EU AI Act - General Purpose AI (GPAI) Requirements and Implications for Israeli Companies

In July 2025, the European Commission released a package clarifying obligations for General Purpose AI (GPAI) under the EU AI Act:

• Code of Practice for GPAI (July 10, 2025);¹
• Guidelines on the scope of GPAI obligations (July 18, 2025);²
• Template for the public summary of training content (July 24, 2025).³

The obligations apply from August 2, 2025:

• New GPAI models placed on the EU market after that date must comply immediately.
• GPAI models already on the market must comply by August 2, 2027.
• The Commission’s enforcement powers will apply from August 2, 2026.

Definition of GPAI

• GPAI models are defined as those with “significant generality” and the ability to perform a wide range of distinct tasks (not just a single application), such as language generation, text-to-image, text-to-audio, or text-to-video.
• Models trained at or above 10²³ FLOPs (i.e., floating point operations – a standard measure of the total computational workload, here referring to the effort required to train an AI model) are presumed to be GPAI, though the final assessment also considers the model’s generality and capability.
• Models trained at or above 10²⁵ FLOPs are presumed to have “high-impact capabilities” and thus to pose systemic risk, triggering enhanced obligations. The Commission has confirmed that this benchmark is under review.

Obligations for GPAI Providers

As of August 2, 2025 (and subject to the timeline mentioned above), all GPAI providers must:

• Prepare and maintain technical documentation (Model Documentation Form) – concise, high-level disclosures about model properties (architecture, modalities, size), licensing and distribution methods, intended and acceptable uses, training process, datasets, and compute and energy consumption. 
• Implement a copyright compliance policy – this includes using state-of-the-art technologies to comply with rights reservations. The voluntary Code of Practice includes commitments to avoid circumvention of paywalls or scraping piracy sites, comply with robots.txt and similar signals, mitigate risks of copyright-infringing outputs (including through user terms of service) and designate a contact point for copyright complaints.
• Publish a training-data summary – In addition to the documentation form, providers must publish a public summary of training content, disclosing various data characteristics, identification of public and private data sources, and measures taken to filter unlawful content and respect copyright.

Implications for Israeli Companies

Although these rules apply directly to GPAI providers, they will have practical effects for Israeli companies that use or integrate GPAI models:

• Terms of use will change – GPAI providers are expected to update their terms to reflect new obligations. This may include audit or reporting rights, restrictions on sensitive uses, and requirements to accept new disclosures and policies. We recommend that companies monitor updates to such terms of use and ensure they comply accordingly.
• More vendor disclosures – As of August 2025 (and subject to the timeline mentioned above), GPAI providers are required to publish documentation and training-data summaries. Companies may leverage these disclosures to assess whether a model meets their requirements, or to gain insights into its design choices and limitations. This transparency will hopefully also provide companies some visibility into additional information that may be valuable for risk assessment. Companies that actively review such disclosures as they become available may be able to make better product and risk-management decisions.
• Responsible AI is expected – The EU framework raises expectations on governance and transparency. Even if not directly in scope, companies should keep records of their data sources (licensed, scraped, synthetic, customer, or user data), document testing and bias-mitigation, and adopt governance policies. These steps are increasingly expected by investors and partners as a sign of responsible practice. 
• Careful consideration should be given to modifications – The guidelines clarify that fine-tuning or materially modifying a GPAI model may bring a company itself into scope as a GPAI provider, to the extent that such modifications lead to significant change in the model’s generality, capabilities, or systemic risk. Companies should assess whether their modifications could trigger direct Provider obligations under the EU AI Act, to the extent they are subject to the EU AI Act. 

Israeli companies that use or integrate such models should remain attentive to the above potential implications, monitor provider disclosures and regulatory developments, and consider adopting responsible AI practices in line with evolving market expectations.

Please feel free to reach out to us should you have any questions.

¹The Code of Practice is a voluntary instrument, confirmed by the Commission as an adequate way for providers to demonstrate compliance. Providers who do not adhere must demonstrate compliance by other means and may face more scrutiny from the AI Office.

² The Guidelines clarify which models are considered GPAI and when modifications may turn a company into a GPAI provider.

³The Template is a mandatory format, provided by the AI Office, that all GPAI providers must use to draw up and make publicly available a sufficiently detailed public summary of the content used for training the model, in accordance with Article 53(1)(d) AI Act.