you without providing the documentation required by law, that is a problem.

No documentation commitment. If the ToS contains no reference to model cards, technical documentation, or capability disclosures, ask directly. Under Article 53, this is not optional. A vendor who cannot point you to this documentation is either non-compliant or treating you as a consumer rather than a deployer with rights.

Incident reporting opacity. The Act requires systemic-risk model providers to report serious incidents. Your contract should specify: what counts as an incident, how you will be notified if a model update materially changes capability, and what the provider's timeline is for disclosure.

Unilateral model update clauses. Several providers reserve the right to update the underlying model without notice. If your AI system relies on a specific model version and the provider silently swaps it, your previous risk assessment may no longer be valid. This is not just a product concern; it is a compliance concern under Article 26.


What to Add to Your Vendor Contracts Right Now

Negotiating with OpenAI or Google on contract terms is not realistic for most SMEs. But enterprise agreements, API terms, and data processing addenda often have more flexibility than the standard consumer ToS suggests. Even where you cannot negotiate, documenting what the vendor provides (and what it does not) is itself a compliance act.

At a minimum, your vendor management file for any GPAI tool should contain:

  1. A copy of the provider's current technical documentation or model card, with a retrieval date. Links go stale; save the document.
  2. Written confirmation of the model version your integration uses, so that changes are detectable.
  3. The provider's incident reporting policy, including contact details and timelines.
  4. A summary of the provider's EU copyright compliance policy as required by Article 53(1)(c).
  5. The provider's EU AI Act compliance statement or roadmap, if published.

For high-risk use cases specifically (HR tools that assess candidates, systems that determine access to services, credit-related tools), you also need to be able to demonstrate to a national market surveillance authority that you selected a tool with sufficient transparency. Inadequate vendor documentation is your compliance gap, not just theirs.


Enforcement Is Coming and the Fines Are Real

Non-compliance with GPAI obligations carries penalties under Article 99 of up to €15 million or 3% of global annual turnover for providers, whichever is higher. For systemic-risk model violations the ceiling rises to €35 million or 7%.

Those fines fall primarily on providers. But deployers are not shielded. If you deploy a GPAI tool in a high-risk context without obtaining and reviewing the documentation that Article 53 requires providers to give you, you may be found to have failed your own Article 26 obligations. The Dutch Autoriteit Persoonsgegevens and equivalent national authorities across the EU are building AI supervision capacity now. Enforcement actions will follow the model used under GDPR: high-profile cases against large actors first, then sector sweeps.

Start the paper trail today. Request documentation from your providers. Log the response. If they cannot or will not provide what Article 53 requires, that is information you need before the next audit, not after.


One Action to Take This Week

Pull the terms of service and any available model cards for every GPAI tool currently in use at your company. Check whether each document includes the four elements listed above: capability disclosure, usage instructions, copyright compliance policy, and an incident reporting channel. Note the gaps. That gap list is your negotiation agenda and your compliance to-do list in one document.

If you want a structured way to run that exercise across your full tool stack, Khairos AI Comply offers a free 2-minute compliance check that maps your current tools against your EU AI Act obligations as a deployer. No vendor excuses. Just a clear picture of where you stand.

Need help getting compliant?

The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.

Start the free check →