
Fine-Tuning GPT or Claude: Your EU AI Act Obligations
The Short Answer: Fine-Tuning Adds Duties, It Does Not Remove Them
A hope we hear often: "We built on GPT, so compliance is OpenAI's problem, not ours." It is a comforting idea. It is also wrong, and sometimes backwards. Fine-tuning or building on a frontier model can hand you more obligations, not fewer, because of what you do with the result.
What you owe comes down to one thing: what your fine-tuned system does, and whether you ship it under your own name. The free risk check maps that in about 90 seconds, with no signup to see your result.
Who Carries What: Model Maker vs You
Two parties, two sets of duties. The maker of the base model (OpenAI, Anthropic, and the rest) is the provider of the general-purpose AI model, and carries the model-level duties under Article 53. You, when you fine-tune that model and wrap a product around it, are usually the provider of your own AI system, and a deployer of the base model underneath.
The disclosure to your users, the human oversight, the documentation for the system you shipped: those are yours. The model maker's duties do not absorb them. For the line between the two roles, see our guide to provider vs deployer.
When Fine-Tuning Makes You a Provider (Article 25)
Article 25 is the one to know. You become the provider of a high-risk system, with the full obligations, if you:
- put your own name or trademark on it,
- make a substantial modification to it,
- or change what it is used for in a way that makes it high-risk.
A substantial modification is a change the original assessment never planned for: it affects the system's compliance, or it changes what the system is used for. Fine-tuning a model and shipping it as the engine of your own product tends to land right here. The moment your name is on the box, the duties follow it.
What You Owe Depends on What It Does
Becoming a provider is not the end of the story. The size of your obligations tracks your system's risk tier, the same as any other AI system.
| What you built | Likely role | What you owe |
|---|---|---|
| A fine-tuned model shipped inside your product, under your name | Provider of your system | Duties scale to the system's risk tier |
| The base model called unchanged in an internal tool | Deployer | Lighter Article 26 duties, plus Article 50 if it is user-facing |
| A fine-tuned system doing an Annex III job, such as hiring or credit | Provider of a high-risk system | The full high-risk obligations |
So the real question is not "did we fine-tune?" It is "what does the thing we shipped actually do?" A fine-tuned support bot owes chatbot transparency. A fine-tuned hiring tool is high-risk. Same technique, very different duties.
Picture a five-person team that fine-tunes an open model into a CV-screening tool and sells it to recruiters. They wrote none of the base model, yet they are the provider of a high-risk system, with every obligation that brings. The fine-tune was the easy part. The duties came with it.
The GPAI Layer Above You
The base model sits in its own category: general-purpose AI. Its provider carries the GPAI duties, including the technical documentation and the information they pass down to you. You lean on that information to meet your own duties, which is why it flows down the chain. We cover the model-level picture in our guide to GPAI requirements.
For most small teams, fine-tuning for a product does not turn you into the provider of a general-purpose model. That bar is high, and it is about retraining at scale. What it does is make you the provider of the AI system you built. That is the duty that lands on you.
Your Next 90 Seconds
- Classify what you shipped. The risk check asks what your system does and returns your role and tier.
- Map the duties. AI Comply HQ turns that into your exact obligations and drafts the documentation. A consultant charges €10,000 or more for the same scoping. Our plans start at $97 a month, and the check is free.
- Stay ready. One dashboard, every system, every deadline.
Frequently Asked Questions
We fine-tuned GPT for our product. Are we the provider?
Usually yes, the provider of your AI system. Putting your name on it, or making a substantial modification, brings you under Article 25, with duties that scale to your system's risk tier.
Does OpenAI's or Anthropic's compliance cover us?
No. The model-level duties are theirs. The duties for the system you built and shipped are yours, including transparency and human oversight.
Are we now the provider of a general-purpose AI model?
Almost certainly not. That category is about large-scale retraining of the model itself. Fine-tuning for your product makes you the provider of the system, not the model.
What decides how much we owe?
What your system does. A limited-risk feature owes little. A high-risk one owes the full set.
For more, see how to tell if you are a provider or a deployer, whether your system is high-risk, what an AI chatbot owes, and the full EU AI Act FAQ.
Update: Where the Digital Omnibus Stands (June 12, 2026)
A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.
Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.
We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.