EU AI Act GPAI Compliance Window Opens. Foundation Model Users Have 12 Months.

The EU AI Act's General-Purpose AI (GPAI) provisions began their 12-month compliance window this month. Any organization that develops, deploys, or builds products on top of GPAI models — which includes virtually every enterprise using OpenAI, Anthropic, Google, or Meta AI infrastructure — now has a documented regulatory timeline with enforcement consequences.

What GPAI Compliance Requires

For GPAI model providers: technical documentation, transparency measures, copyright policy compliance, and — for systemic risk models above 10^25 FLOPs — adversarial testing and incident reporting to the European AI Office. For organizations building on GPAI: contractual upstream compliance, documented AI system purposes, and user-facing transparency obligations.

The Supply Chain Reality

Most enterprises have not mapped their AI supply chains. If your products use any LLM API, you have GPAI exposure under the EU AI Act. The compliance burden is lower for downstream users than for model providers — but it is not zero. Legal teams that have not assessed this exposure are carrying undisclosed regulatory risk.

ZeroForce Perspective

Regulatory compliance is not an obstacle to AI deployment — it is a design constraint that separates organizations that can scale AI sustainably from those building on fragile foundations. The organizations treating GPAI compliance as a future task are making an architectural error that compounds over time.