AI Act: The Provisions Applicable to General-Purpose AI Models (GPAI) Become Effective

AI Act: The Provisions Applicable to General-Purpose AI Models (GPAI) Become Effective

Key Takeaways

A new set of provisions under the AI Act, primarily targeting General-Purpose AI Models, or GPAI came into effect on August 2.


The Regulation on Artificial Intelligence (AI Act), adopted on June 13, 2024, is being implemented in stages. After the prohibition of unacceptable-risk AI systems became effective on February 2, 2025, a new milestone was reached on August 2 with the entry into force of an additional set of provisions. These provisions primarily concern general-purpose AI models (GPAI), but also include rules on governance, enforcement of the AI Act, and certain aspects of the penalties framework.


1. Entry into Effect of the Provisions Applicable to General-Purpose AI Models

On August 2, 2025, the provisions concerning general-purpose AI models (GPAI), set out in Chapter V of the AI Act (Articles 51 to 56), officially came into effect.

This milestone was preceded in July by the European Commission’s publication of the Code of Practice and the Guidelines, two key documents aimed at helping GPAI model providers better understand the nature of their obligations under the AI Act and prepare for compliance.

The AI Act introduces two sets of obligations: general obligations applicable to all GPAI model providers (Article 52), and additional obligations for providers of GPAI models considered to pose systemic risk. For further details on these obligations, see our article: “AI Act: What Are the Obligations for Providers of General-Purpose AI Models (GPAI)?”

However, GPAI model compliance is subject to a phased timeline over two years:

    - New GPAI models placed on the market from August 2, 2025, must be compliant. That said, enforcement measures by the Commission (such as information requests, access to models, etc.) will only become applicable starting August 2, 2026;
    - For GPAI models already on the market as of that date, providers have until August 2, 2027, to bring them into compliance.


2. Provisions on AI Governance

Chapter VII of the AI Act (Articles 64 to 70), relating to governance, also entered into force on August 2, 2025.

These provisions concern the establishment of the structures responsible for implementing the Regulation, both at the European and national levels.

The European Artificial Intelligence Board (AI Board) is created. The AI Board is composed of one representative from each Member State. The European Data Protection Supervisor (EDPS) participates as an observer.

The primary role of the AI Board is to advise and assist the Commission and Member States in order to facilitate the consistent and effective application of the Regulation. This mission includes, in particular, the following tasks (Art. 66):

    - Contributing to coordination among national competent authorities responsible for enforcing the Regulation;
    - Collecting and sharing technical and regulatory expertise, as well as best practices, among Member States;
    - Providing guidance on the implementation of the Regulation, particularly regarding the supervision of rules applicable to general-purpose AI models;
    - Supporting the harmonization of administrative practices across Member States;
    - Publishing recommendations and written opinions on any relevant matter related to the implementation and enforcement of the Regulation;
    - Advising the Commission on international AI matters and contributing to cooperation with authorities in third countries and international organizations.

The AI Board also has an educational role, helping to build the organizational and technical expertise of national competent authorities and the Commission necessary to implement the Regulation.

Given the highly technical nature of AI and the rapid pace of innovation, the AI Board is supported by two advisory expert bodies: the advisory forum and a panel of independent Experts. Their respective roles are detailed in Articles 67 and 68 of the Regulation.

It is worth noting that the AI Board’s functions largely mirror those of the European Data Protection Board (EDPB).

In addition, the Regulation requires the designation of various national competent authorities, including at least one notifying authority and one market surveillance authority in each Member State.

At this stage, the specific authorities that will be designated in France are not yet confirmed, although the CNIL, ARCOM, and the DGCCRF are expected to be involved in the implementation of the AI Act.


3. Penalties

Finally, Chapter XII (Articles 99 to 101), concerning penalties, also enters into force on August 2, 2025, except for the penalties applicable to GPAI model providers (Article 101), which will take effect in two years.

As in the area of personal data protection, fines can be substantial. However, sanctions must be effective, proportionate, and dissuasive. They also take into account the size and turnover of the companies concerned, particularly “the interests of SMEs, including start-ups, and their economic viability” (Article 99(1)).

The amount of the fine depends on the type of infringement committed. Specifically:

    - Non-compliance with the prohibition on unacceptable-risk AI practices under Article 5 may result in administrative fines of up to EUR 35,000,000 or 7% of the total worldwide annual turnover of the company for the previous financial year, whichever is higher.

    - Failure to comply with any of the obligations imposed on providers, their authorized representatives, importers, distributors, or deployers of high-risk AI systems may result in administrative fines of up to EUR 15,000,000 or 3% of the total worldwide annual turnover for the preceding year, whichever is higher.

    - Providing incorrect, incomplete, or misleading information to notified bodies or national competent authorities in response to a request may result in administrative fines of up to EUR 7,500,000 or 1% of the total worldwide annual turnover, whichever is higher.

    - For SMEs, including start-ups, the lower amount applies in each case.

Fines may also be imposed on public sector bodies by the European Data Protection Supervisor (EDPS). The amounts are significantly lower than those applicable to private-sector entities. They may reach up to EUR 1,500,000 for violations related to prohibited AI systems and up to EUR 750,000 for non-compliance with other requirements or obligations under the Regulation.

The next milestone will occur on August 2, 2026, when most of the Regulation’s provisions will enter into application.

* * * * * * * * * * *


Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

August 2025 

Go back to News and Publications

Mots clés :

advertising (1) adwords (3) ai (24) arcep (3) arcom (12) artificial intelligence (10) audiovisual (1) blockchain (6) children (3) cjeu (2) cloud computing (2) cnil (15) commerce (4) communication (8) compliance (29) confidentiality (1) consumers (1) contract (5) cookies (6) copyright (5) cross-border data transfers (4) cybercrime (2) cybersquatting (3) data privacy (13) data privacy framework (2) database (1) domain names (2) dpf (2) drones (1) dsa (6) e-commerce (13) employee (3) encryption (1) eu (15) europe (14) france (11) gdpr (28) general data protection regulation (8) indexing (2) information technology (6) intellectual property (7) internet (32) ip (4) liability (5) métavers (3) nft (4) privacy (9) privacy shield (2) regulation (3) robotics (7) rpa (6) safe harbor (2) search engines (4) security (3) singapore (4) social media (5) software (5) tax (1) trademark (2) uas (1) unmanned aircraft (1) us (3) video game (3)