Open-source AI Model and the Artificial Intelligence Act: Applicable Obligations

"We use an open-source AI model, so the RIA doesn't apply to us." This assertion, regularly heard from companies integrating AI into their work processes, is false in the vast majority of cases.

The European Artificial Intelligence Act (RIA), which fully enters its application timeline in 2025, does indeed provide for an exemption for open-source AI models and systems. However, this exception is narrow. It does not exempt the professional user of an open-source model from complying with most of the regulation's central provisions.

A breakdown of the obligations that truly apply, the updated timeline after the Digital Omnibus of May 7, 2026, and other legal risks that open source does not mitigate.

The RIA's open-source exemption

Article 2 §12 of the RIA stipulates that the regulation does not apply to AI systems published under free and open licenses. Three major exceptions significantly limit the scope of this exemption:

  • High-risk systems, listed in Annex III of the RIA (HR, credit scoring, education, justice, biometrics, etc.).
  • The prohibited practices under Article 5.
  • The transparency obligations under Article 50 (deepfakes, emotional AI, biometric categorization, synthetic content disseminated to the public).

Recital 103 of the RIA adds a fourth exception: AI components provided for remuneration or monetized do not benefit from the open-source exemption.

For general-purpose AI models (GPAI), Article 53 §2 provides a distinct exemption that partially exempts open-source model providers from technical documentation obligations. However, this exemption does not cover the copyright compliance policy obligation (Article 53 §1 c), nor the obligation to publish a detailed summary of training data (Article 53 §1 d), published according to the template provided by the AI Office on July 24, 2025. And it does not apply at all if the model presents a systemic risk within the meaning of Article 55.

Three RIA articles that apply to any professional user of an open-source model

If you use an open-source model for production (image generation, brainstorming, code, internal scoring, writing), three provisions of the RIA apply regardless of the open-source nature of the model.

Article 4: Sufficient user training

Article 4 of the RIA, applicable since February 2, 2025, requires any organization deploying AI to ensure a sufficient level of knowledge and training for the people using it. The nature of the model (proprietary or open source) has no bearing on this obligation. Training must be proportionate to actual uses and the profile of internal users.

Article 5: Prohibited practices

Article 5 of the RIA prohibits certain practices within the European Union, regardless of the type of model used:

  • manipulation of behavior through subliminal techniques;
  • exploitation of vulnerabilities related to age, disability, or social or economic situation;
  • social scoring by public authorities;
  • untargeted facial recognition from the internet or video surveillance;
  • emotion inference in the workplace or education, excluding strictly medical or security uses;
  • biometric categorization based on sensitive characteristics.

The Digital Omnibus of May 7, 2026, adds a new prohibition: AI-generated non-consensual intimate content and child sexual abuse material. Penalties can reach 35 million euros or 7% of global turnover.

Article 26: Obligations of a High-Risk System Deployer

If you use a model, even open source, for a function falling under Annex III of the AI Act (CV pre-screening, credit scoring, decisions affecting access to education or essential services, biometric identification), you assume the status of a "high-risk system deployer." The specific obligations of Article 26 then apply: human oversight, transparency towards affected individuals, log retention, and, in certain cases (public bodies, public service providers, deployers of credit scoring or life and health insurance), conducting a fundamental rights impact assessment under Article 27.

The political agreement on the Digital Omnibus of May 7, 2026, has postponed the application of these obligations to December 2, 2027, for high-risk systems under Annex III, and to August 2, 2028, for those under Annex I. This formal adoption is still expected before August 2, 2026.

Article 50: Transparency of Synthetic Content

Article 50 imposes transparency obligations on professional users of certain AI systems:

  • inform individuals when they interact with an AI system;
  • label synthetic content (image, sound, video, text) disseminated to the public;
  • disclose the use of an emotional AI system or biometric categorization to exposed individuals;
  • flag deepfakes and certain AI-generated texts published on topics of general interest.

The Digital Omnibus reduced the grace period from six to three months and set the new deadline for labeling AI-generated content to December 2, 2026. The open-source exemption under Article 2 §12 does not apply to these obligations.

Updated AI Act Timeline after the Digital Omnibus of May 7, 2026

On May 7, 2026, the Council and Parliament reached a provisional political agreement on the Digital Omnibus on AI, confirmed by Member State representatives on May 13, 2026. This agreement, currently undergoing formal adoption expected before August 2, 2026, significantly modifies the AI Act's application timeline:

  • Obligations on general-purpose models (Article 53): unchanged, applicable since August 2, 2025.
  • Prohibitions under Article 5: applicable since February 2, 2025.
  • AI literacy obligation (Article 4): applicable since February 2, 2025.
  • Obligations on high-risk systems under Annex III (Article 26): postponed from August 2, 2026, to December 2, 2027.
  • Obligations for Annex I high-risk systems: postponed from August 2, 2027, to August 2, 2028.
  • Labeling of synthetic content (Article 50): new deadline set for December 2, 2026.
  • National regulatory sandboxes: postponed to August 2, 2027.

The postponement of obligations for high-risk systems does not remove other obligations. It offers a window for compliance, not an exemption.

Beyond the AI Act: GDPR, copyright, contractual liability

For a professional user of an open-source model, the real points of legal exposure often lie outside the AI Act.

GDPR applies fully as soon as personal data processing is involved. For an open-source model used in production, the central issues are the legal basis for processing, the qualification of responsibilities (data controller, data processor), transfers outside the EU when the model is hosted abroad, and the risk of personal data disclosure in the outputs (regurgitation, overtraining).

Copyright law governs the outputs generated by the model. A recent decision by the Munich court (February 13, 2026) and the USCO report (January 2025) agree on one point: a general and open prompt is not sufficient to characterize a human creative effort protectable by copyright. The open-source model's license must also be read carefully: not all licenses permit commercial use, some impose redistribution conditions, and others restrict high-risk uses.

Contractual liability must be anticipated with regard to your own clients. If a creative deliverable or professional advice was produced with the help of an AI model, do your existing contracts authorize it? Do your liability clauses cover this case? Do your originality guarantees hold up against an AI-produced deliverable?

How to prepare

Three questions structure the assessment of your legal exposure before or during the use of an open-source AI model:

  • Are your teams trained to the level required by Article 4 of the AI Act?
  • Do your uses fall into a category with enhanced transparency (Article 50) or a high-risk function (Article 26)?
  • Do your client contracts and the model's license cover the use you make of it?

A mapping of internal uses, complemented by an audit of applicable contracts and an update of internal policies, helps stabilize the framework. This approach is the opposite of a formal compliance process: it starts with actual practices to identify applicable requirements, not the other way around.

Frequently Asked Questions

Does the AI Act apply to open-source AI models?

Yes, for the most part. Article 2(12) of the AI Act provides an exemption for models and systems released under a free and open-source license, but this exemption does not cover high-risk systems, prohibited practices under Article 5, or transparency obligations under Article 50. For general-purpose models, the exemption in Article 53(2) is partial and does not waive copyright policy or the training data summary.

What are the AI Act obligations for a professional user of an open-source model?

Three articles always apply: Article 4 on AI literacy (applicable from February 2, 2025), Article 50 on transparency and labeling of synthetic content, and, if the use falls under a high-risk function, Article 26 on the deployer's obligations.

Does the Digital Omnibus of May 7, 2026 change open-source obligations?

The political agreement on the Digital Omnibus postpones certain deadlines. Obligations for high-risk systems are pushed back to December 2, 2027 (Annex III), and the labeling of synthetic content to December 2, 2026. Obligations for general-purpose models remain applicable from August 2, 2025, unchanged.

What are the legal risks beyond the AI Act for professional use of an open-source model?

The GDPR remains fully applicable (legal basis, transfers outside the EU, data injected into the model). Copyright law governs outputs and requires verification of the model's license. Contractual liability towards clients must be anticipated when deliverables are produced with AI.