Understanding Open-Source AI Under the EU AI Act: Definition, Exemptions, and Compliance Requirements

How does the EU AI Act define open-source AI?

The EU AI Act provides for a narrow exemption for some open-source AI models from its regulatory obligations. The EU AI Act does not include one specific definition of ‘open source’. However, the Act defines software and data, including models, as being made available under a free and open-source licence if released under a licence that ‘allows them to be openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof’.

On 18 July 2025, the Commission released its Guidelines explaining what general-purpose AI model providers must do under the EU AI Act (the ‘Commission Guidance’), which also offers advice on understanding the rules of the EU AI Act concerning open-source models. The guidance states that “free and open-source” should be understood as a form of licensing that utilises copyright to allow for the wide dissemination of the model and incentivise further development. It also provides guidance on the scope and interpretation of each of the rights to ‘access, use, modify and redistribute’. For example, ‘access’ is defined as ‘the right of anyone interested to freely obtain the model without any payment requirements or other restrictions’, where ‘reasonable safety and security measures, such as user verification processes, may be implemented provided that they do not unfairly discriminate against persons, for example, based on their country of origin’.

In respect of GPAI models, the EU AI Act also states that:

General-purpose AI models that are released for free and open use should be seen as important for transparency and openness if their details, like the weights, model design, and how the model is used, are shared with the public. The license should also be considered free and open-source when it allows users to run, copy, distribute, study, change, and improve software and data, including models, under the condition that the original provider of the model is credited and the identical or comparable terms of distribution are respected.

Importantly, the EU AI Act does not require that datasets used for training or fine-tuning models be made freely available, allowing developers to benefit from the exemption discussed below. Some organisations argue that stricter regulatory and transparency requirements may be needed if community norms do not lead to sufficient transparency regarding the datasets used to train AI. See, for example, this blog, ‘AI Act fails to set meaningful dataset transparency requirements for open source AI’, by Open Future.

A narrow exemption for open-source AI

Article 2 (12) of the EU AI Act states that the Act does not apply to AI systems released under ‘free and open-source software licenses’, subject to certain caveats (discussed in detail below). Recital 89 of the EU AI Act explains the rationale for this exemption, stating that ‘third parties making accessible to the public tools, services, processes, or AI components apart from GPAI models should not be mandated to comply with requirements targeting the responsibilities along the AI value chain, in particular towards the provider that has used or integrated them, when those tools, services, processes, or AI components are made accessible under a free and open-source licence’.

There are a number of caveats to the exemption in Article 2 (12) that have led some commentators to question how many open models will really be able to benefit from it.

Firstly, the exemption in Article 2 (12) applies to AI systems, but it does not apply to GPAI models, such as GPT-4.

Secondly, it also does not apply to high-risk AI systems (for example, those used in settings such as critical infrastructure, education and vocational training, employment, essential private services, law enforcement, migration and asylum, and remote biometric identification systems). This is a significant carve-out because the EU AI Act adopts a risk-based approach that imposes the greatest regulatory obligations on high-risk AI systems. Therefore, excluding high-risk systems from the exemption significantly lessens its practical impact.

The transparency and disclosure requirements for specific types of systems under Article 50 (such as chatbots, systems that generate synthetic outputs and deepfakes, and systems that are used for emotion recognition or biometric categorisation) also apply, regardless of whether these kinds of systems are released under a free and open-source license. Providers/deployers of these types of systems will have to comply with the specific requirements that apply to the use or provision of the relevant type of system (e.g., synthetic outputs must be marked in a machine-readable format and detectable as artificially generated or manipulated).

However, the transparency requirements that apply to GPAI model providers under Article 53(1)(a) and (b)—namely, to draw up and keep up-to-date detailed technical information about the model for the purpose of making it available both to the AI Office on request and to providers of systems incorporating such models—do not apply to those general-purpose models that are made available under free and open-source licenses, unless these present a systemic risk. Systemic risk is defined as ‘a risk that is specific to the high-impact capabilities of GPAI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the society as a whole, that can be propagated at scale across the value chain’. Currently, there is uncertainty about which models, including open-source models, will ultimately fall into this category, and there is potential for revisions to the EU AI Act in this regard to accommodate advancements in the state of the art. The EU AI Act currently specifies that a GPAI model shall be presumed to have high-impact capabilities when the cumulative amount of computation used for its training, measured in floating-point operations, exceeds 10^25. The Commission can classify a GPAI model as having systemic risk based on the criteria specified in Annex XIII, which include factors such as the number of parameters, the quality or size of the dataset, the amount of computation used for training, the input and output modalities of the model, its benchmarks and evaluations, its capabilities, its potential high impact on the internal market due to its reach, and the number of registered end-users.

Providers of GPAI models made available under free and open-source licences are still subject to the requirements in Article 53(c) and (d) to establish a policy to comply with Union law on copyright and to draw up and make publicly available ‘a sufficiently detailed summary about the content used for training of the GPAI model, according to a template provided by the AI Office’.

The prohibitions on certain types of AI systems pursuant to Article 5 (such as those used for subliminal techniques and manipulation of people’s behaviour, social scoring, and real-time remote biometric identification, categorisation, and emotion recognition, aside from specific exceptions) apply irrespective of the licensing model, including free and open-source releases.

Lastly, it’s crucial to remember that the exemption does not apply to providers who monetise their open-source AI products (see Recital 103). The Centre for Data Innovation, a group that looks at how data, technology, and public policy work together, has pointed out an important warning, stating that ‘any company trying to make money from its open-source AI products, like by charging for technical support or using ads to pay for expenses, wouldn’t be able to benefit from this exemption’. The Commission Guidance includes some examples of how this provision should be understood, which generally seems to support this broad interpretation, confirming that ‘monetisation should be understood as encompassing not only the provision of the model against a price but also other types of monetisation strategies’. However, it does specify that ‘paid services or support…made available alongside the model, without any purchase obligation’ would not be considered a relevant ‘monetisation’ for the purposes of dis-applying the exemption, ‘as long as the model’s usage and free and open access are guaranteed’.

The EU AI Act also exempts AI systems or AI models, including their output, specifically developed and put into service for the sole purpose of scientific research and development (Article 2); however, a recital clarifies that ‘that exclusion is without prejudice to the obligation to comply with this Regulation where an AI system falling into the scope of this Regulation is placed on the market or put into service as a result of such research and development activity’.

Considerations for organisations evaluating the implementation of open-source AI technologies

Given the above, businesses that plan to develop or use open-source AI technologies should be aware that there are limited exemptions from the compliance obligations under the EU AI Act, where it otherwise applies.

However, there can be benefits to leveraging open-source technologies. One consideration may be the cost savings on licence fees (notwithstanding that the computing requirements may still be expensive and that some open-source models may be hosted as a cost-per-query service). Open-source models may also offer more flexibility, enabling businesses to modify code to suit specific requirements, and some people believe they are more secure, as the community development model allows for greater scrutiny of potential vulnerabilities. For open-source models that are run locally on a company’s own infrastructure, companies may also be able to avoid sending data to external servers.

Notwithstanding the potential benefits, as with other kinds of open-source software, businesses need to be aware that:

• Licences for open models will typically disclaim warranties and indemnities.

• Licences need to be carefully reviewed for issues such as compatibility with other licences or difficult termination provisions. Terms of this nature will limit how a business may be able to exploit any developments it makes to or by using open-source AI.

• Businesses need to take particular care to look out for licences that contain hardcore copyleft provisions that require the disclosure of the source code of any modified work, including any proprietary elements.

• Where models are not subject to stringent transparency requirements, businesses may have less visibility over aspects such as the datasets used to train the models.

Businesses should develop an overall compliance and risk strategy for using open-source AI models that is integrated into wider AI and open-source organisational policies.
