Understand your AI Act obligations.
Prove compliance.
Keep it aligned as AI evolves.

A practical compliance platform for companies deploying AI in the EU and the consultants who support them. Built around real deployments, not abstract models.

Join 300+ professionals already exploring AI Act compliance with Aigolex

The real AI Act problem

Companies don't know if they are AI providers, deployers, or both.

Obligations depend on how AI is used, not on the model itself.

Documentation becomes outdated as soon as systems or vendors change.

Audits, enterprise customers, and boards expect immediate answers.

AI Act compliance is not a one-time exercise.
It's an operational problem.

Compliance attaches to deployments, not to AI models

That's why the platform mirrors the structure of the AI Act itself

Company

the legal entity ultimately responsible for compliance

Workspaces

distinct operational perimeters where AI is developed, tested, or used

AI assets

the underlying AI systems or models, independent from any single feature

Deployments

how those AI assets are actually used in practice, by whom, and for what purpose

Under the AI Act, obligations, risk classification, and roles attach to deployments not to AI models in isolation. This ensures compliance decisions reflect real-world AI use, not theoretical system descriptions.

Scope

Define where AI exists, how it's used, and who is responsible.

•Maps AI usage across companies and workspaces
•Identifies AI assets and their concrete deployments
•Determines your role under the AI Act (provider, deployer, or both)

Misclassifying your role means misapplying every obligation that follows.

Obligations

Know exactly what the AI Act requires, per deployment.

•Assigns regulatory requirements at the deployment level
•Based on role, risk classification, and usage context
•Generates clear, trackable checklists
•Separates applicable obligations from irrelevant ones

The AI Act is obligation-driven. Guessing is not a strategy.

Evidence

Always-ready documentation to prove compliance.

•Centralizes compliance documentation per workspace and deployment
•Includes system descriptions and risk assessments
•Tracks human oversight measures and monitoring controls

Static documents fail the moment reality changes.

Continuity

Stay compliant as AI systems, vendors, and uses change.

•Monitors changes to AI assets, deployments, and operational perimeters
•Flags when obligations or risk levels must be updated
•Alerts when documentation needs to be refreshed

Most compliance failures happen after the first assessment.

AI Act compliance readiness assessment

Identify your AI Act obligations, classify risk exposure, and uncover compliance gaps — with a guided interactive assessment.

Built for teams that can't ignore regulation

EU-based or EU-operating

Active AI deployments

Exposure to audits

Legal & compliance leaders

Risk & trust teams

Engineering leaders accountable for AI systems

Built by people who've done this before

Experience in legaltech and regulated environments

Built with legal and technical teams

Not Big-4 complexity

Prepare now. Don't scramble later.

AI Act

AI Act: What obligations apply to developers of General-Purpose AI (GPAI) models?

Aigolex Team3 March 2026

With the entry into force of the European AI Act, General-Purpose AI (GPAI) models — meaning general models like LLMs, multimodal models, or foundation models — are also subject to specific obligations.

The legislator's goal is simple: to ensure transparency, accountability, and risk management for technologies that can be integrated into thousands of different applications.

The main obligations for GPAI providers are defined primarily in Articles 53–56 of the AI Act.

Let's see what this means in practice.

1. Technical documentation of the model

Developers of a GPAI model must create and maintain detailed technical documentation describing the model and its development process.

This documentation must include information such as:

•Model architecture
•Number of parameters
•Input and output modalities
•Intended purpose and possible uses
•Training methods
•Data used for training, validation, and testing
•Computational resources used
•Estimated energy consumption

This information must be made available to competent authorities upon request.

The purpose is to allow authorities and actors in the AI supply chain to understand how the model works and how it was built.

2. Information for downstream users

Providers must provide sufficient information so that those integrating the model (for example, companies building AI applications) can use it in compliance with the regulation.

This includes:

•Technical instructions for integration
•Limitations of the model
•Acceptable use policies
•Information on known risks

In practice, if someone builds an AI product on top of your model, they must have the tools to comply with the AI Act themselves.

3. Copyright compliance policy

One of the most debated obligations concerns training data.

Providers must:

•Implement a policy to respect European copyright law
•Identify and respect any opt-outs from rights holders
•Properly manage protected content used in datasets

This obligation applies even if the model's training took place outside the EU.

4. Transparency on training data

Providers must publish a summary of the content used for training the model.

It is not required to reveal every single dataset or file (to protect trade secrets), but the summary must indicate:

•Main data sources
•Categories of datasets
•Archives or databases used

The goal is to allow interested parties, such as authors or publishers, to understand if their content might have been used in training.

5. Authorized representative in the EU (for non-EU providers)

If the model provider is not based in the European Union, they must appoint an authorized representative in the EU.

This representative:

•Acts as a point of contact with European authorities
•Can be responsible for communications and compliance checks

The goal is to prevent companies outside the EU from selling models in the European market without legal accountability.

6. Additional obligations for models with "systemic risk"

Some very powerful models (for example, large foundation models) can be classified as GPAI with systemic risk.

In this case, obligations increase and include:

•In-depth model evaluations
•Safety testing and adversarial testing
•Analysis and mitigation of systemic risks
•Reporting of serious incidents to authorities
•Advanced cybersecurity measures

These measures serve to reduce risks that could have large-scale impacts on society or the economy.

7. Adoption of codes of practice

The European AI Office encourages GPAI providers to adhere to codes of practice.

These codes serve to:

•Standardize compliance practices
•Define common metrics and procedures
•More easily demonstrate compliance with the regulation

If a provider follows a recognized standard, they can obtain a presumption of conformity with respect to certain obligations.

Conclusion

Developers of General-Purpose AI models must face a new regulatory responsibility.

In summary, the provider must:

•Document the model and the development process
•Provide information to downstream developers
•Respect copyright in training data
•Publish a summary of data sources
•Appoint an EU representative if necessary
•Manage and mitigate systemic risks (for more powerful models)

The AI Act does not ban the development of foundation models, but it introduces a new rule of the game: transparency and accountability along the entire AI supply chain.

Or, translated into less diplomatic language: you can build the next revolutionary model, but Europe wants to know how you trained it, what it can do, and what risks it brings with it.

Understand your AI Act obligations.Prove compliance.Keep it aligned as AI evolves.