Article 100 of Regulation (EU) 2024/1689 — Penalties applicable to providers of general-purpose AI models. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 100 of Regulation (EU) 2024/1689 establishes the penalty regime specifically applicable to providers of general-purpose AI models (GPAI models), including those with systemic risk. It operates as a lex specialis within Title XII, complementing the broader penalty framework of Article 99 which governs high-risk AI systems and prohibited practices.
Under Article 100, providers of GPAI models who fail to comply with the obligations set out in Chapter V (Articles 53–56) are subject to administrative fines of up to €15 million or 3% of their total worldwide annual turnover for the preceding financial year, whichever is higher. For providers of GPAI models with systemic risk, additional or aggravated penalties may apply in respect of obligations specifically attached to systemic risk classification under Articles 55 and 56.
The article also provides that the supply of incorrect, incomplete, or misleading information to notified bodies, competent authorities, or the European AI Office in response to a request constitutes a sanctionable infringement. Fines of up to €750,000 may be levied for providing such misleading information, irrespective of the overall turnover threshold.
When determining the appropriate penalty, competent authorities must take into account the nature, gravity, and duration of the infringement, whether the infringement was intentional or negligent, the size and market share of the provider, any action taken to mitigate harm, and the degree of cooperation with supervisory authorities.
What This Means in Practice
Article 100 directly affects any legal or natural person that places a general-purpose AI model on the EU market or puts it into service, regardless of whether that provider is established within the European Union or outside it.
For a large frontier model provider — such as a company training and deploying a foundation model used by downstream application developers across the EU — non-compliance with the GPAI transparency obligations under Article 53 (e.g., failure to produce adequate technical documentation, failure to provide information to downstream providers, or failure to maintain a compliant EU copyright policy) can trigger fines reaching 3% of global annual turnover. For companies with revenues in the billions, this translates into nine-figure penalty exposure.
Providers of GPAI models that the European AI Office has classified as posing systemic risk (typically models trained with compute exceeding 10^25 FLOPs, per Article 51) face an elevated compliance burden under Articles 55 and 56, covering adversarial testing, incident reporting, cybersecurity obligations, and energy efficiency reporting. Failure on any of these fronts exposes the provider to penalties under Article 100.
In practical terms, compliance requires providers to implement robust documentation workflows before model release, establish clear contractual information flows to downstream deployers, appoint an EU representative if headquartered outside the Union, and maintain an active relationship with the European AI Office. Providers should also ensure that all responses to AI Office requests for information are accurate, complete, and timely — as misleading or incomplete responses are independently sanctionable regardless of underlying model compliance status.
Key Obligations
- Technical documentation: Providers must prepare, maintain, and update technical documentation for their GPAI models in accordance with Annex XI before placing the model on the market (Article 53(1)(a)).
- Downstream information: Providers must make available to downstream providers all necessary information and documentation to enable those providers to fulfil their own obligations under the Regulation, including details on capabilities, limitations, and training data provenance where applicable (Article 53(1)(b)–(c)).
- Copyright compliance policy: Providers must put in place a policy to respect EU copyright law, in particular as regards text and data mining under Directive (EU) 2019/790, and publish a sufficiently detailed summary of content used in training (Article 53(1)(d)–(e)).
- Systemic risk assessment and adversarial testing: Providers of GPAI models with systemic risk must conduct model evaluations, including adversarial testing, prior to and following release, and report serious incidents to the AI Office without undue delay (Articles 55–56).
- Accurate information to authorities: Providers must ensure that any information supplied to the European AI Office, national competent authorities, or notified bodies is correct, complete, and not misleading; standalone fines of up to €750,000 apply for infringements of this obligation.
- Cooperation with the AI Office: Providers are required to cooperate with investigations, audits, and requests for access to documentation initiated by the European AI Office under Articles 88–90.
Relationship to Other Articles
Article 100 must be read in close conjunction with Chapter V (Articles 51–56), which defines the substantive obligations for GPAI model providers and forms the primary source of duties whose infringement triggers the penalties under this article. Article 51 establishes the systemic risk classification threshold; Articles 53–54 set out baseline transparency and documentation requirements for all GPAI models; Articles 55–56 impose the enhanced obligations applicable only to systemic-risk models.
Within Title XII, Article 100 sits alongside Article 99 (general penalty regime for high-risk systems and prohibited practices) and Article 101 (penalties applicable to Union institutions and bodies). The supervisory framework underpinning enforcement is established in Chapter VIII, particularly Articles 88–90 governing the powers and investigative tools of the European AI Office. Article 94 on confidentiality and Article 95 on data protection are also relevant to the procedural conduct of any investigation that precedes a penalty decision.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. Its provisions apply in a phased manner:
- 2 February 2025: Prohibitions on unacceptable-risk AI practices (Article 5) became applicable.
- 2 August 2025: Chapter V obligations for GPAI model providers (Articles 51–56), and consequently the penalty regime under Article 100, became fully applicable. Providers of GPAI models already on the market before this date had until 2 August 2025 to bring their models into conformity.
- 2 August 2026: General-purpose AI codes of practice are expected to be finalised by this date, providing detailed guidance on how to meet the obligations underpinning Article 100 penalties.
- 2 December 2026 / 2 August 2027: High-risk AI system obligations under Annexes I and III become applicable (Article 99 territory), but Article 100 GPAI obligations are already in full force by August 2025.
Providers should treat August 2025 as the operative compliance deadline for all Article 100 exposure, with no transitional grace period available for newly released GPAI models after that date.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Providers of general-purpose AI models (GPAI) can face fines of up to €15 million or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher, for non-compliance with obligations specifically applicable to GPAI model providers.
Article 100 applies exclusively to providers of general-purpose AI models as defined in Article 3(63) of Regulation (EU) 2024/1689. This includes both providers of standard GPAI models and providers of GPAI models with systemic risk.
Providers of GPAI models released under free and open-source licences benefit from certain limited exemptions under the EU AI Act, but they are not entirely exempt from Article 100 penalties if they infringe applicable obligations, particularly those relating to GPAI models with systemic risk.
Article 99 covers penalties for infringements involving high-risk AI systems and prohibited practices, with higher maximum fines of up to €35 million or 7% of turnover. Article 100 is a dedicated, separate regime for GPAI model providers with its own penalty caps calibrated to the specific obligations of Chapter V.
The European AI Office has investigative and supervisory powers over GPAI model providers under Articles 88–90. Penalties are formally imposed by national market surveillance authorities or via the mechanisms established under Chapter VIII, but the AI Office plays a central role in the process for GPAI models.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.