General-Purpose AI and Governance: The AI Office, GPAI Rules, and What's Next

The systems that captured the world's imagination — the large models behind today's chatbots and copilots — needed their own chapter in the EU AI Act. These general-purpose AI (GPAI) models can perform a huge range of tasks and increasingly form the foundation of other AI systems. Regulating them, and building the institutions to enforce the rules, is one of the most consequential parts of Regulation (EU) 2024/1689.

This is the final article in our AI Act series. For the foundations, see The EU AI Act Explained and High-Risk AI Systems. Here we look at GPAI obligations, the new European AI Office, the wider governance system, penalties, and the changes on the horizon.

What is a general-purpose AI model?

A GPAI model is trained on large amounts of data and can perform many different tasks. It is not an application in itself — it is a component that downstream developers build AI systems on top of. Because a single model can ripple across thousands of products, the Act places obligations on the model provider, not just on the businesses that use it.

Obligations for GPAI providers

Since 2 August 2025, providers of GPAI models have had to meet baseline transparency and accountability duties, including:

• Maintaining up-to-date technical documentation of the model.
• Providing information to downstream developers so they can comply with their own obligations.
• Publishing a summary of the content used for training.
• Respecting copyright rules, including the EU's text-and-data-mining provisions.

These obligations are designed to make the GPAI supply chain legible, so that the companies building on a model understand what they are working with.

When a model carries "systemic risk"

The most capable models get extra scrutiny. A GPAI model is presumed to carry systemic risk when it crosses a high threshold of capability — assessed, among other things, through the cumulative amount of compute used to train it. Models in this category must do more:

• Perform model evaluations, including adversarial testing, to find and fix weaknesses.
• Assess and mitigate systemic risks at EU level.
• Ensure an adequate level of cybersecurity.
• Track and report serious incidents to the AI Office.

To help providers meet these duties in practice, the Commission facilitated a General-Purpose AI Code of Practice, drawn up with developers, the scientific community and other experts. Open-source models receive some tailored treatment, reflecting their different distribution model, while still respecting core safety and copyright expectations.

The European AI Office

Enforcing GPAI rules across a continent requires an institution, and the Act created one: the European AI Office, established within the European Commission. With a staff of more than 125 — technologists, lawyers, economists and policy specialists organised into specialised units — the AI Office is the foundation of a single European AI governance system.

Its mandate is broad. The AI Office:

• Supports consistent application of the AI Act across Member States.
• Enforces the rules for GPAI models, with powers to evaluate models, request information, demand corrective action and apply sanctions.
• Develops tools, benchmarks and codes of practice to classify and assess models, including those with systemic risk.
• Promotes trustworthy AI through sandboxes, real-world testing and support for innovators.
• Leads international cooperation, promoting the EU's approach to trustworthy AI worldwide.

The wider governance system

The AI Office does not work alone. The Act sets up a network of bodies, most of them active from 2 August 2025:

• National competent authorities in each Member State oversee and enforce the rules for AI systems.
• The European Artificial Intelligence Board (AI Board) brings together Member State representatives to coordinate consistent application.
• A Scientific Panel of independent experts provides scientific advice and can flag systemic risks.
• An Advisory Forum gives industry, SMEs, academia and civil society a structured voice.

Voluntary initiatives complement this structure — the AI Pact for early compliance, the Apply AI Alliance for real-world coordination, and the AI Act Service Desk for practical questions.

Penalties for getting it wrong

The AI Act has teeth. Fines are set as a percentage of a company's global annual turnover or a fixed amount, whichever is higher, with the steepest penalties reserved for breaching the prohibitions on unacceptable-risk practices. SMEs and start-ups face proportionate fines, but no organisation should treat compliance as optional.

What's next: the Digital Omnibus

The framework is still evolving. In November 2025 the Commission proposed an "AI omnibus" — part of a wider Digital Simplification Package — with targeted amendments meant to keep the rules clear, simple and innovation-friendly, and a political agreement was reached in May 2026. The Commission also reviews the lists of prohibited practices and high-risk uses every year, and will deliver a broader evaluation by 2 August 2028. In other words, the AI Act is a living framework, not a finished monument.

Preparing for the GPAI era

If your business builds on GPAI models, three moves matter now:

1. Know your role. Understand whether you are a model provider, a downstream developer, or a deployer — your obligations differ sharply.
2. Demand documentation. Ask your model suppliers for the transparency information the Act entitles you to.
3. Watch the thresholds. If you train or substantially modify a powerful model, you may inherit provider obligations, including systemic-risk duties.

The GPAI rules and the AI Office together signal Europe's bet: that safety and innovation can reinforce each other. For organisations that engage early — through the AI Pact, sandboxes and good documentation — the framework is less a constraint than a roadmap to trustworthy, market-ready AI.

Revisit the start of the series with The EU AI Act Explained, or contact our team to map your GPAI obligations.