If you’ve landed here looking for information on GPAI, you probably already know it has something to do with the new European AI regulation — but you’re not sure whether it affects you, how, or what you need to do about it. Let’s get straight to the point: GPAI means General Purpose AI, and yes, it does affect you. Even if you only use ChatGPT to draft emails.

This article explains what a GPAI model is, what obligations you have as a company that uses it (not develops it), which deadlines matter, and how to avoid the common mistakes we’re seeing in Spanish SMEs.

What a GPAI model is

A GPAI model is an AI model capable of performing many different tasks — it isn’t designed for just one function. Models such as GPT-4, Claude, Gemini, or Llama fall into this category. They are the foundation on which assistants, chatbots, image generators, and practically any generative AI tool you’re using today are built.

The European Union decided to regulate them specifically under the AI Act (EU Regulation 2024/1689), the world’s first comprehensive regulatory framework for artificial intelligence. And it did so for a simple reason: these models are so versatile that they can end up in critical applications without anyone having carried out a serious risk assessment.

The timeline you need to know

The AI Act did not come into force all at once. It is being rolled out in phases, and you’re already within it:

| Date | What applies |
|---|---|
| 2 February 2025 | Prohibitions on unacceptable uses + AI literacy requirement |
| 2 August 2025 | Obligations for GPAI model providers |
| 2 August 2026 | Full application for high-risk systems |
| 2 August 2027 | Full adaptation of legacy models and regulated products |

From 2 August 2025, GPAI providers placing models on the European market must comply with specific obligations regarding documentation, transparency, and copyright. This means OpenAI, Anthropic, Google, and Meta are already under regulatory scrutiny. But the important question for you is a different one: what do you need to do, as a user?

Provider vs. deployer: where you fit in

This distinction causes the most confusion, so let’s clear it up. The regulation applies both to providers — companies that develop or place an AI system on the market — and to deployers, meaning companies that use an AI system developed by a third party in the course of their professional activities. This distinction is crucial: a company that buys AI software for recruitment is not a provider, but it is a deployer and has its own obligations.

Most SMEs are deployers. If you use ChatGPT, Claude, Copilot, or any tool built on top of them, you are a deployer. As a deployer (user) of an AI system, you have limited obligations. Mainly, you need to ensure that the use complies with the provider’s terms and inform affected people if the AI impacts their rights (for example, in HR decisions). It is OpenAI, as the provider, that bears most of the GPAI obligations.

That is good news. But it does not mean you are exempt.

Your real obligations as an SME using AI

Here is what you do need to do, even if you do not develop models:

1. AI literacy (already in force)

The AI literacy obligation has been enforceable since February 2025. Staff working with AI systems must understand their capabilities and limitations. Your team does not need to be made up of machine learning engineers — they just need to know what to expect from the tool, what risks it has, and where it should not be used.

2. Transparency with your customers

If you use a chatbot, your customer needs to know they are talking to an AI. From February 2025, all chatbots must clearly inform users that they are interacting with AI. A notice at the start of the conversation ("I’m a virtual assistant powered by AI") is generally enough.

The same applies to AI-generated content published publicly: it must be labeled.

3. Classify your AI uses by risk level

This is the step almost nobody is doing properly. Classification depends on the specific use of the system, not on the underlying technology. The same language model (for example, GPT-4) can be:

  - Minimal risk if you use it to generate internal email drafts
  - Limited risk if you use it as a public-facing chatbot
  - High risk if you use it to screen candidates in recruitment processes

In other words: the same tool can carry completely different obligations depending on what you use it for. Inventory your uses and classify them one by one.

4. Check that your provider is compliant

From 2 August 2025, you must review the GPAI provider’s documentation and adjust notices and contracts across your value chain. If your AI provider cannot show you its technical documentation and compliance policy, you have a problem.

What is prohibited (and many people do not know)

These systems have been completely prohibited since February 2025: social scoring of citizens based on behavior, real-time remote biometric identification in public spaces, biometric categorization that infers sensitive data (race, sexual orientation, political affiliation), emotion recognition in the workplace or educational institutions (except for medical or security reasons), and criminal behavior prediction based solely on profiles.

If any of your processes come close to this — especially employee emotion recognition, which has become trendy in some “productivity” tools — disable it now.

The penalties: they are not symbolic

Fines can reach €35 million or 7% of global turnover for very serious infringements (use of prohibited systems). For breaches of high-risk obligations, up to €15 million or 3%. For SMEs and startups, reduced proportional caps apply.

The exact figure is not the main point — the message is: the EU is taking this seriously, and Spain already has its own supervisory authority, AESIA, up and running.

How to start without losing your mind

If your SME is just getting started with AI or is already using it in a scattered way, this is the logical order:

  1. Inventory: list every AI tool your company uses (including the ones your team uses without telling you).
  2. Classification: assign a risk level to each use. 90% will be minimal or limited risk.
  3. Transparency: add notices in chatbots, label AI-generated content, and update your privacy policy.
  4. Training: a 1–2 hour session for the team using AI is enough to meet the AI literacy requirement.
  5. Provider documentation: ask each provider for its AI Act compliance statement.

Compliance is not the enemy of productivity

One thing we see every day at Studio SmartWork: companies that treat the AI Act as a burden end up falling behind. Those that build it into the design of their AI workflows avoid rework and operate with peace of mind.

When we build custom AI solutions for SMEs — voice agents, email management, lead qualification — AI Act compliance is part of the design from day one. We use open-source tools like n8n and auditable APIs, document what each workflow does, where it makes decisions, and what human oversight it has. Not for bureaucracy’s sake, but because a compliant system is also a system you understand and control.

The regulation is not going away. SMEs that adapt now — without panic, with a sensible plan — will have a clear advantage over those that keep putting it off. Start with the inventory this week. The rest is built on that.
