Article 55: Obligations of providers of general-purpose AI models with systemic risk

Article 55 requires providers of GPAI models with systemic risk to perform model evaluations, assess and mitigate systemic risks, report serious incidents, and ensure an adequate level of cybersecurity.

Yes, Article 55 requires providers to report serious incidents and possible corrective measures without delay to the AI Office and competent authorities.

Article 55 of the AI Act does not provide a general exemption for SMEs. However, the AI Act includes supportive measures and potentially lighter obligations for small and medium-sized enterprises, depending on their role in the AI value chain.

Article 55 of the AI Act complements the GDPR. While the GDPR protects personal data, the AI Act focuses on the safety and trustworthiness of AI systems. Organisations must comply with both regulations when their AI system processes personal data.

The AI Act follows a phased implementation. Prohibited AI practices apply from February 2025, obligations for high-risk AI systems from August 2026, and other provisions take effect gradually. The specific deadline for Article 55 depends on the category of the obligation.

Yes, Article 55 of the AI Act may also be relevant when you purchase AI systems. As a deployer, you have your own obligations under the AI Act, regardless of whether you developed the system yourself or purchased it from a provider.

Under Article 55 of the AI Act, the provider is the entity that develops or places the AI system on the market, while the deployer is the entity that uses the system under its own authority. Both roles carry different obligations.

Article 55 of the AI Act requires that relevant documentation is maintained as part of the compliance process. This may include technical documentation, instructions for use, logs or declarations of conformity, depending on the classification of the AI system.

On top of the basic obligations under Article 53, providers of GPAI models with systemic risk must: conduct model evaluations, perform adversarial testing (red teaming), report serious incidents to the AI Office, and ensure adequate cybersecurity measures.

A GPAI model is presumed to have systemic risk if cumulative training compute exceeds 10^25 FLOP (Article 51). The European Commission can also classify a model as systemic risk based on other criteria from Annex XIII (such as 10,000+ business users).

The European Commission maintains a register of GPAI models with systemic risk. Large models like GPT-4, Gemini Ultra and Claude with training above 10^25 FLOP likely fall under this category. Providers must notify the AI Office when their model reaches this threshold.