The EU AI Act gives open-source GPAI model providers a partial exemption from the standard documentation and disclosure requirements. But the exemption is conditional, partial, and completely removed if your model crosses the systemic risk threshold.
The exemption has three limits — all three matter
First, it only works if four specific conditions are satisfied. Second, it exempts only two of the four Article 53 obligations — the other two apply to every GPAI provider regardless. Third, it disappears entirely for any model with systemic risk. Art 53(2)
Not sure whether your open-source model qualifies for the exemption? Regumatrix checks your model against Article 53(2) and returns your exact obligation set — including whether systemic risk rules apply — in 30 seconds. Check your model free →
Article 53(2) sets out four requirements that must all be satisfied at the same time. Miss one condition and the exemption does not apply. Art 53(2)
The model must be released under a licence that qualifies as free and open-source. Restrictive licences — such as those that limit commercial use, require purchase of a separate commercial licence, or restrict modification — do not satisfy this condition.
The licence must explicitly permit all four of these activities: accessing the model, using it, modifying it, and distributing it. A licence that permits use but restricts redistribution of modified versions does not qualify.
The model parameters — specifically the weights — must be made publicly available. A model whose architecture is published but whose weights are kept private (sometimes called 'open architecture, closed weights') does not qualify for the exemption.
In addition to the weights, information on the model architecture and on model usage must also be made publicly available. If any of these three categories of information (weights, architecture, usage) are withheld, the exemption does not apply.
Article 53(1) sets out four obligations for all GPAI providers. The exemption removes two of them. The other two apply to every provider — including open-source ones.
| Obligation | Open-source exemption |
|---|---|
| (a) Technical documentationAnnex XI — for AI Office on request | ✓ Exempt (if all 4 conditions met) |
| (b) Downstream provider informationAnnex XII — for integrators building on your model | ✓ Exempt (if all 4 conditions met) |
| (c) Copyright compliance policyMust identify and respect rights reservations under Art 4(3) of Directive 2019/790 | ✗ Always applies — no exemption |
| (d) Public training data summaryPublished using AI Office template | ✗ Always applies — no exemption |
Article 53(2) ends with an explicit carve-out: "This exception shall not apply to general-purpose AI models with systemic risks."
If your open-weights model was trained using more than 10²⁵ floating-point operations, or the Commission designates it as systemic risk on capability grounds, the full Article 53 obligation set applies — including the Annex XI technical documentation and Annex XII downstream information obligations — plus all four additional Article 55 obligations: adversarial testing, Union-level risk assessment, incident reporting, and cybersecurity. Art 53(2)Art 55
Providers established outside the EU must normally appoint a written mandate authorised representative inside the EU before placing a GPAI model on the Union market (Article 54(1)). Article 54(6) removes this obligation for open-source GPAI providers — but with the same carve-out: the exemption is explicitly removed for open-source models that have systemic risk.
A US-based open-weights provider whose model crosses the 10²⁵ FLOPs threshold must appoint an EU-established authorised representative before placing the model on the Union market. Art 54(6)
The exemption exists inside Chapter V — GPAI obligations. It does not affect any other part of the EU AI Act. In particular:
No changes are proposed under COM(2025) 836 or COM(2025) 837 for this topic.
No — a free licence is necessary but not sufficient. Article 53(2) requires that all four conditions are met simultaneously: the model is released under a free and open-source licence; the licence allows access, usage, modification, and distribution; and the model parameters (weights), architecture information, and usage information are all made publicly available. If your licence restricts commercial use, or if you do not publish the weights, the exemption does not apply.
No. The exemption in Article 53(2) only removes the obligations in Article 53(1)(a) — the Annex XI technical documentation — and Article 53(1)(b) — the Annex XII downstream provider information package. Two obligations remain regardless of open-source status: Article 53(1)(c) — you must have a policy to comply with EU copyright law and respect rights reservations — and Article 53(1)(d) — you must publish a sufficiently detailed training data summary using the AI Office template.
The exemption is explicitly disapplied for GPAI models with systemic risk. Article 53(2) states that the exception 'shall not apply to general-purpose AI models with systemic risks.' If your open-weights model crosses the 10²⁵ FLOPs compute threshold — or is designated by the Commission on capability criteria — all Article 53 obligations apply in full, plus all four Article 55 systemic risk obligations: adversarial testing, Union-level risk assessment, incident reporting to the AI Office, and cybersecurity for the model and infrastructure.
Not if the model qualifies for the open-source exemption. Article 54(6) removes the authorised representative requirement for open-source GPAI providers, mirroring the Article 53(2) exemption. However — exactly as with Art 53(2) — this exemption is also removed if the model has systemic risk. A non-EU provider of a systemic risk open-weights model must still appoint an EU-established authorised representative before placing the model on the Union market.
The open-source exemption applies to your obligations as the GPAI model provider. It does not affect the obligations of a downstream provider who integrates your GPAI model into a high-risk AI system. That downstream provider must comply with Articles 9–15 regardless of whether the underlying model is open-source. As the GPAI provider, you are not responsible for downstream high-risk deployments — but you should consider what information downstream providers need to meet their own obligations, even though you are exempt from Annex XII.
Regumatrix checks your GPAI model against the Article 53(2) conditions, verifies whether the systemic risk carve-out applies, and returns your exact obligation set — showing which requirements you are exempt from and which remain. Full cited report in around 30 seconds.
