If you use ChatGPT, Claude, Gemini, or any AI assistant in your business, you are already working with what Europe calls a GPAI model (General-Purpose AI, or general-purpose artificial intelligence). And since August 2025, there have been clear rules on who is responsible for what when these models are used in the European market.
The good news: if you are an SME that uses these tools, most of the obligations do not fall on you. The less good news: there are important nuances, especially if you integrate AI into products you sell to third parties. Let’s break it down without unnecessary jargon.
What exactly is a GPAI model
A GPAI model is not the same thing as an AI application. It is the engine underneath. GPAI models can perform a wide range of tasks and are becoming the foundation of many AI systems in the EU.
The legal definition is technical but clear: the AI Act defines a GPAI model as one that "exhibits significant generality and is capable of competently performing a wide range of distinct tasks". The Commission will presume that a model with more than 10²³ floating-point operations (FLOP) of training compute, capable of generating language (text or audio), text-to-image or text-to-video, is a GPAI model.
In practice, that includes the usual suspects: several multimodal LLMs (e.g. GPT 4, Gemini 3, Llama 3, Claude Opus 4.5, Grok 4) that power the most widely used AI assistants (ChatGPT, Gemini, Meta AI, Claude, Perplexity, Grok) fall within the definition of GPAI models under the Act.
In short: if an AI can write, translate, code, summarize, and generate images using the same base model, it is probably a GPAI.
Why you should pay attention, even if you do not build models
The strictest obligations under the AI Act apply to the providers of GPAI models: OpenAI, Anthropic, Google, Meta, Mistral. Not to your business. But there are three reasons this still affects you:
- Your providers will have new transparency obligations that benefit you as a customer.
- If you significantly modify or retrain a model, you may become a provider in the eyes of the law.
- The AI Act has extraterritorial reach, which changes the rules for any tool you use.
The AI Act has broad extraterritorial reach. It applies, among other actors, to providers and deployers of GPAI models and AI systems located within the EU, to providers outside the EU placing GPAI models or AI systems on the market in the EU, to providers outside the EU putting AI systems into service in the EU, and to providers and deployers of AI systems outside the EU when the output of the system is used within the EU.
In plain English: even if you use an American tool, if its output reaches your business in Spain, the AI Act applies.
The dates that matter
The AI Act rules for GPAI models became applicable on 2 August for new models placed on the market after that date; providers of GPAI models already on the market before 2 August 2025 have until 2 August 2027 to align their models and documentation.
And there is an important recent change: this legislative proposal (nicknamed the 'AI omnibus') was adopted on 19 November 2025 and a political agreement was reached on 7 May 2026. Following the political agreement, there is a clear implementation timeline for the rules governing high-risk AI systems: the rules for systems used in certain high-risk areas — including biometrics, critical infrastructure, education, employment, migration, asylum, and border control — will apply from 2 December 2027.
What obligations GPAI providers have (and why you should care)
When you contract an AI API or use a model in your business, it helps to know what can be required from that provider. It helps you choose better and justify decisions in audits or to clients.
All providers of GPAI models must provide technical documentation, instructions for use, comply with the Copyright Directive, and publish a summary of the content used for training.
For the most powerful models there is an extra layer: in addition to the four obligations above, providers of GPAI models with systemic risk must also: carry out model evaluations, including documented adversarial testing to identify and mitigate systemic risks. Assess and mitigate possible systemic risks, including their sources. Track, document, and report serious incidents and possible corrective measures to the AI Office and the relevant national competent authorities without undue delay. Ensure an adequate level of cybersecurity protection.
When is a model considered to pose "systemic risk"? GPAI models present systemic risks when the cumulative amount of compute used for their training is greater than 10²⁵ floating-point operations (FLOPs). We are talking about frontier models from OpenAI, Anthropic, and Google.
The critical point for SMEs: when do you become a "provider"?
This is where many people get confused. Using a model does not make you a provider. But there are clear red lines:
Under the GPAI Guidelines, your company must comply as a GPAI model provider if it: places a GPAI model on the EU market in any form, such as via API, download, or cloud service. Integrates its own GPAI model into a chatbot, mobile app, or other system that your company makes available in the EU. Provides a model to someone who does any of the above — unless your company has clearly and unequivocally prohibited distribution and use in the EU.
And the most relevant nuance for anyone customizing AI: intermediate providers that fine-tune or modify an existing GPAI model (e.g. a company integrating a GPAI model into its products) may also become a provider under the CoP and the EU AI Act under certain circumstances, but only in relation to their modifications. In this case, special provisions under the CoP apply (e.g. regarding transparency).
The pragmatic approach is clear: the guidelines are designed to be pragmatic. For example, they clarify that only those making significant modifications to AI models need to comply with GPAI model provider obligations, not those making minor changes.
What this means for your SME, specifically
Let’s get to the point. If you run an SME in Spain and use AI, this is what changes — and what does not:
| Situation | Are you a GPAI provider? | What do you need to do? |
|---|---|---|
| Use ChatGPT/Claude/Gemini with prompts | No | Nothing specific under Chapter V |
| Connect AI APIs to your internal processes | No | Check the provider’s terms |
| Build a chatbot with a third-party model | No (in general) | Be transparent with your users |
| Do significant fine-tuning and distribute it | Possibly yes | Document modifications |
| Train your own model from scratch | Yes | Full compliance |
Most SMEs fall into the first three rows. In other words: you can keep using AI normally, but do so thoughtfully.
Good practices that will save you trouble
Regardless of regulation, there are decisions every SME should make when implementing AI. These are the ones we apply when building solutions for clients:
- Choose providers already aligned with the AI Act. If they have signed the Code of Practice, even better. It saves you explanations.
- Document where you use AI and for what. You do not need a 200-page dossier. A basic internal log is enough for most cases.
- Be transparent with your customers. If a chatbot or automated email interacts with them, they should know.
- Avoid black boxes. Solutions you cannot audit or explain are a legal and operational risk.
- Use open architectures. Being tied to a single model provider is expensive and fragile. Open-source tools like n8n let you switch AI engines without rebuilding everything.
How this fits with automating your business
At Studio SmartWork, we build applied AI solutions for Spanish SMEs, and most of them do not need to train their own models. They need to orchestrate existing GPAI models well to solve specific problems: answer calls 24/7, manage email, qualify leads, automate proposals.
That orchestration — combining a GPAI model with your data, your CRM, your calendar, and your business logic — is where the real value lies. And it can be done without becoming a regulated provider, without losing control, and without tying yourself to a single AI engine.
Regulation is not an obstacle to using AI in your business. It is a map. And now that it is clearer who is responsible for what, there is no excuse to keep wasting hours on tasks that a well-implemented AI can solve in seconds.