# EU AI Act & GPAI Obligations – Same-Day Leadership Brief

**Prepared for:** Alex Chen / Leadership Sync 16:30 CET  
**Date:** 2026-04-15  
**Classification:** Internal – Draft for Decision  
**Reading time:** ~7 minutes

---

## 1. Executive Summary

- **The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024** with a phased application schedule. We are now inside the active compliance window.
- **Prohibited AI practices have been enforceable since 2 February 2025.** None of doany.ai's planned products appear to fall within prohibited categories, but this needs formal legal confirmation.
- **GPAI provider obligations apply from 2 August 2025 — this date has already passed.** Any entity that "places on the EU market" a general-purpose AI model must already comply with Articles 53-55 (transparency, documentation, copyright policy, downstream-provider information).
- **High-risk AI system obligations (Annex III) apply from 2 August 2026** — roughly 3.5 months from today. The **Contract Risk Analyzer** may be classified as high-risk depending on deployment claims and context.
- **"Doany-Reasoner-8B" releasing in the EU likely makes doany.ai a GPAI model *provider***, triggering obligations that are already in force (since Aug 2025). There is no grace period remaining.
- **Harmonised standards are still under development** (CEN/CENELEC JTC 21), creating ambiguity on conformity assessment for high-risk systems — this favours a cautious launch timeline.
- **Three roadmap items require compliance gating before proceeding**: Contract Risk Analyzer Beta, Doany Model Hub, and Doany-Reasoner-8B EU Pilot.

---

## 2. Verified Enforcement Timeline

All dates per **Regulation (EU) 2024/1689, Article 113** (EUR-Lex primary text).

| Milestone | Date | Status (as of 15 Apr 2026) | Relevance to doany.ai |
|---|---|---|---|
| Entry into force | 1 Aug 2024 | ✅ Passed | Regulation is live law |
| **Prohibited practices** (Art 5) | **2 Feb 2025** | ✅ **Enforceable now** | Review all products for Art 5 exclusions |
| **AI literacy obligation** (Art 4) | **2 Feb 2025** | ✅ **Enforceable now** | Staff training & awareness required |
| AI Office established | Feb 2024 | ✅ Operational | Directly supervises GPAI providers |
| **GPAI model provider obligations** (Arts 53-55) | **2 Aug 2025** | ✅ **Enforceable now** | Applies to Doany-Reasoner-8B if placed on EU market |
| GPAI Code of Practice (final) | Mid-2025 (published) | ✅ Published | Safe-harbour guidance for GPAI compliance |
| Commission guidelines on high-risk (Art 6) | Expected 2025-2026 | ⏳ In progress | Clarifies whether Contract Risk Analyzer is high-risk |
| **High-risk AI systems** (Annex III) | **2 Aug 2026** | ⚠️ **3.5 months away** | Contract Risk Analyzer + Model Hub potentially in scope |
| High-risk AI systems (Annex I / existing legislation) | 2 Aug 2027 | 🔜 Future | Less likely to affect current roadmap |
| Penalties fully applicable | 2 Aug 2025 (prohibited); 2 Aug 2026 (all) | ⚠️ Fines up to €35M or 7% global turnover | Financial exposure is real |

> **Key quote (Art 113):** *"This Regulation shall apply from 2 August 2026"* for the general case, with the earlier dates specified for chapters on prohibited practices and GPAI.

---

## 3. GPAI Obligations Relevant to doany.ai

### 3a. Role Determination (Critical)

| Scenario | doany.ai's role | Obligations triggered |
|---|---|---|
| Integrating third-party model APIs (e.g., EU Workspace Copilot) | **Deployer** | Transparency to end-users (Art 50); human oversight; downstream monitoring |
| Hosting customer fine-tunes on third-party base models (Model Hub) | **Deployer**, potentially **provider** if substantial modification (Art 25) | If "substantial modification" = provider obligations for the modified model |
| Releasing Doany-Reasoner-8B (own fine-tuned model) on EU market | **GPAI model provider** (Art 53) | Full GPAI provider obligations — **already in force** |
| Doany-Reasoner-8B deemed to have "systemic risk" (>10^25 FLOPs or Commission designation) | **Systemic-risk GPAI provider** (Art 51 + 55) | Additional: red-teaming, incident reporting, cybersecurity, model evaluation |

> **Key quote (Art 25):** *"Any distributor, importer, deployer or other third-party shall be considered a provider… where they put their name or trademark on a high-risk AI system already placed on the market… or make a substantial modification."*

### 3b. GPAI Provider Obligations (Arts 53-55) — Already Applicable

If doany.ai releases Doany-Reasoner-8B in the EU, **these apply from day one (deadline was Aug 2025)**:

| Obligation | Article | What's required | doany.ai readiness |
|---|---|---|---|
| Technical documentation | Art 53(1)(a) | Model card, training methodology, capabilities, limitations | ❌ Not started (per roadmap) |
| Downstream provider info | Art 53(1)(b) | Sufficient info for downstream deployers to comply | ❌ Not scoped |
| Copyright policy | Art 53(1)(c) | Policy to comply with EU copyright law (incl. text & data mining opt-outs) | ❌ Unknown |
| Training data summary | Art 53(1)(d) | Detailed summary of training data (template from AI Office) | ❌ Not prepared |
| EU representative | Art 54 | Designate authorised representative if not established in EU | ❓ Unknown if EU entity exists |
| **Systemic risk** (if applicable) | Art 55 | Model evaluation, adversarial testing, incident tracking, cybersecurity | ❌ Not scoped |

### 3c. Deployer Obligations (for API-integration products)

| Obligation | Article | Applies to |
|---|---|---|
| Transparency / AI disclosure to end-users | Art 50 | EU Workspace Copilot, Contract Risk Analyzer |
| Human oversight measures | Art 14 (high-risk) | Contract Risk Analyzer (if classified high-risk) |
| Fundamental rights impact assessment | Art 27 (high-risk) | Contract Risk Analyzer (if classified high-risk) |
| Registration in EU database | Art 49 (high-risk) | Any product classified as high-risk |
| Post-market monitoring | Art 72 (high-risk) | Any product classified as high-risk |

---

## 4. Product-Roadmap Impact Assessment

### 🟢 Trust Center v2 — 2026-05-28 — LOW RISK / PROCEED

- **Impact:** Supportive. Accelerate, don't delay.
- **Action:** Ensure Trust Center design accommodates AI Act documentation requirements (model cards per Art 53; transparency disclosures per Art 50; incident reporting channel). Use this as the compliance surface.

### 🟡 EU Workspace Copilot GA — 2026-06-15 — MEDIUM RISK / PROCEED WITH CONDITIONS

- **Impact:** As a deployer integrating third-party models, obligations are lighter. However, Art 50 transparency requirements (users must be told they are interacting with AI) apply now.
- **Actions needed before launch:**
  - Implement clear AI interaction disclosure in product UI
  - Confirm upstream model provider is GPAI-compliant (request documentation)
  - AI literacy training for go-to-market team (Art 4 — already enforceable)
- **Delay needed?** No, but legal sign-off required on transparency implementation.

### 🔴 Contract Risk Analyzer Beta — 2026-07-20 — HIGH RISK / GATE

- **Impact:** Legal-text risk scoring with recommendations to SMB legal teams raises significant classification questions. Depending on how the product is positioned:
  - If marketed as influencing decisions on "access to essential private services" or used in legal/contractual contexts, it *may* fall under **Annex III, Area 5(b)** (high-risk).
  - High-risk obligations apply **2 August 2026** — 11 days after planned beta launch.
- **Actions needed:**
  - **Immediate (this week):** Commission formal legal opinion on high-risk classification.
  - **Before launch:** If high-risk: conformity assessment, EU database registration, quality management system, fundamental rights impact assessment, post-market monitoring plan.
  - **Mitigation option:** Limit beta scope/claims (e.g., "informational only, not a legal recommendation") to reduce classification risk — but this needs legal validation.
- **Delay needed?** Very likely. Recommend pushing to post-2 August 2026 to allow classification clarity and compliance build-out, or narrowing beta claims significantly.

### 🔴 Doany Model Hub (Hosted Fine-Tune) — 2026-08-30 — HIGH RISK / GATE

- **Impact:** If customers fine-tune models and doany.ai hosts/serves them under its infrastructure, Art 25 "substantial modification" rules may make doany.ai the **provider** of each fine-tuned variant. This triggers per-model GPAI obligations.
- **Actions needed:**
  - Define legal responsibility model: who is "provider" — customer or doany.ai?
  - Draft customer-facing responsibility matrix (shared-responsibility model).
  - Build documentation pipeline to generate model cards at scale.
- **Delay needed?** Not necessarily, but cannot launch without the legal responsibility framework. Gate on legal/compliance sign-off.

### 🔴 Doany-Reasoner-8B EU Pilot — 2026-09-10 — HIGH RISK / GATE

- **Impact:** Placing an in-house model on the EU market makes doany.ai a **GPAI model provider**. Obligations under Arts 53-55 are **already in force** (since Aug 2025). doany.ai must be fully compliant **before** the model is made available, not by the pilot date.
- **Actions needed (all must complete before any EU availability):**
  - Prepare full technical documentation package per Art 53(1)(a)
  - Create downstream-provider information pack per Art 53(1)(b)
  - Establish copyright/TDM compliance policy per Art 53(1)(c)
  - Produce training data summary per AI Office template per Art 53(1)(d)
  - Determine if model crosses systemic risk threshold (10^25 FLOPs)
  - Appoint EU authorised representative if needed (Art 54)
- **Delay needed?** Pilot date itself may be feasible if compliance workstream starts immediately, but there is **zero grace period** — obligations are already live. Any "soft launch" or early access in the EU without compliance = immediate regulatory exposure.

---

## 5. Contradictions & Open Questions

| Item | Issue | Recommended resolution |
|---|---|---|
| Contract Risk Analyzer classification | Annex III high-risk categorisation is context-dependent; Commission Art 6(5) guidelines not yet finalised as of this date | Seek external legal opinion; monitor AI Office publications weekly |
| "Substantial modification" threshold | Art 25 does not precisely define what fine-tuning qualifies as "substantial modification" | Conservative assumption: treat own-branded fine-tunes as provider-triggering; seek legal memo |
| Harmonised standards gap | CEN/CENELEC standards for high-risk conformity still in development | Cannot rely on standards-based conformity path yet; plan for self-assessment route |
| Systemic risk classification for Doany-Reasoner-8B | 8B parameter model unlikely to hit 10^25 FLOP threshold, but Commission can designate based on other criteria | Confirm training compute; prepare for possibility of designation if model gains high reach |
| No EU AI Act program owner | Roadmap doc confirms no designated owner (Legal vs Product Compliance) | **Decide today** — this is blocking all downstream compliance work |
| EU legal entity status | Unknown whether doany.ai has EU establishment | Determines Art 54 authorised-representative requirement; confirm with Legal |

---

## 6. Immediate Actions for Leadership Decision

### TODAY (15 April 2026)

- [ ] **Designate an EU AI Act program owner** — Legal or Product Compliance. This is the single biggest blocker.
- [ ] **Decision: proceed or pause** on Contract Risk Analyzer beta timeline. Recommendation: pause and re-plan for post-August 2026 with compliance gating.
- [ ] **Decision: confirm or deny** EU market placement intent for Doany-Reasoner-8B. This determines whether GPAI provider obligations (already in force) need immediate action.

### THIS WEEK

- [ ] Commission external legal opinion on: (a) Contract Risk Analyzer high-risk classification; (b) Model Hub provider/deployer split; (c) "substantial modification" threshold for hosted fine-tunes.
- [ ] Begin AI literacy training program rollout (Art 4 obligation is already enforceable).
- [ ] Verify upstream model providers' GPAI compliance status for EU Workspace Copilot.

### THIS QUARTER (Q2 2026)

- [ ] Stand up Art 53 documentation pipeline for Doany-Reasoner-8B (model card, training data summary, copyright policy, downstream info pack).
- [ ] Accelerate Trust Center v2 to serve as the compliance documentation surface.
- [ ] Establish incident reporting process and post-market monitoring framework.
- [ ] Evaluate EU authorised representative appointment.
- [ ] Begin conformity assessment prep for any high-risk classified products.

---

## Source Summary

| # | Source | Type | Credibility |
|---|---|---|---|
| 1 | Regulation (EU) 2024/1689 (EUR-Lex full text) | Primary law | High |
| 2 | European Commission AI Office – GPAI information page | Official guidance | High |
| 3 | Commission Guidelines on Prohibited AI Practices (C/2025/861) | Official guidelines | High |
| 4 | GPAI Code of Practice (AI Office) | Official publication | High |
| 5 | Regulation (EU) 2024/1689 – Annex III (high-risk areas) | Primary law | High |
| 6 | Regulation (EU) 2024/1689 – Art 25 (provider re-classification) | Primary law | High |
| 7 | CEN/CENELEC standardisation process | Official process | Medium |

Full source details with URLs and key quotes available in `source-tracker.csv`.

---

*Brief prepared 2026-04-15. Based on EU AI Act as published (OJ L 2024/1689, 12 July 2024) and publicly available AI Office guidance through early 2026. Does not constitute legal advice — formal legal review recommended for all gating decisions identified above.*