AI Regulatory Intelligence โ€” by YRproject

factual analysis · traceable to primary sources

Compliance platform Work with us LinkedIn NLยทENยทDE
Explainer

Open-source AI models under the AI Act: exemptions and limits

Adopted 2026-06-22 ยท ≈ 3 min read ยท Dirk Baaijen

The AI Act eases some GPAI obligations for models released under a free and open licence, but the exemption is narrow and conditional. Copyright policy and a training-data summary still apply, and where there is systemic risk the exemption falls away entirely.

Short answer: The AI Act grants GPAI models released under a free and open licence a partial exemption from some obligations. The exemption is narrow, however: the copyright policy and the public summary of training data remain mandatory, and as soon as an open-source model has systemic risk the exemption falls away entirely. "Open" therefore does not mean "free of the AI Act".

What the exemption does cover

For GPAI models released under a free and open licence โ€” where the parameters, architecture and usage information are publicly accessible โ€” two of the baseline obligations fall away: drawing up extensive technical documentation and providing information to downstream providers. The reasoning is that open availability already delivers part of that transparency.

The exemption applies only to a genuine open licence. A licence that restricts commercial use, monetises, or does not release access to weights and parameters does not count as "free and open" within the meaning of the AI Act. Many so-called "open-weights" models with restrictive terms therefore fall outside it.

What always continues to apply

Two obligations remain in place even for open-source GPAI:

  • Copyright policy: a policy to comply with EU copyright law, including respecting a text-and-data-mining reservation โ€” see AI and copyright in training data.
  • Training-data summary: a sufficiently detailed public summary of the training content used, following the AI Office template.

Open-source therefore does not release a provider from the copyright and transparency core of the regime.

The limit: systemic risk

The most important limit is hard: as soon as an open-source model has systemic risk (see foundation models and systemic risk), all obligations of Art. 55 apply in full โ€” model evaluation, risk mitigation, incident reporting and cybersecurity. The open licence then gives no relief at all. An open frontier model is regulated just as heavily as a closed one.

Watch the role shift

Whoever downloads an open-source model and substantially modifies it (for example heavily fine-tunes or retrains it) can become a provider of a new GPAI model โ€” with the corresponding obligations. Light use or integration into an application generally does not make you a provider, but the line between using and modifying is decisive. So keep track of what you do with a downloaded model: a light tweak for your own use is different from a reworked model you release publicly or supply to customers.

Open is no free pass elsewhere

The open-source nuance sits only within the GPAI model regime. If you build a concrete application with an open model โ€” a high-risk system, say โ€” the ordinary obligations for that application apply in full, regardless of the model's licence. The licence of the model and the regulation of your application are two separate questions.

What to do

  • Check the licence properly: only a free and open licence without commercial restrictions grants the exemption.
  • Keep copyright policy and training-data summary in order โ€” these apply to open-source too.
  • Test for systemic risk: above 10^25 FLOP or on designation, every exemption falls away.
  • Watch your own role: substantial modification can make you a provider.
  • Document your choices in your AI governance framework, so the basis for the exemption is demonstrable.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act), Art. 53-54 and recitals 102-104: exemptions for GPAI models released under a free and open licence.
  2. https://artificialintelligenceact.eu/article/53/
    Article 53 AI Act: obligations for providers of GPAI models, including the open-source nuance.

Share on LinkedIn

Read next

U

The GPAI Code of Practice: what is in it and who is it for?

The GPAI Code of Practice is a voluntary instrument (Art. 56 AI Act) that lets providers of GPAI models demonstrate compliance with their duties under Arts 53 and 55. Three chapters: transparency, copyright, safety and security.

U

Foundation models and systemic risk: the 10^25 FLOP threshold

On top of the baseline regime for general-purpose AI models, the AI Act adds a heavier regime for models with systemic risk (Art. 51-55). A compute threshold of 10^25 FLOP acts as a presumption; above it, model evaluation, risk mitigation, incident reporting and cybersecurity apply.

U

Agentic AI: how do autonomous AI agents fall under the rules?

Agentic AI โ€” systems that plan, use tools and take actions on their own โ€” has no dedicated category in the AI Act. Yet it is covered: through the GPAI regime, risk classification that follows the use, and the transparency and human-oversight duties. Open question: liability for autonomous actions.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.