AI Regulatory Intelligence โ€” by YRproject

factual analysis · traceable to primary sources

Compliance platform Work with us LinkedIn NLยทENยทDE
Explainer

Foundation models and systemic risk: the 10^25 FLOP threshold

Adopted 2026-06-22 ยท ≈ 2 min read ยท Dirk Baaijen

On top of the baseline regime for general-purpose AI models, the AI Act adds a heavier regime for models with systemic risk (Art. 51-55). A compute threshold of 10^25 FLOP acts as a presumption; above it, model evaluation, risk mitigation, incident reporting and cybersecurity apply.

Short answer: The AI Act has two tiers for general-purpose AI (GPAI) models. On top of the baseline regime sits a heavier package for models with systemic risk: the most powerful "foundation models". A model is presumed to fall in this tier if the compute used for training exceeds 10^25 FLOP (Art. 51). The extra obligations of Art. 55 then apply: model evaluation, risk mitigation, incident reporting and cybersecurity.

What is a model with systemic risk?

A GPAI model has systemic risk if it has "high-impact capabilities" that can affect the EU level as a whole โ€” think of large-scale propagation of harm across the value chain. The AI Act uses two routes to establish this: a compute threshold as a legal presumption, and designation by the Commission on substantive criteria (such as number of users, modalities and autonomy).

The 10^25 FLOP threshold

The most concrete criterion is the amount of compute used for training, measured in floating-point operations (FLOP). If the cumulative training budget exceeds 10^25 FLOP, systemic risk is presumed. The threshold is deliberately a presumption rather than a hard line: the Commission can adjust it by delegated act to track technical progress, and can also designate models below it where the substantive criteria warrant.

In practice this threshold today touches only the largest frontier models. For most companies that use or fine-tune GPAI it is irrelevant โ€” they fall under the baseline GPAI regime, not this heavy track.

Extra obligations for systemic risk (Art. 55)

In addition to the transparency and copyright obligations that apply to all GPAI, the provider of a model with systemic risk must:

  • perform model evaluations, including standardised adversarial testing (red-teaming) to identify and mitigate systemic risks;
  • assess and mitigate systemic risks at EU level, including their sources;
  • track, document and report serious incidents without undue delay to the AI Office and relevant national authorities, together with corrective measures;
  • ensure an adequate level of cybersecurity for the model and its physical infrastructure.

Compliance can be demonstrated through an approved Code of Practice until harmonised standards are available.

Relationship to the baseline regime

A model with systemic risk must comply with both the baseline regime and Art. 55. The systemic-risk track does not stand alone: it stacks extra requirements on top of the transparency, technical documentation and copyright policy that apply to every GPAI provider. Releasing an open-source model with systemic risk also forfeits the open-source exemptions that apply elsewhere โ€” see open-source AI models.

What to do

  • Establish your position: are you building a model above 10^25 FLOP, or using/fine-tuning one? Only the former falls under Art. 55.
  • Watch for AI Office designations: models below the threshold can also be designated.
  • Set up an evaluation and red-teaming process if you are a frontier-model provider.
  • Embed incident detection and reporting as a process, not an ad-hoc action.
  • Using a frontier model as a customer? Ask the provider for evidence of Art. 55 compliance and fold it into your own AI governance.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act), Art. 51-55: classification and obligations for GPAI models with systemic risk.
  2. https://artificialintelligenceact.eu/article/55/
    Article 55 AI Act: obligations for providers of GPAI models with systemic risk.

Share on LinkedIn

Read next

U

Open-source AI models under the AI Act: exemptions and limits

The AI Act eases some GPAI obligations for models released under a free and open licence, but the exemption is narrow and conditional. Copyright policy and a training-data summary still apply, and where there is systemic risk the exemption falls away entirely.

A

The AI Act's expert bodies: the Scientific Panel and the Advisory Forum

On 1 June 2026 the European Commission appointed the two expert bodies the AI Act foresees: a 60-member Scientific Panel of independent experts (Art. 68) advising on general-purpose AI and systemic risk, and a 174-member Advisory Forum (Art. 67) for broad input. Both serve two-year terms.

U

The GPAI Code of Practice: what is in it and who is it for?

The GPAI Code of Practice is a voluntary instrument (Art. 56 AI Act) that lets providers of GPAI models demonstrate compliance with their duties under Arts 53 and 55. Three chapters: transparency, copyright, safety and security.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.