What is Article 55 of the EU AI Act?

Article 55 of Regulation (EU) 2024/1689 sets out the additional obligations that apply to providers of general-purpose AI (GPAI) models classified as having systemic risk. On top of the baseline Article 53 obligations that every GPAI provider must meet (technical documentation, copyright policy, transparency to downstream users), Article 55 requires: state-of-the-art model evaluations including adversarial testing, systemic risk assessment and mitigation, tracking + documenting + reporting serious incidents under Article 55(1)(c), and adequate cybersecurity protection. Article 55 applied from 2 August 2025 alongside the rest of the GPAI regime. Full Commission enforcement (with fines) starts 2 August 2026.

What is a GPAI model with systemic risk?

Article 51 of the EU AI Act defines GPAI with systemic risk by capability. The presumption trigger is the compute threshold: any model trained with a cumulative compute amount exceeding 10^25 FLOP is presumed to have high-impact capabilities and is therefore systemic-risk by default. The Commission can also designate a model systemic-risk based on other criteria (number of users, modalities, market influence). Frontier models from OpenAI (GPT-4 class and above), Anthropic (Claude 3 Opus class and above), Google (Gemini Ultra class), and Mistral's largest models are widely understood to exceed the threshold. Providers must notify the Commission within two weeks of foreseeing or reaching the 10^25 FLOP threshold.

What is the 10^25 FLOP threshold?

10^25 FLOP (floating-point operations) is the cumulative compute budget threshold that triggers systemic-risk classification under Article 51 of the EU AI Act. To put it in scale, training a model at this threshold takes weeks on tens of thousands of high-end GPUs. The threshold is deliberately set to capture frontier-scale foundation models. The Commission can update the threshold by delegated act under Article 51(3) as compute economics evolve. Below the threshold, a GPAI model is still subject to Article 53 obligations but not the additional Article 55 systemic-risk obligations. Notification to the Commission is required within two weeks of foreseeing or reaching the threshold.

What does Article 55(1)(c) require for incident reporting?

Article 55(1)(c) requires providers of GPAI models with systemic risk to keep track of, document, and report without undue delay to the AI Office and, where appropriate, to national competent authorities, relevant information about serious incidents and possible corrective measures. This is the GPAI counterpart to Article 73 incident reporting for high-risk AI systems but with different scope: Article 55(1)(c) covers model-level safety incidents (capability surprises, misuse incidents, jailbreak successes that lead to real-world harm) rather than deployment-level harm. The receiving authority is the AI Office at the European Commission, not national market surveillance authorities. The Code of Practice provides operational guidance on what constitutes a 'serious incident' for GPAI purposes.

What is the GPAI Code of Practice?

The General-Purpose AI Code of Practice is a voluntary tool published on 10 July 2025 by the European Commission, developed through an open multi-stakeholder process. It provides operational guidance on complying with Articles 53 and 55 of the EU AI Act. The Code has three chapters: Transparency (applying to all GPAI providers), Copyright (applying to all GPAI providers), and Safety and Security (applying only to providers of GPAI with systemic risk). Signing the Code is voluntary, but signatories are presumed to comply with the corresponding AI Act obligations. Major signatories include OpenAI, Anthropic, Google, and Mistral. Non-signatories must demonstrate compliance through other documented means; the Code is the easiest path to a presumption of conformity.

Who has signed the GPAI Code of Practice?

OpenAI, Anthropic, Google, and Mistral are among the major GPAI providers that signed the Code of Practice when it opened for signature in 2025. The full signatory list is maintained by the AI Office at the European Commission and updated as additional providers sign. The Code's signatory taskforce continues to develop additional guidance and updates. Non-signatories are not in breach of the AI Act by virtue of non-signature alone, but they lose the presumption of conformity and must demonstrate compliance through their own documentation and processes, which is more expensive and less legally certain than signing.

When does Article 55 enforcement start?

Article 55 obligations applied from 2 August 2025, the same date as the rest of the GPAI regime under the AI Act. However, the Commission's full enforcement powers (requesting information, ordering model recalls, imposing administrative fines under Article 101) only kick in on 2 August 2026. Between August 2025 and August 2026, GPAI providers are legally bound by Article 55 but face limited Commission enforcement action; this transitional period was designed to allow the AI Office to staff up and for providers to operationalise the Code of Practice. From 2 August 2026, Article 101 fines (up to EUR 15 million or 3% of global turnover, whichever is higher) become enforceable for Article 55 violations. The Digital Omnibus on AI deal of 7 May 2026 did not change this timeline.

Does Article 55 apply to deployers of GPAI models?

No, directly. Article 55 obligations bind providers of GPAI models with systemic risk, not deployers. A deployer using GPT-4 or Claude is subject to Article 4 AI literacy, the relevant Annex III high-risk obligations if the use case is high-risk, and the Article 50 transparency requirements where applicable. The provider's Article 55 obligations are upstream and do not flow through to the deployer. However, deployers benefit indirectly: Article 53(b) requires providers to make information available to downstream providers and deployers about the model's capabilities, limitations, and intended use cases. A deployer doing due diligence on a foundation model should ask the provider for that Article 53(b) information pack and verify whether the provider has signed the Code of Practice.

What fines apply for Article 55 violations?

Article 101 of the EU AI Act sets the penalty regime for GPAI providers. The ceiling is EUR 15 million or 3% of the provider's global annual turnover, whichever is higher. This mirrors the Tier 2 ceiling under Article 99 for deployers of high-risk AI. The same Article 99(7) mitigating and aggravating factors apply: nature and gravity of the infringement, intentional or negligent character, mitigation actions taken, cooperation with the AI Office, prior infringements, size of the undertaking. Late or absent Article 55(1)(c) incident reporting is its own ground for fine. Article 101 fines become enforceable from 2 August 2026.

GPAI providers OpenAI, Anthropic, Google, Mistral facing Article 55 systemic-risk obligations under EU AI Act

Deep dive: Article 55 + GPAI

Knowledge Library/Compliance/Article 55 GPAI systemic risk

ComplianceArticle 55GPAISystemic riskFree

EU AI Act Article 55: GPAI systemic risk obligations explained

Article 55 of the EU AI Act binds providers of general-purpose AI models with systemic risk: model evaluations including adversarial testing, systemic risk assessment + mitigation, serious incident reporting to the AI Office under Article 55(1)(c), and adequate cybersecurity. The 10^25 FLOP cumulative compute threshold triggers the systemic-risk classification. Article 55 has applied since 2 August 2025; full Commission enforcement powers (including Article 101 fines up to EUR 15 million or 3% of turnover) kick in on 2 August 2026. The Omnibus deal of 7 May 2026 did not change this regime.

John Ferguson

Founder, Agentic Fluxus · Published 15 May 2026 · 16 min

Article 55 in 60 seconds

Binds providers of GPAI models classified as systemic-risk
Threshold: 10^25 FLOP cumulative training compute (Article 51)
Obligations: model evaluations, adversarial testing, risk mitigation, incident reporting, cybersecurity
Article 55(1)(c) incident reports go to the AI Office, not national authorities
Applied from 2 August 2025; full Commission enforcement from 2 August 2026
Fines under Article 101: up to EUR 15M or 3% of turnover, whichever is higher
The Omnibus deal of 7 May 2026 did not change Article 55
Major signatories of the voluntary Code of Practice: OpenAI, Anthropic, Google, Mistral

Check the threshold

Are you above the 10^25 FLOP systemic-risk threshold?

Convert from H100 GPU-days, GPU-years, or raw FLOPs and see whether Article 55 obligations attach. Reference table for known frontier models included.

Open the checker

Who Article 55 actually applies to

Article 55 applies to providers of general-purpose AI (GPAI) models classified as having systemic risk under Article 51. Three things matter for that classification.

First, the model must be a GPAI model. Article 3(63) defines a GPAI model as an AI model trained on broad data, designed for generality of output, capable of competently performing a wide range of distinct tasks, and able to be integrated into a variety of downstream systems or applications. In practice this captures foundation models: GPT-4 and successors, Claude, Gemini, Llama, Mistral Large, and similar frontier models. Models trained for a single narrow task are not GPAI.

Second, the model must reach the systemic-risk threshold. Article 51(2) sets the trigger as cumulative training compute exceeding 10^25 floating-point operations (FLOP). Models below the threshold are still subject to the baseline Article 53 obligations (technical documentation, copyright policy, downstream transparency) but not the additional Article 55 systemic-risk obligations.

Third, even if a model is below the threshold, the Commission can designate it as systemic-risk under Article 51(1)(b) based on a separate set of criteria: number of users, modalities, scientific or technical complexity, market reach, or capabilities equivalent to those of state-of-the-art GPAI models. This is the Commission's escape hatch for capability surprises.

What changed on 2 August 2025

The GPAI provider regime under Articles 50 to 55 became enforceable on 2 August 2025. Before this date, the regulation was in force (since 1 August 2024) but the specific GPAI provisions had a 12-month transition period. From 2 August 2025 onwards:

Article 53 baseline obligations apply to every GPAI provider. Technical documentation under Annex XI, downstream-provider information packs under Annex XII, copyright policy, and a public summary of training data per Article 53(1)(d).

Article 55 obligations apply to systemic-risk GPAI providers. Model evaluations, risk assessment + mitigation, Article 55(1)(c) incident reporting, cybersecurity.

Notification to the Commission. Providers must notify the Commission within two weeks of reasonably foreseeing or reaching the 10^25 FLOP threshold (Article 52(1)).

Crucially, the 2 August 2025 date is when the obligations became legally enforceable. The Commission's enforcement powers (formal requests for information, model recalls, administrative fines) do not kick in until 2 August 2026. Between those two dates is a deliberate transitional period: providers are legally bound but the AI Office is staffing up, the Code of Practice is being operationalised, and the Commission's enforcement playbook is being finalised.

Newsletter

Weekly EU AI Act updates, delivered.

One email per week. Deadlines, enforcement actions, regulatory shifts. Curated by John Ferguson, founder of Agentic Fluxus. Unsubscribe anytime.

Article 53: the baseline every GPAI provider must meet

Before getting to the systemic-risk-specific Article 55 obligations, every GPAI provider must satisfy Article 53. These obligations are not specific to systemic risk; they apply whether your model is 10^22 FLOP or 10^27 FLOP.

Technical documentation (Article 53(1)(a))

Providers must draw up and keep up-to-date technical documentation of the model, including its training and testing process and the results of its evaluation. The minimum content is set out in Annex XI of the regulation. The documentation must be made available to the AI Office and national competent authorities upon request.

Downstream-provider information (Article 53(1)(b))

Providers must make information available to downstream providers of AI systems that intend to integrate the GPAI model into their own AI system. This information pack is set out in Annex XII and includes: capabilities and limitations of the model, intended use cases, the model architecture and training methodology, computational and energy use, technical means for integration, and acceptable use policies. This is the document deployers should request when evaluating a foundation model for compliance work.

Copyright compliance (Article 53(1)(c))

Providers must put in place a policy to respect EU copyright law, including identifying and complying with rights reservations under Article 4(3) of the Copyright Directive (Directive (EU) 2019/790). This is the legal hook behind the "robots.txt for AI training" debate; rights reservations must be honoured.

Training data summary (Article 53(1)(d))

Providers must draw up and make publicly available a sufficiently detailed summary of the content used for training of the GPAI model. The Commission and AI Office have published a template; the summary should describe categories of data, sources, and any specific identifiable data sets, without requiring providers to disclose proprietary specifics that would compromise commercial confidentiality.

The 10^25 FLOP cliff

What changes at the systemic-risk threshold

Below 10^25 FLOP cumulative training compute, GPAI providers carry Article 53 baseline only. Above the threshold, Article 55 adds four systemic-risk obligations on top. Article 51(3) lets the Commission update the threshold by delegated act.

Below threshold< 10^25 FLOP

Article 53 baseline only:

• Technical documentation (Annex XI)

• Downstream-provider info pack (Annex XII)

• Copyright policy + rights-reservation handling

• Public training-data summary

Penalty ceiling: EUR 15M / 3% for Article 53 violations under Article 101.

Above threshold≥ 10^25 FLOP

Article 53 baseline + Article 55:

+ 55(1)(a): model evaluations + adversarial testing

+ 55(1)(b): systemic risk assessment + mitigation

+ 55(1)(c): incident reporting to AI Office

+ 55(1)(d): cybersecurity protection

Notification within 2 weeks of foreseeing or reaching the threshold (Article 52(1)).

Models widely understood above the threshold (Code of Practice signatories): OpenAI GPT-4 class and above, Anthropic Claude 3 Opus class and above, Google Gemini Ultra class, Mistral's largest models. GPT-3 (175B params, 2020) was ~3.14 × 10^23 FLOP, two orders of magnitude below.

Methodology. Threshold derived from Article 51(2) of Regulation (EU) 2024/1689. The Commission can also designate a model as systemic-risk under Article 51(1)(b) on capability + reach criteria below the compute threshold. Penalty ceilings from Article 101. Sources: Article 51, Article 53, Article 55, Code of Practice.

Article 55: the additional load for systemic-risk GPAI

For models above the 10^25 FLOP threshold (or designated by the Commission as systemic-risk), Article 55 adds four obligations on top of Article 53.

Article 55(1)(a): Model evaluations including adversarial testing

Providers must perform model evaluation in accordance with state-of-the-art protocols and tools, including conducting and documenting adversarial testing of the model. The aim is to identify and mitigate systemic risks. The Code of Practice (see below) provides operational guidance on what "state-of-the-art" means in practice: red-teaming, capability evaluations against benchmarks, jailbreak resistance testing, misuse-potential analysis.

Article 55(1)(b): Systemic risk assessment and mitigation

Providers must assess and mitigate possible systemic risks at the Union level, including their sources, that may stem from development, placing on the market, or use of GPAI models with systemic risk. Article 3(65) defines systemic risk as a risk that is specific to the high-impact capabilities of GPAI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or society as a whole, that can be propagated at scale across the value chain.

Article 55(1)(c): Serious incident reporting

Providers must keep track of, document, and report without undue delay to the AI Office and, where appropriate, to national competent authorities, relevant information about serious incidents and possible corrective measures to address them. This is the GPAI analogue to Article 73 for high-risk AI deployers, but with different scope and a different reporting destination.

The Article 55(1)(c) clock

Without undue delay is the legal standard, not a specific number of days. The Code of Practice provides operational guidance: incident reports should reach the AI Office within days of awareness for capability-surprise incidents, and immediately for incidents involving actual real-world harm. The Article 73 clocks (2 / 10 / 15 days from awareness) are a reasonable benchmark even though they technically apply to high-risk AI deployers, not GPAI providers.

Article 55(1)(d): Cybersecurity

Providers must ensure an adequate level of cybersecurity protection for the GPAI model with systemic risk and the physical infrastructure of the model. This includes protecting model weights, training data, and inference infrastructure against unauthorised access, exfiltration, or tampering. The Code of Practice translates this into specific controls: weight encryption, access controls, supply-chain security for compute providers, vulnerability disclosure programmes.

The 10^25 FLOP threshold in context

10^25 FLOP is a big number that sounds abstract until you scale it. To train a model at the threshold takes weeks of compute on tens of thousands of high-end GPUs. GPT-3 (175B parameters, 2020) was trained at roughly 3.14 × 10^23 FLOP; GPT-4 is widely understood to exceed 10^25 FLOP. Claude 3 Opus, Gemini Ultra, and Mistral Large are similarly above the threshold by capability comparison.

The threshold is set deliberately to capture frontier-scale foundation models. The Commission can adjust it by delegated act under Article 51(3) as compute economics evolve. As training-efficiency improves, the same capability frontier can be reached at lower FLOP, so a lower threshold might apply in future delegated acts.

Threshold notification

Providers must notify the Commission within two weeks of foreseeing or reaching the 10^25 FLOP threshold (Article 52(1)). The notification triggers a 90-day window for the Commission to confirm or contest the classification. Reaching the threshold without notifying is itself an Article 101 violation.

The GPAI Code of Practice

The General-Purpose AI Code of Practice is a voluntary tool published by the European Commission on 10 July 2025. It was developed through a multi-stakeholder process involving GPAI providers, civil society organisations, academic researchers, and Member State authorities, coordinated by the AI Office. The Code's purpose is to provide operational guidance on complying with Articles 53 and 55.

The Code has three chapters, with different applicability:

Transparency. Applies to all GPAI providers. Operationalises Article 53 obligations on technical documentation, downstream-provider information, training-data summaries.

Copyright. Applies to all GPAI providers. Operationalises Article 53(1)(c) copyright policy obligations, including rights-reservation handling, opt-out mechanism implementation, and downstream-provider information about training data.

Safety and Security. Applies only to providers of GPAI models with systemic risk. Operationalises the four Article 55 obligations: model evaluations, risk assessment + mitigation, incident reporting, and cybersecurity.

Signing the Code is voluntary. The legal benefit of signing is significant: signatories are presumed to comply with the corresponding AI Act obligations. Non-signatories must demonstrate compliance through their own documentation and processes, which is more expensive, less legally certain, and more vulnerable to second-guessing by the AI Office. In practice, every major GPAI provider with EU market exposure has strong incentives to sign.

Who has signed

The Code opened for signature in 2025. OpenAI, Anthropic, Google, and Mistral are among the major signatories. The full list is maintained by the AI Office at the European Commission and updated as additional providers sign. The Code's signatory taskforce continues developing additional guidance and updates; signatories are expected to participate in that ongoing work.

Enforcement timeline + Article 101 penalties

Article 55 has applied from 2 August 2025. But the Commission's full enforcement powers don't kick in until 2 August 2026. Three things change on that date:

Formal information requests under Article 91. The AI Office can demand specific information from providers, with legal teeth behind the request.

Model recalls under Article 93. The Commission can order corrective action, including market withdrawal of a GPAI model where systemic risks are not adequately mitigated.

Article 101 fines. Up to EUR 15 million or 3% of global annual turnover, whichever is higher. Article 101(2) applies the same mitigating and aggravating factors as Article 99(7): nature and gravity of infringement, intent, mitigation, cooperation, prior infringements, size of the undertaking.

Late or absent Article 55(1)(c) incident reporting is its own ground for an Article 101 fine. The Code of Practice gives signatories a presumption of compliance, which is the cleanest defence against Article 101 enforcement. Non-signatories must show their work.

Effect of the Omnibus deal of 7 May 2026

The Digital Omnibus on AI provisional agreement of 7 May 2026 did not change the GPAI regime. Article 53 baseline obligations and Article 55 systemic-risk obligations both remain enforceable from 2 August 2025, with Commission enforcement landing 2 August 2026 as originally planned.

What the Omnibus did change: the high-risk Annex III deadline moved to 2 December 2027, the high-risk Annex I embedded deadline to 2 August 2028, SME relaxations were extended to small mid-caps, Article 10 was amended to allow processing sensitive personal data for bias detection, and a new nudification ban was added to Article 5. None of those changes touched Articles 50-55. Full Omnibus deal breakdown.

What this means if you're a deployer, not a provider

Article 55 binds GPAI providers. If you're a deployer (an organisation using a foundation model to build an AI system or assist with work), Article 55 does not directly bind you. But it changes what you should ask for during vendor evaluation.

Ask for the Article 53(b) information pack. Every GPAI provider must make this available to downstream providers and deployers. It documents capabilities, limitations, intended use cases, and acceptable use policies. If a provider can't produce it, you should be wary.

Confirm Code of Practice signature. Signing creates a presumption of compliance with Articles 53 and 55. Non-signatories are not in breach by virtue of non-signature alone, but they should explain how they meet the obligations otherwise. Ask.

Check the public training-data summary. Required under Article 53(1)(d). Verify the summary covers data classes that are relevant to your use case. If your use case is in finance, healthcare, or legal services, you want to see clear evidence about training-data origins.

Document the provider relationship in your AI inventory. Your compliance checklist needs an entry per GPAI model you depend on, including the provider's compliance posture.

Tools that reflect Article 55

Free tools we built that intersect with the GPAI regime.

Fine Calculator →

Article 101 GPAI fines: EUR 15M or 3% of turnover, whichever is higher. Tier 4 in the fine calculator, mirrors Article 99 Tier 2. SME relief applies.

Incident Response Runbook →

Article 55(1)(c) systemic-risk incident reports go to the AI Office. Our runbook flags the GPAI pathway separately from Article 73 high-risk reporting.

EU AI Act Timeline →

GPAI obligations live since 2 August 2025. Commission enforcement from 2 August 2026. Interactive timeline with pre/post-Omnibus toggle.

Risk Classifier →

GPAI sits separately from the four-tier risk classification (prohibited / high-risk / limited / minimal). Use the classifier to check whether your downstream use of a GPAI model is also high-risk Annex III.

Sources

Frequently asked questions

Free template

GPAI Article 55 Incident Report Template

Pre-structured GPAI incident-report skeleton for Article 55(1)(c) serious-incident notification to the AI Office.

Open + print to PDF →

Official sources

Regulation (EU) 2024/1689 (the EU AI Act) on EUR-Lex ↗The full text of the EU AI Act on the EU's official legal portal. The source of every Article and Annex referenced in this post.
European AI Office ↗The European Commission AI Office, the central enforcement body for GPAI obligations and coordination across national authorities.
GPAI Code of Practice ↗The voluntary GPAI Code of Practice. Signatories include OpenAI, Anthropic, Google, Mistral, Meta and others.

Ask Fluxus

Got a question about this article?

Ask anything about the EU AI Act in this article’s scope. One question per ask. Free, no signup. Powered by Fluxus.

Was this post useful?

John Ferguson

Founder of Agentic Fluxus, Amsterdam. Writes about EU AI Act compliance, AI literacy, and the operational reality of getting AI systems past Article 4 and Annex III.

About John →

Stay in the loop

One email per week. Only the EU AI Act news that matters.

Deadlines, enforcement actions, regulatory shifts, and practical compliance moves. Curated by John. Unsubscribe anytime.

Deep dive: Article 55 + GPAI

Knowledge Library/Compliance/Article 55 GPAI systemic risk

ComplianceArticle 55GPAISystemic riskFree

EU AI Act Article 55: GPAI systemic risk obligations explained

John Ferguson

Founder, Agentic Fluxus · Published 15 May 2026 · 16 min

Article 55 in 60 seconds

Binds providers of GPAI models classified as systemic-risk
Threshold: 10^25 FLOP cumulative training compute (Article 51)
Obligations: model evaluations, adversarial testing, risk mitigation, incident reporting, cybersecurity
Article 55(1)(c) incident reports go to the AI Office, not national authorities
Applied from 2 August 2025; full Commission enforcement from 2 August 2026
Fines under Article 101: up to EUR 15M or 3% of turnover, whichever is higher
The Omnibus deal of 7 May 2026 did not change Article 55
Major signatories of the voluntary Code of Practice: OpenAI, Anthropic, Google, Mistral

Check the threshold

Are you above the 10^25 FLOP systemic-risk threshold?

Convert from H100 GPU-days, GPU-years, or raw FLOPs and see whether Article 55 obligations attach. Reference table for known frontier models included.

Open the checker

Who Article 55 actually applies to

Article 55 applies to providers of general-purpose AI (GPAI) models classified as having systemic risk under Article 51. Three things matter for that classification.

What changed on 2 August 2025

Article 55 obligations apply to systemic-risk GPAI providers. Model evaluations, risk assessment + mitigation, Article 55(1)(c) incident reporting, cybersecurity.

Notification to the Commission. Providers must notify the Commission within two weeks of reasonably foreseeing or reaching the 10^25 FLOP threshold (Article 52(1)).

Newsletter

Weekly EU AI Act updates, delivered.

One email per week. Deadlines, enforcement actions, regulatory shifts. Curated by John Ferguson, founder of Agentic Fluxus. Unsubscribe anytime.

Article 53: the baseline every GPAI provider must meet

Technical documentation (Article 53(1)(a))

Downstream-provider information (Article 53(1)(b))

Copyright compliance (Article 53(1)(c))

Training data summary (Article 53(1)(d))

The 10^25 FLOP cliff

What changes at the systemic-risk threshold

Below threshold< 10^25 FLOP

Article 53 baseline only:

• Technical documentation (Annex XI)

• Downstream-provider info pack (Annex XII)

• Copyright policy + rights-reservation handling

• Public training-data summary

Penalty ceiling: EUR 15M / 3% for Article 53 violations under Article 101.

Above threshold≥ 10^25 FLOP

Article 53 baseline + Article 55:

+ 55(1)(a): model evaluations + adversarial testing

+ 55(1)(b): systemic risk assessment + mitigation

+ 55(1)(c): incident reporting to AI Office

+ 55(1)(d): cybersecurity protection

Notification within 2 weeks of foreseeing or reaching the threshold (Article 52(1)).

Article 55: the additional load for systemic-risk GPAI

For models above the 10^25 FLOP threshold (or designated by the Commission as systemic-risk), Article 55 adds four obligations on top of Article 53.

Article 55(1)(a): Model evaluations including adversarial testing

Article 55(1)(b): Systemic risk assessment and mitigation

Article 55(1)(c): Serious incident reporting

The Article 55(1)(c) clock

Article 55(1)(d): Cybersecurity

The 10^25 FLOP threshold in context

Threshold notification

The GPAI Code of Practice

The Code has three chapters, with different applicability:

Transparency. Applies to all GPAI providers. Operationalises Article 53 obligations on technical documentation, downstream-provider information, training-data summaries.

Who has signed

Enforcement timeline + Article 101 penalties

Article 55 has applied from 2 August 2025. But the Commission's full enforcement powers don't kick in until 2 August 2026. Three things change on that date:

Formal information requests under Article 91. The AI Office can demand specific information from providers, with legal teeth behind the request.

Model recalls under Article 93. The Commission can order corrective action, including market withdrawal of a GPAI model where systemic risks are not adequately mitigated.

Effect of the Omnibus deal of 7 May 2026

What this means if you're a deployer, not a provider

Document the provider relationship in your AI inventory. Your compliance checklist needs an entry per GPAI model you depend on, including the provider's compliance posture.

Tools that reflect Article 55

Free tools we built that intersect with the GPAI regime.

Fine Calculator →

Article 101 GPAI fines: EUR 15M or 3% of turnover, whichever is higher. Tier 4 in the fine calculator, mirrors Article 99 Tier 2. SME relief applies.

Incident Response Runbook →

Article 55(1)(c) systemic-risk incident reports go to the AI Office. Our runbook flags the GPAI pathway separately from Article 73 high-risk reporting.

EU AI Act Timeline →

GPAI obligations live since 2 August 2025. Commission enforcement from 2 August 2026. Interactive timeline with pre/post-Omnibus toggle.

Risk Classifier →

Sources

Frequently asked questions

Free template

GPAI Article 55 Incident Report Template

Pre-structured GPAI incident-report skeleton for Article 55(1)(c) serious-incident notification to the AI Office.

Open + print to PDF →

Official sources

Regulation (EU) 2024/1689 (the EU AI Act) on EUR-Lex ↗The full text of the EU AI Act on the EU's official legal portal. The source of every Article and Annex referenced in this post.
European AI Office ↗The European Commission AI Office, the central enforcement body for GPAI obligations and coordination across national authorities.
GPAI Code of Practice ↗The voluntary GPAI Code of Practice. Signatories include OpenAI, Anthropic, Google, Mistral, Meta and others.

Ask Fluxus

Got a question about this article?

Ask anything about the EU AI Act in this article’s scope. One question per ask. Free, no signup. Powered by Fluxus.

Was this post useful?

John Ferguson

Founder of Agentic Fluxus, Amsterdam. Writes about EU AI Act compliance, AI literacy, and the operational reality of getting AI systems past Article 4 and Annex III.

About John →

Stay in the loop

One email per week. Only the EU AI Act news that matters.

Deadlines, enforcement actions, regulatory shifts, and practical compliance moves. Curated by John. Unsubscribe anytime.

Search

EU AI Act Article 55: GPAI systemic risk obligations explained

Who Article 55 actually applies to

What changed on 2 August 2025

Article 53: the baseline every GPAI provider must meet

Technical documentation (Article 53(1)(a))

Downstream-provider information (Article 53(1)(b))

Copyright compliance (Article 53(1)(c))

Training data summary (Article 53(1)(d))

Article 55: the additional load for systemic-risk GPAI

Article 55(1)(a): Model evaluations including adversarial testing

Article 55(1)(b): Systemic risk assessment and mitigation

Article 55(1)(c): Serious incident reporting

Article 55(1)(d): Cybersecurity

The 10^25 FLOP threshold in context

The GPAI Code of Practice

Who has signed

Enforcement timeline + Article 101 penalties

Effect of the Omnibus deal of 7 May 2026

What this means if you're a deployer, not a provider

Tools that reflect Article 55

Sources

Frequently asked questions

Continue reading the EU AI Act compliance series

Why Your Business Will Be Left Behind Without AI in 2027

The True Cost of AI Non-Compliance: EU AI Act Penalties Explained

Is Your AI Tool High-Risk? How to Classify AI Under the EU AI Act

EU AI Act Article 55: GPAI systemic risk obligations explained

Who Article 55 actually applies to

What changed on 2 August 2025

Article 53: the baseline every GPAI provider must meet

Technical documentation (Article 53(1)(a))

Downstream-provider information (Article 53(1)(b))

Copyright compliance (Article 53(1)(c))

Training data summary (Article 53(1)(d))

Article 55: the additional load for systemic-risk GPAI

Article 55(1)(a): Model evaluations including adversarial testing

Article 55(1)(b): Systemic risk assessment and mitigation

Article 55(1)(c): Serious incident reporting

Article 55(1)(d): Cybersecurity

The 10^25 FLOP threshold in context

The GPAI Code of Practice

Who has signed

Enforcement timeline + Article 101 penalties

Effect of the Omnibus deal of 7 May 2026

What this means if you're a deployer, not a provider

Tools that reflect Article 55

Sources

Frequently asked questions

Continue reading the EU AI Act compliance series

Why Your Business Will Be Left Behind Without AI in 2027

The True Cost of AI Non-Compliance: EU AI Act Penalties Explained

Is Your AI Tool High-Risk? How to Classify AI Under the EU AI Act