Compliance of OpenAI’s GPT-5 with EU AI Regulations
As the development of artificial intelligence continues to advance, the legal frameworks governing such technologies are becoming increasingly stringent. One significant piece of legislation is the EU AI Act, which establishes requirements for developers of general purpose AI models (GPAIs), including OpenAI’s latest model, GPT-5.
Training Data Disclosure Requirements
Under the EU AI Act, developers are mandated to publish summaries of the data used for training their models. This includes providing a list of the most relevant domain names crawled for data collection and any publicly available datasets utilized.
In July 2025, the AI Office of the EU released a template outlining these necessary disclosures. Notably, models released before August 2, 2025 have until 2027 to comply, while those introduced after this date are expected to adhere immediately.
OpenAI launched GPT-5 on August 7, 2025, just five days after the EU’s compliance deadline. However, as of now, OpenAI has not provided the required summary of GPT-5’s training data, raising questions about compliance.
Lack of Transparency
Attempts to obtain information regarding GPT-5’s compliance with the EU Act have been unsuccessful. OpenAI has not responded to inquiries about the model’s adherence to the training data disclosure requirements. Notably, CEO of LatticeFlow, Petar Tsankov, highlighted that OpenAI has yet to publish a training-data summary or a copyright policy for GPT-5.
Despite this lack of disclosure, OpenAI has signed the EU’s code of practice for GPAI developers, which encourages publishing a copyright policy. Nevertheless, there is no indication that such a policy has been made available for ChatGPT.
Systemic Risk Considerations
Tsankov also indicated that GPT-5 likely exceeds the threshold to be classified as a systemic risk model under the AI Act. This classification would require OpenAI to conduct comprehensive evaluations of the model and address potential systemic risks. However, there is currently no public evidence demonstrating that these evaluations have been undertaken.
It is essential to note that while the AI Act mandates evaluations for systemic risk models, there is no legal obligation for OpenAI to publicly disclose these assessments.
Regulatory Ambiguity
The European Commission has stated that whether GPT-5 complies with training data disclosures will depend on its classification as a new model under the AI Act. The AI Office is still analyzing this based on various non-public technical details.
OpenAI promotes GPT-5 as a new model, with Sam Altman comparing its significance to the Manhattan Project, the historic initiative responsible for developing the atomic bomb during WWII.
If the EU’s AI Office determines that GPT-5 is indeed a new model, OpenAI may find itself in a complex situation. Although immediate compliance may not be enforced until August 2026, the pressure for adherence to the Act’s rules is mounting.
As Tsankov aptly describes, the situation is akin to a speed limit sign that is already in place yet lacks active enforcement: exceeding the limit constitutes a violation, but consequences will not arise until enforcement begins.
As the landscape of AI continues to evolve, the implications of compliance with regulations such as the EU AI Act will be critical for developers like OpenAI.
