Modified GPAI Models, EU AI Act - Grandfathering to the Rescue?

GPAI models will be regulated under the EU AI Act, but important guidance is missing. Applying the grandfathering provision to modified models may be a solution.

01 July 2025

The first draft of the EU AI Act (Act) in April 2021 focused principally on AI systems and their use. Following the proliferation of generative AI, the final Act incorporated an additional regime addressing "general-purpose AI (GPAI) models".

GPAI models

GPAI models are the foundation of many AI-powered products and services. They are critical to the AI supply chain and ecosystem, and crucial in allowing the EU to keep pace with technological advancements. At the same time, especially in the hands of malicious actors, GPAI models can create risks.

The Act therefore lays down obligations for GPAI models and additional obligations for GPAI models with systemic risk (GPAISR models), being the most powerful GPAI models. These obligations will apply to GPAI models placed on the EU market after 2 August 2025.

Modified GPAI models

The Act's regime for GPAI models is far from straightforward. The Act is vague on what constitutes a GPAI model and contains only a few brief requirements for GPAI and GPAISR model providers.

This issue is compounded by the fact that GPAI models are often modified (e.g. fine-tuned) to different degrees. This might be done by the original provider (e.g. OpenAI fine-tuning GPT 3.5 for integration into ChatGPT) or by a downstream user (e.g. a retailer fine-tuning GPT 3.5 for integration into a customer-facing chatbot).

There are likely to be thousands of modified versions of original GPAI models in the EU (if not more). The extent and nature of these modifications are likely to vary considerably, from minor tweaks to a small number of parameters, to larger, more complex modifications with large volumes of additional training data.

It is currently unclear if and how modified GPAI models are caught by the Act and how the GPAI model obligations apply to these modified models.

GPAI model guidance

Given this uncertainty and its inherent complexity, the GPAI model regime will be supplemented by:

  • GPAI Guidelines: intended to clarify core concepts relating to GPAI models, including modifications.
  • GPAI Code of Practice: intended to provide more detail on how to comply with the GPAI model requirements.

Despite their obvious importance, these documents are not expected until mid-July. This fundamentally does not leave enough time to factor this guidance into what are, in reality, complex scoping and compliance exercises to identify which GPAI models and modified GPAI models fall within the scope of the Act and to ensure that they are compliant when released post-2 August 2025.

Postponing the GPAI model regime

Given this fundamental issue, there are currently ongoing discussions among Member States and EU institutions about postponing the date of application of the GPAI model regime.

This would provide much-needed legal certainty to GPAI model developers and downstream modifiers of GPAI models alike. It would also be consistent with the fact that regulatory enforcement of the GPAI model obligations cannot begin until August 2026.

The problem is that time is running short. The EU can enact, and has previously enacted, legislative changes urgently, but the window for action is closing rapidly.

Grandfathering of GPAI models

If postponing the date is unachievable, this fundamental issue could be mitigated to some extent by grandfathering provisions in the Act. Under Article 111(3):

  • Where both unmodified and modified GPAI models are each placed on the market pre-2 August 2025, they will not be subject to the GPAI model requirements until 2 August 2027, while
  • Where both GPAI models and modified versions of those models are each placed on the market post-2 August 2025, they will not be subject to grandfathering and will need to comply with the rules as from that date.

This is a sensible provision that reflects the significant time and effort required to scope and implement compliance for GPAI models. It also mitigates some of the significant current uncertainty around GPAI models.

However, a key point remains unclear: if and to what extent grandfathering applies to modified GPAI models placed on the market post-2 August 2025 which are based on an original GPAI model placed on the market pre-2 August 2025, i.e. where the original, unmodified GPAI model is subject to grandfathering.

There are likely to be a significant number of modified models impacted by this issue, both for GPAI model providers and downstream users.

Grandfathering should also apply to GPAI model modifications

Even leaving aside the current uncertainty, there are strong reasons why grandfathering should apply to modified GPAI models placed on the market after 2 August 2025, where the original model is subject to grandfathering:

  • Improving legal certainty: It would be farcical for minor modifications (e.g. a minor tweak to a few parameters of a GPAI model) to attract compliance requirements when the entire original GPAI model is not subject to any such requirements. At the same time, there is a risk of drawing an arbitrary distinction, which may not be easy to apply in practice (especially for downstream users), by attempting to draw a line between minor and more substantial modifications. It is far more sensible, and in line with EU law principles (particularly legal certainty), to say that grandfathering should apply to all modifications.
  • Promoting a meaningful compliance regime: Compliance measures for modified GPAI models are intrinsically linked to compliance measures for the original GPAI model. It isn't possible, for example, to have a meaningful explanation of changes to model architecture when there will be no regulatory documentation available that explains the overall architecture for the original GPAI model due to grandfathering.
  • Avoiding disproportionate and unfeasible compliance burden on downstream users, particularly SMEs: Many downstream users rely on modified GPAI models, which form the basis for countless AI systems in the EU. Making modified GPAI models subject to compliance requirements in circumstances where the original GPAI model is not subject to any requirements would place a disproportionate and unfair burden on these users, which will include many SMEs. This issue is also likely to delay launches of AI products and hinder innovation generally given that it takes time to implement compliance measures, a process which itself is currently unfeasible given the lack of guidance.
  • Encouraging innovation and adoption: For similar reasons, making some or all modified GPAI models subject to compliance requirements in the absence of being able to leverage existing compliance documentation is likely to have a significant chilling effect on innovation, at least in the short term, discouraging users from modifying and integrating GPAI models into new and innovative AI systems.
  • Preventing unworkable litigation: There is a one-year grace period on regulatory enforcement for GPAI models and modified GPAI models (i.e. until 2 August 2026), but there is an immediate private litigation risk for non-compliant modified models placed on the market from 2 August 2025. This would again create a farcical situation in which litigation could be brought against downstream modifiers of GPAI models, while the original model is protected due to grandfathering.

Solution

At a time of significant uncertainty and potential damage to the credibility of the GPAI model regime (and the Act more generally), the EC can rescue the situation and provide much-needed legal certainty if it clarifies in the forthcoming GPAI guidelines that, where an original GPAI model is subject to grandfathering, all modified models released after 2 August 2025 which are based on that original model are also subject to grandfathering.
