The EU AI Act: Application to Open-Source Projects

3 minute read | September.13.2024

Updated July.25.2025

This update is part of our EU AI Act Series. Learn more about the EU AI Act here.

The EU AI Act only regulates certain covered AI-related technologies — AI systems and General-Purpose AI Models (GPAIMs).

We are often asked whether the AI Act’s definitions and obligations apply to open-source projects and the answer is often “yes.”

Open-Source Exception for AI Systems are Surprisingly Limited

Article 2 of the AI Act states that the regulation does not apply to AI systems released under free and open-source licenses.

However, this exception does not apply to AI systems placed on the market or put into service in the EU as Prohibited AI or High-Risk AI, or AI systems that otherwise interact directly with individuals or expose individuals to AI-generated content (Individual-User-Facing AI). Given that these types of AI systems are collectively subject to most of the obligations under the Act, the open-source AI system exception ultimately has little practical effect.

Open-Source Exception for GPAIMs is Broader, but still Limited

In contrast, the AI Act provides an exception to GPAIMs released under free and open-source licenses that allow for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage are made publicly available. This exception, however, only applies in relation to two obligations imposed on GPAIM providers: (i) drawing up technical documentation on the model, and (ii) making available certain information and documentation to providers of AI systems who intend to integrate the GPAIM into the system. Other obligations remain intact. In addition, the exemption is not available for GPAIMs with systemic risk.

What Definition of “Open-Source” is Adopted by the AI Act?

The Act does not include a definition of the concept of “open-source,” and therefore, the European Commission has some flexibility in interpreting this concept when enforcing the law.

Recital 102, which is not legally binding but is indicative of the legislators’ intent, describes open-source as software and data, including models, released under a free and open-source license “that allows them to be openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market and can provide significant growth opportunities for the Union economy.”

The open-source exemption for GPAIM, set out at Article 53(2), states that the open-source license should allow for “the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available.”

In its recently published guidelines relating to the Act’s GPAIM provider obligations, the Commission clarifies that it understands “usage” in the open-source context, “to mean that the license guarantees that the original provider will not use their intellectual property rights to restrict the use of the model, or charge for its use.”

Significantly, the guidelines go on to allow for the possibility of some usage restrictions being imposed by GPAIM providers in their licenses. Specifically, licensors may include “safety-oriented” terms that “reasonably restrict usage in applications or domains” where model use could pose a significant risk to public interests like health, security and safety. This position was not included in the original draft guidelines circulated by the Commission and thus represents a change in position for the regulator.

What Does This Mean for Your Open-Source AI Strategy?

Organizations that develop or plan to develop or use open-source AI technologies should consider the following:

The open-source exemptions to the AI Act are limited, so compliance with the AI Act may be required even if an AI system or model is licensed under a free and open-source license.
An organization may nonetheless still benefit from a lessened compliance burden where AI systems it develops or deploys are subject to free and open-source licenses, and are not otherwise monetized (including through the provision of technical support or other services).
There can also be other benefits of releasing open-source AI systems and models (including bolstering innovation and deployment, enhancing the provider’s reputation and spotlighting other paid services offered by the provider), as well as using open-source AI systems and models (including potential cost and time savings, ease of availability and heightened insights into model parameters, weights and architecture).
However, just like any open-source software, there are also potential drawbacks:
- Open-source licenses will typically disclaim all warranties and liabilities.
- An increasing number of providers are releasing models under “open-source” licenses that actually impose a fair number of restrictions uncommon in traditional open-source software licenses (e.g., additional commercial terms for large companies). The European Commission has indicated that some limited restrictions may be permitted in relation to open-source GPAI models. However, since the regulator has now clarified its interpretation of “open-source”, we can expect strict application of its approach.
- Open-source AI systems and models are often made available on public websites and repositories, which presents a heightened risk for downloading harmful files.
- Licenses may include copyleft provisions or quick termination triggers that could impact the long-term viability of the solution or IP rights and configurations.
- It may be difficult to answer questions regarding the data used to train the AI system or model, or how the AI technology works. This issue might be mitigated, however, if the model in question is a GPAIM and the provider has adhered to the GPAIM Code of Practice and/or has published a summary of the content used for training the model (the template form is now available).

Regardless of the strategy the organization chooses in relation to open-source AI technologies, it will be important to ensure the AI compliance components are properly integrated with other related compliance procedures, including those relating to general open-source software.

Want to know more? Reach out to a member of our team.

The EU AI Act Series: Key Takeaways for Companies Using and Developing AI

Authors

Julia Apostle 合伙人, Technology Transactions, Cyber, Privacy & Data Innovation

巴黎

See my bio

D:+33153537500
E: japostle@orrick.com

Practice:

Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation
Artificial Intelligence (AI)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Julia Apostle 合伙人

巴黎

Julia counsels on compliance issues in relation to European and French tech and data regulations, including:

the GDPR;
the Digital Services Act;
the EU AI Act and the regulation of AI more generally,
the Data Act;
the Cyber Resilience Act;
the NIS2 Directive;

and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, product counseling and regulatory engagement.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick. Julia also teaches a course on AI contracts for the Master's program in AI Law at a leading French university and acts as a mentor for students.

Sarah Schaedler 合伙人, Technology & Innovation, Technology Transactions

旧金山

See my bio

D:+1 415 773 5474
E: sschaedler@orrick.com

Practice:

Technology & Innovation Sector
Technology & Innovation
Technology Transactions
知识产权
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Sarah Schaedler 合伙人

旧金山

Sarah’s practice focuses on structuring and negotiating the intellectual property aspects of complex corporate transactions, including mergers and acquisitions, business divestitures and commercial transactions where software and technology are the principal assets. Sarah also advises on intellectual property and technology contracts related questions in the context of Artificial Intelligence (AI).

Sarah routinely advises on carve-outs and business separation transactions and helps clients with structuring and implementing their intellectual property and technology separation roadmap.

Sarah has counseled several companies in their preparation for a divestiture and understands the issues a buyer is focused on in the context of intellectual property matters. She regularly helps companies implement remediation steps around their intellectual property assets to help them to a successful closing.

She has significant experience advising private equity funds on investments involving companies that are driven by technology & innovation, as well as intellectual property reliant consumer product companies and companies that are stepping into digitalization.

Sarah is also a member of Orrick’s AI leadership group and involved in thought leadership projects related to AI matters on corporate transactions.

Educated and trained in Germany, France and the United States, Sarah’s international experience provides her with additional knowledge on cross-border transactions and international matters.