Practice intelligence Current as of Jun 20, 2026
OlenderFeldman

PracticeEU AI Act

EU AI Office publishes first systemic-risk model list — three frontier models designated

What the law is now

Under the EU AI Act's GPAI chapter, models trained at or above 10^25 FLOPs are presumed to carry systemic risk and face additional obligations: adversarial testing, model evaluation, cybersecurity requirements, and serious incident reporting to the AI Office. The AI Office may also designate models below the compute threshold as systemic risk based on capability assessment.

What just shifted

Shift EU Primary source

What this adds: The AI Office's May 2026 Decision names three frontier models as systemic-risk GPAI models based on capability rather than compute alone, establishing the first concrete list of models whose providers face the full Chapter V GPAI obligation set — including mandatory third-party adversarial testing and a 90-day incident reporting clock for serious incidents.

What this puts in question: Whether providers of models used to fine-tune or distill a designated systemic-risk model inherit any of the systemic-risk obligations, or whether only the original model developer is the obligated party.

What clients should weigh

·If you develop or distribute any of the three designated models — or a fine-tuned derivative — confirm whether you are the GPAI provider subject to the systemic-risk obligations or whether your relationship to the original model puts you in the downstream deployer category.
·Do you have a process in place to complete the adversarial testing the AI Act requires for systemic-risk models, either in-house or through a qualified third party, within the timeline the AI Office expects?
·Is your serious-incident reporting process capable of notifying the AI Office within 72 hours of discovering a qualifying incident involving a designated model?
·This Decision creates a defined list — if your model or product is not on it, your obligations today are the baseline GPAI chapter, not the systemic-risk tier. But the second designation round is expected Q4 2026, and the capability assessment criteria may reach more models.
EU AI Office Decision 2026/SR-01 (May 14, 2026) ›

Watch for

· AI Office guidance on adversarial testing methodology and qualified testers

· Second systemic-risk designation round, Q4 2026

· Enforcement referrals for providers of designated models that have not completed mandatory evaluations

Ready to use

These are drafts. Edit before sending to a client.

Client alert

Draft — edit before sending to a client.

This corpus reflects one attorney's personal review. It is not a comprehensive survey. Verify scope and currency before relying on it for any matter.