General-purpose AI obligations under the EU AI Act apply primarily to model providers. The deployer position is narrower than commonly assumed — but it is not nothing. Here is what an Irish organisation using a general-purpose model actually needs to do.
TL;DR. GPAI obligations under the EU AI Act apply mostly to model providers (OpenAI, Anthropic, Google, etc.), not deployers. For Irish organisations using ChatGPT, Claude, Copilot, or Gemini for work, the engaging obligations are Article 4 literacy, Article 50 disclosure for AI-generated content, and any high-risk classification of the use context. The deployer posture is narrower than commonly assumed.
The general-purpose AI provisions of the EU AI Act — Articles 51 to 55 — have produced more confusion in Irish organisations than any other part of the Act. The confusion is not unreasonable. The provisions were the most heavily contested part of the legislative process, the Code of Practice that operationalises them has gone through multiple drafts, and the obligation chains between providers and deployers are not intuitive on a first reading.
This piece sets out the deployer-side question — what an Irish organisation using ChatGPT, Claude, Gemini, Microsoft Copilot, or a model accessed via Azure OpenAI Service actually has to do under the GPAI provisions. The answer is narrower than commonly assumed, but it is not nothing.
Who the GPAI articles apply to
Articles 51 to 55 impose obligations primarily on providers of general-purpose AI models. A provider is the entity that develops or places the model on the market. OpenAI, Anthropic, Google DeepMind, Mistral, Meta in respect of its open models — these are providers. The obligations include transparency documentation, training data summaries, copyright compliance evidence, and (for models classified as posing systemic risk) significant additional risk assessment and reporting.
A deployer is the entity that uses an AI system. An Irish organisation using ChatGPT is a deployer. The deployer obligations under the AI Act are set out in Article 26 and elsewhere — but they apply to the AI system context (high-risk, limited-risk, prohibited), not to the underlying GPAI model. The GPAI articles themselves impose remarkably few direct obligations on deployers.
This is the first clarification that needs to land. Reading the GPAI articles and concluding that an Irish SME using a consumer ChatGPT subscription needs to produce its own training data summary or copyright evidence is a misreading. Those obligations sit with OpenAI.
What the deployer obligations actually look like for GPAI use
The substantive deployer obligations that engage when using a GPAI-based system, in approximate order of how often they come up in Irish organisations:
Article 50 transparency: AI-generated content disclosure. Where an organisation uses a GPAI model to generate text, image, audio, or video content that is published or otherwise made available, the organisation must label that content as AI-generated where the content could be mistaken for human-produced material. The Omnibus deal extended the implementation grace period for machine-readable watermarking by four months because the AI Office's implementation guidance was not final in time. The obligation itself stands. For practical purposes: AI-assisted client correspondence drafted internally and reviewed by a human is not "AI-generated content" in the labelling sense. AI-generated content published externally without meaningful human authorship is.
Article 50 disclosure: emotion recognition and biometric categorisation. If the deployer uses an AI system that performs emotion recognition or biometric categorisation, individuals affected must be informed. This rarely engages in standard professional services use of GPAI. It engages in specific deployment contexts — HR screening tools, security systems, customer experience analytics — where it should be assessed deliberately.
Article 4 literacy. The literacy obligation applies to deployers of AI systems, including GPAI-based systems. Staff using ChatGPT, Claude, or Copilot for work tasks must be supported in developing sufficient AI literacy for the context. This is the single most common GPAI-related deployer obligation, and supervision begins on 2 August 2026.
Risk classification of the use, not the model. The underlying GPAI model is not "high-risk" in itself. The use of a GPAI model in a high-risk context — for example, a CV screening system built on a GPAI model and used in recruitment — is what triggers high-risk obligations under Annex III. The deployer obligations attaching to that high-risk use are extensive (human oversight, monitoring, record-keeping, conformity). They attach because the use is high-risk, not because the model is GPAI.
Data protection alignment. Personal data entered into a GPAI system engages GDPR obligations in the standard way. The deployer is the controller in most contexts. The lawful basis, retention, and transparency questions are not novel under the AI Act; they are GDPR questions that the AI Act does not displace.
What the GPAI articles do not impose on deployers
They do not impose a duty to produce training data summaries. That is a provider obligation.
They do not impose copyright compliance evidence at the deployer level. The provider has obligations regarding the lawfulness of training data acquisition. The deployer's copyright position relates to the deployer's own use of outputs.
They do not impose a duty to assess the systemic risk classification of the underlying model. That is a provider question and a competent authority determination.
They do not impose registration of GPAI-based AI systems unless those systems are independently classifiable as high-risk under Annex III or Annex I.
The Code of Practice and what it changes
The General-Purpose AI Code of Practice — the voluntary instrument that operationalises Articles 51 to 55 — applies to providers, not deployers. The Code's signatories are model providers. Its commitments cover transparency disclosures, copyright handling, and systemic risk management at the provider level. Deployer organisations do not sign the Code of Practice and are not in breach for not having signed it.
What the Code does affect, indirectly, is the documentation that providers make available to deployers. Signatory providers will publish more detailed transparency information about their models — training data summaries, capability disclosures, known limitations. This is useful for deployer due diligence and is relevant to demonstrating literacy and informed use. It is not a deployer-side obligation.
What a defensible deployer posture looks like for GPAI use
In practical terms, the defensible posture for an Irish organisation using GPAI-based systems is:
An AI inventory that identifies the GPAI-based systems in use, the provider, the contract terms, and the risk classification of the use context.
A literacy programme mapped to the roles using GPAI systems, with content covering capability, limits, use boundaries, and escalation.
A data-handling policy that addresses what may and may not be entered into GPAI tools, with a clear distinction between consumer-terms and enterprise-terms deployment.
An Article 50 review for any function that publishes AI-generated content externally, to determine the labelling posture.
A high-risk classification review for any deployment of a GPAI model in an Annex III context (recruitment, education access, essential services, law enforcement support, migration management, justice administration). Where the use is high-risk, the full Article 26 deployer obligations engage and the GPAI question becomes secondary.
This is not a small list, but it is the defensible list. Organisations doing more than this in respect of GPAI obligations specifically are over-reading the provisions. Organisations doing less are under-supported on Article 4 and Article 50.
The thing not to confuse
GPAI obligations and Article 4 literacy obligations are different things and the supervision conversation in late 2026 will treat them differently. Article 4 supervision starts on 2 August 2026 and is the immediate deployer-side question for almost every Irish organisation using AI. GPAI obligations are mostly provider obligations and remain so. Conflating the two has produced unnecessary work in some organisations and missed compliance in others.
Acuity AI Advisory provides independent EU AI Act consulting calibrated to deployer obligations under Article 4, Article 26, and Article 50, including GPAI-based deployment reviews. Vendor-neutral and fixed-fee.