The EU AI Act is the world’s first comprehensive legal framework for artificial intelligence, and its General-Purpose AI chapter is proving to be its hardest section to operationalize. In July 2025, the European Commission published draft guidelines clarifying how the GPAI provisions apply, but “draft” is doing significant work in that sentence. Open-source developers and organizations maintaining AI model releases for European markets are still working from guidance that hasn’t been finalized, applying compliance frameworks to technology that the regulators are still figuring out how to classify.
The core tension is structural. The EU AI Act, as documented on the European Commission’s digital strategy page, applies risk-based obligations across AI systems, but GPAI models don’t fit neatly into a single risk tier. A foundation model released as open-weight can be fine-tuned for high-risk applications without the original developer’s involvement or knowledge. That creates an attribution problem the July 2025 guidelines have not fully resolved.
For open-source contributors specifically, the compliance picture is more complex than for closed-model vendors. The Linux Foundation Europe has published developer guidance on how the Act applies to open-source releases, but the questions that matter most, which open-source releases trigger GPAI obligations, what transparency documentation is required, and when systemic risk thresholds apply, remain subjects of active regulatory interpretation. Ongoing analysis continues to surface concerns about compliance complexity for open-source contributors, particularly around documentation and transparency requirements that may be difficult to satisfy for community-developed models with distributed authorship.
Three questions are not yet resolved by the July 2025 GPAI guidelines:
1. Which open-source releases trigger GPAI obligations? The Act’s thresholds for GPAI designation and systemic risk classification are defined in the regulation, but their application to open-weight models with no commercial distribution channel is still being worked through in Commission guidance and industry consultation.
2. What transparency documentation satisfies the Act? Closed-model vendors can produce training data summaries and safety evaluations through internal processes. Open-source projects with hundreds of contributors and no single legal entity responsible for the release face a documentation challenge that the guidelines haven’t directly addressed.
3. When does downstream fine-tuning affect upstream liability? If an open-source base model is fine-tuned for a high-risk application by a third party, what obligations, if any, flow back to the original developer? This is the systemic risk attribution question, and it has major implications for foundation model strategy.
None of these questions have final answers yet. The Commission’s draft guidelines provide a framework, but they’re guidelines, not binding law, and they’re still drafts.
What to watch: the finalization of the GPAI guidelines and any enforcement actions that begin to establish how regulators interpret open-source model obligations in practice. Watch also for EU Parliament activity on compliance timelines, unverified reports of a potential deadline extension for high-risk AI rules are circulating, but no T1 source has confirmed them. Do not plan around that claim until it’s verified.
The EU AI Act’s open-source provisions are a live compliance planning problem. Organizations maintaining AI models for European distribution should be building compliance frameworks now, even against unfinalized guidance, because waiting for final rules is unlikely to be a viable defense when enforcement begins.