Last reviewed: April 10, 2026
Jurisdictions covered: EU (primary), US, UK, and China (comparison)
Reading time: 19 minutes
Open Source AI and the EU AI Act: What the Exemptions Actually Cover
A developer in Berlin publishes a fine-tuned language model on Hugging Face under an MIT licence. A company in Amsterdam integrates Meta’s Llama into a hiring tool. A research institute in Lyon releases its proprietary model under Apache 2.0.
Each of these people assumes the EU AI Act treats open-source AI differently. They are right — but not in the way they expect.
The AI Act does include specific provisions for open-source AI. Article 53(2) exempts open-source GPAI models from two of the four baseline GPAI obligations. But the exemption has conditions that disqualify most commercially relevant models, it vanishes entirely for models with systemic risk, and it provides zero relief when open-source components are deployed in high-risk AI systems. The exemptions are narrower, more conditional, and more contested than most coverage suggests.
This article maps exactly which exemptions apply, which do not, and what developers, companies, and model providers each need to do.
Key Takeaways
- The EU AI Act applies to open-source AI. Article 53(2) provides a partial exemption for GPAI models only — not for AI systems generally. Prohibited practices (Art. 5) apply to all AI systems regardless of licence.
- The exemption covers only 2 of 4 baseline GPAI obligations. Technical documentation and downstream information sharing are exempted. Training data summaries and copyright compliance are not.
- Most “open-source” models do not qualify. The licence must permit unrestricted use, parameter access, modification, and redistribution. Llama’s 700M MAU threshold, DeepSeek’s use-based restrictions, and BLOOM’s RAIL conditions all disqualify.
- Systemic risk overrides everything. Models above the 10^25 FLOPs threshold lose the open-source exemption entirely, regardless of licence. Llama 3.1 405B and DeepSeek-V3 both likely exceed this.
- Deployers get no exemption. If you build a high-risk system using an open-source model, you face the same obligations as if you built it from scratch.
Does the EU AI Act Apply to Open-Source AI?
Yes. The AI Act applies to all AI systems placed on the EU market or used within the EU, regardless of licence. Open-source status does not create a blanket exemption.
What exists is a partial exemption for a specific category: GPAI models released under qualifying open-source licences. This exemption lives in Article 53(2) and applies only to model-level provider obligations. It does not extend to:
- AI system obligations (Chapter III) — if your AI system is classified as high-risk under Annex III, full obligations apply regardless of whether the underlying model is open-source
- Prohibited practices (Art. 5) — all eight bans apply to every AI system, open-source or not
- Transparency obligations (Art. 50) — disclosure requirements for systems interacting with people, generating deepfakes, or performing emotion recognition still apply
The exemption benefits the model provider, not the downstream deployer. This distinction matters for the three scenarios we walk through below.
What Exactly Does Art. 53(2) Exempt?
GPAI models that qualify for the open-source exemption are exempt from two of four baseline obligations under Art. 53(1):
| GPAI Obligation | Exempt for Open Source? | What This Means |
|---|---|---|
| (a) Technical documentation | Yes — exempt | No obligation to prepare and maintain the technical documentation described in Annex XII |
| (b) Downstream information | Yes — exempt | No obligation to provide information and documentation to downstream AI system providers |
| (c) Copyright compliance policy | No — still required | Must implement a policy to comply with EU copyright law, including the text and data mining opt-out (Art. 4, Directive 2019/790) |
| (d) Training data summary | No — still required | Must publish a sufficiently detailed summary of training data using the Commission’s template (published July 24, 2025) |
The exemption removes the documentation burden — not the transparency or copyright obligations. Open-source GPAI providers still must publish training data summaries and maintain copyright compliance policies, even if they are individual developers releasing models on GitHub.
For the full GPAI obligation framework, see our GPAI obligations guide.
What Qualifies as “Open Source” Under the AI Act?
This is where the complexity starts. The AI Act does not adopt any existing definition of open source. It creates its own standard in Art. 53(2): the model must be “released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available.”
Four licence requirements must be met simultaneously:
1. Use — the licence must permit use of the model without restriction
2. Access to parameters — weights, architecture information, and usage documentation must be publicly available
3. Modification — the licence must permit modification of the model
4. Redistribution — the licence must permit distribution of the model and derivatives
These requirements are stricter than they appear. A licence that permits use but caps it at 700 million monthly active users (Llama) fails criterion 1. A licence that permits use but prohibits certain applications (BLOOM’s RAIL conditions, DeepSeek’s use-based restrictions) also fails criterion 1.
How Does This Compare to the OSI Definition?
The Open Source Initiative finalized OSAID v1.0 (Open Source AI Definition) in October 2024. It requires four freedoms — use, study, modify, share — plus access to three components: data information, code, and parameters.
| Requirement | EU AI Act Art. 53(2) | OSAID v1.0 | “Open Weights” |
|---|---|---|---|
| Use without restriction | Required | Required | Varies |
| Access to parameters/weights | Required (publicly available) | Required (OSI-approved terms) | Yes (this is the defining feature) |
| Modification | Required | Required | Usually permitted |
| Redistribution | Required | Required (“Share”) | Usually permitted |
| Access to training code | Not required | Required | Not required |
| Training data information | Not required for exemption (but summary required under Art. 53(1)(d)) | Required (descriptions, provenance, not actual data) | Not required |
| No monetization | Required (Recital 102) | Not a condition | Not a condition |
The AI Act is narrower in some ways (no-monetization condition) and broader in others (does not require training code or data information for the exemption itself). Neither the AI Act nor OSAID requires access to the actual training data — only information about it.
OSAID itself has been controversial. Critics including OSI co-founder Bruce Perens argue that not requiring training data access enables “openwashing.” The OSI Executive Director departed in September 2025, and the definition has not been updated since v1.0.
Our view: The three definitions — AI Act, OSAID, and “open weights” — overlap but do not align. For compliance purposes, only the AI Act’s own standard matters. A model can satisfy OSAID and still fail the AI Act test (if monetized), or pass the AI Act test while OSAID purists reject it (if training code is not shared).
What Disqualifies a Licence?
The AI Act and Commission Guidelines (July 2025) identify specific disqualifying conditions:
- Non-commercial use restrictions — a licence permitting only non-commercial use fails criterion 1
- Research-only restrictions — same failure
- User-size thresholds — a licence that restricts use above a certain user count (Llama’s 700M MAU) fails criterion 1
- Mandatory commercial licensing — requiring a separate commercial licence for certain uses fails
Permissible conditions that do NOT disqualify:
- Attribution requirements
- Copyleft / share-alike provisions
- Safety-oriented restrictions — the Commission’s July 2025 Guidelines added a late provision allowing restrictions that “reasonably restrict usage in applications or domains” where use could pose significant health, security, or safety risks
When Does Monetization Kill the Exemption?
Recital 102 is direct: “AI components provided against a price or otherwise monetised, including through the provision of technical support or other services, including through a software platform, related to the AI component, or the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software, should not benefit from the exemptions.”
Four monetization patterns disqualify:
1. Dual licensing — releasing the model as open-source for some users while charging others
2. Weight access fees — charging for access to model parameters
3. Hosted-access dependency — providing the model primarily through a paid API or cloud service where the open-source release is functionally secondary
4. Personal data conditioning — requiring users to provide personal data processed for commercial benefit (beyond security, compatibility, or interoperability)
This condition has no equivalent in standard open-source licensing. A company could release a model under Apache 2.0 — satisfying all four licence criteria — and still lose the exemption if it monetizes the model directly or indirectly. The monetization condition is the sleeper issue in the AI Act’s open-source treatment: it catches business models that appear open but are commercially driven.
When Does Systemic Risk Override the Exemption?
The open-source exemption does not apply to GPAI models with systemic risk (Art. 51). A model is classified as systemic risk if it:
- Exceeds 10^25 FLOPs of cumulative training compute, or
- Is designated by the Commission based on criteria including high-impact capabilities, reach, or number of registered users
For systemic risk models, the full GPAI obligation set applies — including all Art. 53(1) obligations plus the additional Art. 55 requirements (adversarial testing, incident tracking, cybersecurity protections, energy consumption reporting). The licence is irrelevant once the threshold is crossed.
As of April 2026, the Commission has not published guidance on how to count FLOPs for Mixture-of-Experts (MoE) architectures — a gap that creates uncertainty for models like DeepSeek-V3 (671B total parameters, 37B active per token) and Mistral Large 3 (675B total, 41B active MoE). If total FLOPs are counted, both likely exceed the threshold. If only active-parameter FLOPs count, they may fall below it. The Commission is empowered to adopt delegated acts on measurement methodology (Art. 53(5)) but has not yet done so.
For the full systemic risk framework, see our GPAI obligations guide.
Which Models Actually Qualify for the Exemption?
This is the question practitioners want answered. We assessed seven prominent model families against the AI Act’s Art. 53(2) criteria:
| Model | Licence | Unrestricted Use? | Params Public? | Modify/Redistribute? | Monetization? | Est. FLOPs | >10^25? | Qualifies? |
|---|---|---|---|---|---|---|---|---|
| Mistral 7B / Mixtral / Mistral Large 3 | Apache 2.0 | Yes | Yes | Yes | Apache = no monetization gate | <10^25 (smaller models) | No (most) | Yes |
| Qwen 2.5 (Alibaba) | Apache 2.0 | Yes | Yes | Yes | No monetization gate | ~10^24 | No | Yes |
| Gemma 4 (Google) | Apache 2.0 (new, Apr 2026) | Yes | Yes | Yes | No monetization gate | <10^25 (est.) | No | Yes |
| Falcon 40B (TII) | Apache 2.0 | Yes | Yes | Yes | No monetization gate | <10^24 | No | Yes |
| Llama 3.1 405B (Meta) | Meta Community License | No — 700M MAU cap, competitor clause | Yes | Restricted | Indirect monetization | ~3.8×10^25 | Yes | No (licence + systemic risk) |
| DeepSeek-V3 (DeepSeek) | MIT (code) + DeepSeek License (weights) | No — use-based restrictions | Yes | Conditional | Indirect | ~2.7×10^25 | Likely yes | No (licence + likely systemic risk) |
| BLOOM 176B (BigScience) | OpenRAIL-M | No — behavioural restrictions | Yes | Conditional | No gate | ~10^23 | No | Likely no (licence) |
The pattern is clear: only models released under genuinely permissive licences (Apache 2.0, MIT without additional restrictions) qualify. Custom licences with use-based restrictions, user-size thresholds, or competitor clauses fail.
Google’s shift from the restrictive Gemma Terms of Use (Gemma 2) to Apache 2.0 (Gemma 4, April 2, 2026) and Mistral’s consolidation under Apache 2.0 (December 2025) suggest competitive pressure is pushing toward genuinely open licensing — possibly influenced by the AI Act’s incentive structure.
These assessments reflect licence terms and publicly available compute estimates as of April 2026. The Commission’s measurement methodology for MoE FLOPs is pending. Organizations should verify current licence terms before relying on this assessment.
What Happens When Open-Source Models Enter High-Risk Systems?
The Art. 53(2) exemption benefits the GPAI model provider. It does not benefit the downstream deployer.
If an organization takes an open-source GPAI model — even one that qualifies for the exemption — and deploys it in a high-risk AI system under Annex III, the full Chapter III obligations apply. Risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), conformity assessment (Art. 43), and human oversight (Art. 14) are all required.
The supply chain dynamics matter here. Under Art. 25, a deployer who substantially modifies an AI system — including by fine-tuning a model beyond its intended purpose or rebranding it — becomes a provider with full provider obligations. The Commission’s July 2025 Guidelines indicate that fine-tuning exceeding one-third of the base model’s training compute may trigger this provider shift. This threshold comes from non-binding guidelines, not the Regulation itself, but it signals how the AI Office interprets the rule.
Three Scenarios: What Do You Actually Need to Do?
Scenario 1: Individual Developer Releasing a GPAI Model
You train a 7B-parameter model and publish it on Hugging Face under MIT licence. You do not charge for it. You do not restrict its use.
Your obligations:
- You are a GPAI provider under Art. 53
- Your model likely qualifies for the open-source exemption (MIT meets all four criteria, no monetization, well below 10^25 FLOPs)
- You are exempt from technical documentation (Art. 53(1)(a)) and downstream information (Art. 53(1)(b))
- You must still publish a training data summary using the Commission’s template
- You must still maintain a copyright compliance policy
- Prohibited practices apply to your model’s use
What to do: Publish the training data summary alongside your model on Hugging Face. Document your copyright compliance approach. The Hugging Face + Mozilla + Linux Foundation guide provides a practical walkthrough.
Scenario 2: Company Building a Product on an Open-Source Model
You integrate Mistral 7B (Apache 2.0) into a hiring tool that screens job applications. You deploy it for EU clients.
Your obligations:
- You are not the GPAI provider — Mistral AI is
- Your hiring tool is a high-risk AI system under Annex III (employment, worker management)
- The open-source exemption provides you no relief — full Chapter III obligations apply
- You must complete a conformity assessment, implement risk management, ensure data governance, provide human oversight, and register in the EU database
- If you fine-tune Mistral 7B using more than one-third of its original training compute, the Commission may consider you a new GPAI provider
What to do: Treat this exactly as you would a proprietary model. The open-source licence helps your procurement cost. It does not reduce your compliance burden.
Scenario 3: Organization Releasing a Proprietary Model as Open Source
Your company develops a proprietary model, then decides to release it under Apache 2.0 to build an ecosystem.
Your obligations:
- You become a GPAI provider the moment you make the model available
- If your licence meets all four criteria and you do not monetize: Art. 53(2) exemption applies
- If you offer a paid API alongside the open release, or use a dual licence (free for some, paid for enterprise): the monetization condition in Recital 102 likely disqualifies the exemption
- If your model exceeds 10^25 FLOPs: no exemption regardless
- Training data summary and copyright compliance still required
What to do: Choose your licensing strategy carefully. Apache 2.0 qualifies. Your business model determines whether the exemption sticks — the moment you monetize the model, even indirectly, you may lose it.
How Does the PLD Treat Open-Source AI?
The Product Liability Directive (2024/2853) creates a parallel but narrower exemption. Article 2(2) excludes “free and open-source software that is developed or supplied outside the course of a commercial activity.”
The key difference: the PLD exemption turns on commercial activity, not licence terms. A model released under Apache 2.0 by a commercial entity (Mistral, Google, Alibaba) is covered by the PLD — even if it qualifies for the AI Act’s open-source GPAI exemption. Only truly non-commercial FOSS falls outside the PLD’s scope.
This means an open-source model can simultaneously qualify for reduced AI Act obligations (if the licence meets Art. 53(2) criteria) while remaining fully subject to product liability (if the provider is a commercial entity). The two exemptions do not align.
How Do Other Jurisdictions Treat Open-Source AI?
| Dimension | EU | US | UK | China |
|---|---|---|---|---|
| Open-source exemption? | Partial (Art. 53(2), GPAI models only) | No federal AI law; no distinction | No exemption in voluntary framework | No exemption — all public-facing models must file with CAC |
| Who benefits? | GPAI model providers meeting licence + monetization criteria | N/A | N/A | N/A |
| Systemic risk override? | Yes (10^25 FLOPs) | N/A (no binding threshold) | No binding threshold | Compute thresholds drafted but not published |
| High-risk downstream? | Full obligations regardless | Varies by state | Principles apply equally | Filing required regardless |
| PLD/liability exemption? | Non-commercial FOSS only (PLD Art. 2(2)) | State-by-state; product/service distinction unsettled for software | Under review | No specific exemption |
The EU is the only jurisdiction that creates a formal regulatory distinction for open-source AI models. The US treats all models alike under existing law (FTC authority, state-level rules). The UK’s voluntary framework applies principles equally. China requires CAC filing for all publicly available generative AI services regardless of licence — 796 services have filed as of February 2026.
What Should You Do?
1. Determine your role. Are you a GPAI model provider, a downstream AI system provider, or a deployer? The open-source exemption only helps GPAI model providers. If you deploy open-source models in high-risk systems, the exemption provides no relief.
2. Assess your licence against the four criteria. Does it permit unrestricted use, parameter access, modification, and redistribution? If any criterion fails, the exemption does not apply. Use the model table above as a starting point.
3. Check the systemic risk threshold. If your model’s training compute exceeds 10^25 FLOPs, the exemption disappears. Watch for the Commission’s delegated acts on MoE FLOPs counting methodology.
4. Evaluate your monetization model. Even with a qualifying licence, monetizing the model — through paid APIs, dual licensing, hosted-access fees, or personal data conditioning — can disqualify the exemption under Recital 102.
5. Monitor Commission guidance. The definition of “open source” under the AI Act is not identical to OSAID, traditional open-source definitions, or “open weights.” The Commission may issue further guidance. The Digital Omnibus (trilogue expected April 28, 2026) does not change the open-source provisions, but future legislative amendments could.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. The EU AI Act’s open-source provisions involve contested interpretations that may evolve with Commission guidance and enforcement practice. Organizations should consult qualified legal counsel. Reg Intel is not a law firm and does not provide legal services.
Last verified: April 10, 2026
Sources
Official Sources
- Regulation (EU) 2024/1689 — EU AI Act, Art. 53(2)
- Commission Guidelines on GPAI Model Provider Obligations, C(2025) 5045, July 2025
- GPAI Code of Practice — Final, July 10, 2025
- Training Data Summary Template, July 24, 2025
- OSAID v1.0 — Open Source AI Definition, October 28, 2024
Analysis and Commentary
- Hugging Face + Mozilla + Linux Foundation, “What Open-Source Developers Need to Know”, August 4, 2025
- Orrick, “The EU AI Act: Application to Open-Source Projects”, updated July 25, 2025
- OpenForum Europe, “Understanding the AI Act & Open Source: Key Updates”, March 2025
- FOSS Force, “Avoid OSAID? Brock and Perens Reflect on a Year of Open Source AI Debate”, September 2025
- WCR Legal, “How AI Models Are Actually Licensed”, March 2026
- Lewis Silkin, “The Latest on the Digital Omnibus on AI”, April 1, 2026
Data Sources
- Meta Llama Community License: 700M MAU threshold, competitor clause. Source: WCR Legal analysis
- Gemma 4 Apache 2.0 licence: Google blog announcement, April 2, 2026
- Mistral 3 Apache 2.0: Mistral announcement, December 2025
- DeepSeek-V3 training compute: Technical report, 2.788M H800 GPU hours
- CAC filing statistics: 796 national filings as of February 28, 2026. Source: CAC, March 17, 2026