Skip to main content
HashnodeComplizo

Command Palette

Search for a command to run...

A BigLaw Firm Just Asked Whether the Foundation Model Powering Your AI Research Tool Complies With the EU AI Act's GPAI Codes of Practice: Answering the Article 55 Questions

Updated
5 min read
A
Ari Volcoff

A BigLaw firm just asked whether the foundation model powering your AI legal research tool complies with the EU AI Act's GPAI codes of practice: answering the Article 55 questions

Your enterprise legal team account lead flagged the question on a Friday afternoon. A Magic Circle firm evaluating your AI legal research tool has identified that your product is built on a general-purpose AI model. Their technology governance committee has sent a specific question before approving the vendor:

"Article 55 of the EU AI Act requires providers of general-purpose AI models to participate in or adhere to codes of practice. Does the foundation model provider whose model powers your tool participate in the EU AI Act GPAI code of practice? If so, provide documentation."

This question is becoming more common as sophisticated buyers understand the layered structure of the EU AI Act. Here is what Article 55 requires and how to answer it accurately.

The Two-Layer Structure of GPAI Compliance

The EU AI Act creates a two-layer compliance structure for AI systems built on general-purpose AI models. The foundation model provider (the company that trained and makes the model available — an API provider, for example) has obligations under Chapter V of the regulation, including Article 55. You, as the downstream provider building an application on top of that model, have obligations under Chapter III if your application is high-risk.

Article 55 applies to providers of GPAI models — companies like those providing large language model APIs. It requires those providers to draw up and keep up to date technical documentation; to comply with EU copyright law; and to publish a sufficiently detailed summary of training data. For GPAI models with systemic risk (above a certain compute threshold under Article 51), additional obligations apply including incident reporting and cybersecurity requirements.

Codes of practice under Article 55(5) and Article 56 are the mechanism through which GPAI model providers can demonstrate compliance. The European AI Office oversees their development, and providers who adhere to an approved code of practice are presumed to be compliant with the relevant obligations.

What Your Customer Is Actually Asking

The law firm is asking two questions in one. First: does the foundation model your product relies on have provider obligations under Chapter V? Second: does that provider fulfil those obligations, including through participation in a code of practice?

This matters for the law firm because they are a deployer of your system, which is itself built on a GPAI model. If the foundation model layer is non-compliant, that creates a gap in the compliance chain they are relying on when they use your product to handle client matters.

What You Need to Identify and Document

Which foundation model your product uses. Name the model provider and the specific model or model family. If you use multiple models, identify each one.

Whether that provider has GPAI obligations. A GPAI model provider has obligations under Chapter V if the model is trained on text and data with a general character and can be used for a range of different tasks. Most large commercial LLM providers whose models are accessible via API meet this definition.

Whether the provider participates in an approved code of practice. As of early 2026, the European AI Office's code of practice process for GPAI models was still in development and finalisation. Major foundation model providers were participating in the drafting process. The accurate answer to this question is whether your specific model provider has publicly committed to participate in the code of practice process and what documentation they have published.

What access you have to the provider's compliance documentation. Under Article 55(1)(a), GPAI model providers must make available technical documentation. You should be able to provide your customer with a reference to the foundation model provider's published compliance materials — transparency report, training data summary, and (when available) code of practice commitment — as evidence.

How to Structure Your Answer

A complete answer has three parts:

Identify the model. State which GPAI model provider and model version your product uses. If this is subject to NDA, say so and offer to disclose it under a technology NDA.

State the provider's compliance status. Reference publicly available documentation from the model provider regarding their EU AI Act Chapter V obligations. If the code of practice is not yet finalised or the provider's participation is pending, say that accurately — and note that you monitor your supply chain and will update customers when the position changes.

Explain the separation of obligations. Your obligations as an application provider under Chapter III are distinct from the GPAI model provider's Chapter V obligations. Explain what you have done to meet your obligations (technical documentation, risk management, etc.) independently of what the model provider is doing.

Buyers who receive a clear, layered answer to this question — one that demonstrates you understand the regulatory structure and have reviewed your supply chain — move through procurement faster than buyers who receive a vague reference to "industry standards."

Try Complizo free at complizo.com

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

Complizo

87 posts