The EU AI Act GPAI Deadline Hits Today: A 4-Item Checklist for Indian Vendors With EU Customers
The EU AI Act GPAI obligations enter into application today (Aug 2, 2025). The 4 deliverables Indian B2B AI vendors with EU customers need now: documentation pack, training-data summary, copyright posture, and risk classification.
Manvi
August 2, 202514 min read
0%
The EU AI Act's general-purpose AI (GPAI) obligations enter into application today, August 2, 2025. As the implementation timeline confirms, any provider placing a GPAI model on the EU market on or after today is bound by the documentation, transparency, copyright, and risk-management obligations from day one. If you are an Indian B2B AI vendor selling models, agents, or AI-powered SaaS to European customers — directly or via an EU-based reseller — this advisory is the post you forward to your CTO, your data lead, and your legal counsel before Monday.
Aug 2, 2025
GPAI obligations in force
7%
Max fine (% of global turnover)
€35M
Or this floor, whichever is higher
Aug 2027
Pre-Aug-2025 models also bound
## The 60-Second Answer
If you place a GPAI model on the EU market on or after August 2, 2025, you owe the EU AI Office a documentation pack, a public training-data summary using the AI Office template, evidence of EU copyright compliance, and (for systemic-risk models) a risk-management plan. Models already on the market before today get until August 2, 2027 to comply. Enforcement teeth do not bite until August 2, 2026, but the documentation work is 4-12 weeks. Start today.
## What Counts As A "GPAI Model" For An Indian Vendor
The AI Act's definition is functional, not hard-coded by parameter count. A GPAI model is one that displays significant generality and can perform a wide range of distinct tasks, regardless of how it is placed on the market. In practice, this means:
🤖
Yes — clearly in scope
You train and ship a foundation model (10B+ params), an instruction-tuned variant, or a fine-tuned model that retains general task capability. You also count if you re-host an open-weights model with material customisation.
🔌
Maybe — fact-dependent
You ship an API wrapper around a third-party model with significant prompt engineering, retrieval-augmented generation, or tool integration. Whether you are a "downstream provider" or co-provider depends on how much you change the model behaviour.
📦
No — typically out of scope
You sell a single-purpose AI feature embedded in a SaaS app (e.g., spam classifier, OCR, narrow recommender) that does not display general capability. You may still face AI Act Article 6/system-level obligations as a deployer.
⚠️
Yes — and systemic-risk tier
If your training compute exceeds 10^25 FLOPs, you are presumed a GPAI model with systemic risk and inherit additional obligations (model evaluations, adversarial testing, serious incident reporting, cybersecurity).
## Why This Matters Now (Even If Enforcement Is A Year Away)
Three reasons. First, EU procurement teams have already started referencing the August 2, 2025 deadline in vendor questionnaires. The Commission's GPAI guidelines are the document EU enterprise buyers use to evaluate non-EU vendors — saying "we will sort it out by 2026" loses you the contract. Second, the documentation work is non-trivial: a competent training-data summary takes 3-6 weeks and requires the legal, ML engineering, and DPO functions to coordinate. Third, the August 2, 2027 grandfather date for pre-existing models means you cannot indefinitely defer — the work is going to happen anyway.
For Indian vendors specifically, the meta-risk is reputational. The first GPAI providers to publish thoughtful AI Act compliance materials will set the bar; everyone after looks like they are catching up under pressure.
## The 4-Item Checklist (What You Owe The EU AI Office)
1
Technical documentation pack (Annex XI)
Architecture, training methodology, training compute, design decisions, intended uses, restrictions on use, evaluation results, energy consumption. Maintained and updated; provided to the AI Office on request and to downstream providers automatically.
2
Public training-data summary (using AI Office template)
A "sufficiently detailed summary" of training data published using the official template. Covers data sources, licensing, scraping policies, opt-out compliance, and dataset cleaning. The template is the floor, not the ceiling — if the template field is "data sources" you fill it with named sources, not "various web data."
3
EU copyright compliance posture
Evidence that training respected the EU Directive on Copyright in the Digital Single Market (2019/790), specifically Article 4 text-and-data-mining exceptions and the opt-out mechanism. If you trained on web-scraped content, you must demonstrate respect for robots.txt, noai/nocrawl meta tags, and any other reservation-of-rights signals.
4
Risk management (systemic-risk models only)
If your training compute crossed the 10^25 FLOPs threshold or you have been notified by the AI Office, add: model evaluations against known capabilities and risks, adversarial testing, serious-incident reporting workflow, cybersecurity baseline, and energy-consumption tracking.
## The Documentation Pack — What Goes In It
Section
Required content
Typical effort
Model description
Architecture (e.g., transformer with X heads, Y layers), parameter count, context window, modality (text/code/image)
2-4 hours
Training data
Sources, sizes, licensing, language distribution, cleaning, deduplication, content filtering
## The Training-Data Summary — Where Most Indian Vendors Will Stumble
The training-data summary is the most-scrutinised obligation because it is public-facing. Common failure modes:
"We trained on a curated subset of Common Crawl." Insufficient. The AI Office template expects named source domains, the sub-corpus version, the date range, and the cleaning steps applied. "Curated" is not a description.
"We respected robots.txt." Necessary but not sufficient. The AI Office expects evidence: how was robots.txt evaluated, how were the more recent reservation signals (noai, nocrawl, the IAB AI Preferences spec) handled, what was the policy when a domain rescinded permission post-training.
"We used third-party datasets." The summary needs to identify them. Hugging Face dataset names with versions, Kaggle dataset IDs, paid corpora with vendor and licence terms. "Industry-standard datasets" will fail review.
The Code of Practice for General-Purpose AI, which most providers will sign as a presumption-of-compliance shortcut, codifies these expectations. The Code is published and signing it is the lower-friction path than self-developed compliance.
## The Copyright Compliance Test (Indian Vendor Specifics)
If you trained on web-scraped data:
Documented robots.txt evaluation policy with date stamps
Documented handling of noai/nocrawl/IAB-AI-Preferences signals
Process for honouring rescission requests (when a publisher retroactively opts out)
Carve-out for content from EU jurisdictions (the 2019/790 Directive's TDM exceptions)
Audit trail: which domains were scraped, when, with what user-agent, with what headers
Policy for handling DMCA-style takedown requests against training data
Position on ingest of paywalled content (none scraped, or specific licences obtained)
Position on ingest of pirated content (zero tolerance, with detection process)
The Indian vendor specifics: even if your training happened in India, the EU AI Act applies to any model placed on the EU market regardless of training location. So the copyright posture must satisfy EU rules, not Indian rules — even if your Indian data sources are clean under Indian law.
## The Compute Threshold Self-Test (Are You "Systemic Risk"?)
For most Indian vendors, the answer is "below threshold." If you fine-tuned an open-weights model on a domain corpus, your fine-tuning compute is well under the 10^25 floor. The systemic-risk obligations apply if you (a) trained from scratch on a frontier-scale corpus, or (b) accumulated cross-run compute that aggregates above the threshold (the AI Office reserves the right to look at it this way).
## A Real Example: 28-Staff Bengaluru AI SaaS, July 2025
A B2B vendor we work with ships an Indian-language voice and text agent SDK to European customers (a French insurance integrator and a Dutch logistics company). Their model is a fine-tuned Hugging Face-hosted base + RAG layer + tool integration. We ran the in-scope test on July 28: as a co-provider with material behaviour customisation, they qualified as a GPAI provider. Compute clearly below systemic-risk threshold. We scoped the documentation pack at 4 weeks of work: 1 week for the technical sections (engineering team), 2 weeks for the training-data summary (legal + data team + outside copyright counsel), 1 week for evaluation and risk-management write-up. Total cost: ₹3.8 lakh. Their EU customers received the published summary on August 1, one day ahead of the deadline. The Dutch buyer's procurement lead confirmed it accelerated their renewal review by 6 weeks.
## Common Mistakes Indian Vendors Are Making This Week
"We are not selling in the EU yet." Wrong test. The AI Act applies if your model is placed on the EU market. If a single EU customer can buy and use your API today, you are placing it on the EU market.
"Our model is not a GPAI." Maybe, maybe not. The functional definition is wider than founders expect. Get a written legal opinion from EU counsel before relying on this position.
"We will publish the training-data summary later." The deadline is the deadline. Saying "we are working on it" past August 2 increases your enforcement exposure when the AI Office gets full powers in August 2026.
## What You Do NOT Need To Do Today
Skip the panic spend. You do not need a €100k EU AI Act consulting engagement, a "fully audited GPAI model" certification, or to move your data centre to the EU. The actual obligations are documentation, transparency, and copyright posture — most of which can be done by your existing engineering, legal, and data team in 4-12 weeks if they follow the AI Office template.
## Pre-Submission Checklist
Legal opinion on whether you are a "GPAI provider" — written, dated, signed by EU counsel
Technical documentation pack assembled per Annex XI
Training-data summary drafted using AI Office template
Copyright compliance posture documented with evidence (robots.txt logs, opt-out handling)
Compute threshold self-assessment with FLOPs estimate and systemic-risk determination
Authorised representative in the EU appointed (if you are a non-EU provider)
Code of Practice signed (or alternative compliance pathway documented)
Internal contact for EU AI Office correspondence named
Customer-facing FAQ answering common procurement questions about AI Act posture
Quarterly review cadence set to maintain documentation as model evolves
## When This Checklist Does Not Apply To You
Skip it if (a) you do not place any AI model on the EU market — your only EU contact is a sales call that has not converted, (b) your AI offering is a single-purpose narrow system (specialised classifier, OCR engine) that does not display general capability under the AI Act test, or (c) your AI is a research artifact under research and development carve-outs (Article 2(8)) and you have not commercialised it. If you fall in the grey zone, get the legal opinion before relying on a self-assessment that you are out of scope.
## A Common Question We Get About Open-Weights Models
> "We use Llama 3.1 70B as our base model. Are we a provider or a deployer?"
It depends on what you do with it. If you redistribute the weights (e.g., publish a fine-tuned variant on Hugging Face), you are a provider with full obligations. If you serve the model behind an API to end users, you are a deployer for AI Act purposes — different and lighter obligations. If you fine-tune materially and re-host as your own product (common for vertical AI startups), you are a downstream provider with documentation obligations specific to your fine-tuning, not the full base-model obligations. Get this characterisation right; the cost difference is 5-10x. Our AI automation team has run the deployer-vs-provider analysis for two Indian SaaS clients in 2025. Our founder Vivek Singh writes about the EU regulatory environment for AI vendors on his blog.
## FAQ
### Does the EU AI Act apply to Indian vendors?
Yes, if you place an AI system on the EU market or its output is used in the EU. Training in India does not exempt you. The Act explicitly has extraterritorial scope.
### What happens if I miss the August 2 deadline?
For models placed on the EU market on/after August 2, 2025, the obligations apply immediately. Enforcement teeth (fines) come online August 2, 2026, but missed obligations during the gap are not retroactively forgiven. Document and publish as soon as feasible.
### What is the maximum fine?
For GPAI provider violations: up to €15 million or 3% of global annual turnover (whichever is higher). For non-GPAI prohibited-AI violations: up to €35 million or 7%. The AI Office has discretion on actual amounts.
### Do we need an EU representative?
Yes if you are a non-EU GPAI provider. The AI Act requires you to appoint an authorised representative established in the EU before placing your model on the EU market. Costs typically €1,500-€6,000/year for a representative service.
### Is the Code of Practice mandatory?
No. Signing the Code of Practice is voluntary but creates a presumption of compliance, which dramatically reduces your enforcement exposure and audit burden. For most Indian GPAI providers, signing is the cost-effective default.
### What about fine-tuned models from Hugging Face?
If you redistribute the fine-tuned weights, you are a downstream provider with documentation obligations specific to your fine-tuning (data sources, methodology, evaluations). The base-model provider is responsible for the base-model obligations. If you only serve the fine-tuned model behind your API, you are a deployer with lighter obligations under Article 6.
### How does this interact with the DPDP Act in India?
The two regimes are complementary. DPDP covers personal data processed in India; the AI Act covers AI-system obligations in the EU. A model trained in India on Indian data and sold to EU customers is subject to DPDP for its training operations and the AI Act for its EU placement. Compliance teams should mapped the obligations together to avoid duplicate work.
Need an EU AI Act readiness audit?
Our AI automation and engineering team runs a 4-week scoped engagement for Indian B2B AI vendors with EU customers: legal opinion shortlist, documentation pack drafting, training-data summary in the AI Office template, copyright posture audit, and customer-facing FAQ. Fixed scope, ₹3.5-7 lakh depending on model complexity. The first call is with Manvi (security and compliance) and an engineer from our AI team. Related: DPDP Act action plan, CERT-In CISG-2025-02 sprint, TalkDrill case study.