Designated Systemic-Risk Model
designated-systemic · Risk classification
A general-purpose AI model that has been formally designated by the EU AI Office under Article 51(1)(b) as posing systemic risk, regardless of whether it meets the presumption thresholds.
Definition & scope
Designation is the formal regulatory act by which a GPAI model becomes subject to Article 55 obligations. Two paths: (1) presumption — automatic when training compute ≥10²⁵ FLOPs OR EU MAU ≥45M; or (2) explicit designation by the AI Office based on Annex XIII capability indicators. Once designated, the model is listed on a public register; its provider must comply with Art. 55 within prescribed timelines. Designation can be challenged but the burden is on the provider to show non-systemic status.
Definition and the Two Designation Pathways
Designation is the formal regulatory act under Regulation (EU) 2024/1689 that converts a general-purpose AI (GPAI) model into one subject to the heightened obligations of Art. 55. Two routes coexist. The presumption path triggers automatically when cumulative training compute reaches ≥10²⁵ FLOPs or EU monthly active users reach ≥45M, a bright-line rule chosen because compute is, as Sastry et al. argue, "detectable, excludable, and quantifiable" 1. The second is explicit designation by the AI Office under Art. 51(1)(b), drawing on the qualitative capability indicators of Annex XIII. The distinction matters legally: presumption attaches by operation of fact, whereas Art. 51(1)(b) designation is a discretionary administrative decision the provider may contest, bearing the burden of rebuttal.
How the Designation Mechanism Operates
The mechanism layers a quantitative trigger over a qualitative override. Compute functions as a proxy for capability rather than a direct risk measure; Heim and Koessler caution that thresholds should "only trigger further scrutiny, not determine risk measures alone" 2, which is precisely why Annex XIII preserves a discretionary path. Once a model crosses 10²⁵ FLOPs, the provider must notify and is presumed systemic; the AI Office may also reach below the threshold using Annex XIII indicators such as parameter count, benchmark performance, and reach. Designated models are entered on a public register, and Art. 55 timelines begin. Capability-evaluation research, including Phuong et al.'s dangerous-capability evaluations finding "early warning signs" 3, supplies the evidentiary substance the qualitative path is meant to weigh.
Governance Relevance and Engaged Provisions
Designation is the gateway that activates the EU AI Act's most demanding GPAI duties. A model designated under Art. 51(1)(b) becomes bound by Art. 55, which adds model evaluation, systemic-risk assessment and mitigation, incident reporting, and cybersecurity protections on top of the baseline GPAI transparency duties. The compute trigger relies on accurate self-reporting, raising the intermediary questions explored by Heim et al., who argue "compute providers should have legal obligations" to record and report frontier training 4. Verification feasibility is likewise central: Wasil et al. survey methods that "could detect... unauthorized AI training" 5. Designation thus connects the static legal category in Regulation (EU) 2024/1689 to an enforcement chain spanning providers, cloud intermediaries, and the AI Office register.
Debates and Open Questions
Although the empirical status of the category is settled in law, its design is contested. The compute threshold is gameable: Pistillo and Villalobos identify "enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities" 6, letting providers stay below 10²⁵ FLOPs while retaining systemic capability. Definitional instability compounds this; Fernández-Llorca et al. trace how the Act's text shifted across "AI system, general purpose AI system, foundation model, and generative AI" 7, and Hulok notes autonomous generation "challenges legal categories of authorship, accountability, and control" 8. A global-equity concern also looms: Lehdonvirta et al. document a "Compute North" divide 9. Tellingly, no model has yet been designated via the explicit Art. 51(1)(b) path.
Use in governance
How instruments operationalise this concept
| Instrument | Jurisdiction | Status |
|---|---|---|
| EU AI Act | EU | in force |
Appears in topic articles
Editorial note
As of the catalog refresh date, no GPAI model has been publicly designated under the explicit pathway; all systemic-risk models so far have been by presumption thresholds. Track future designations via the AI Office register.
See also
Further reading
Sources on the broader topics this concept relates to — complementing, not standing in for, the primary sources cited inline above. 70 academic & grey-literature sources; catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- Defending Compute Thresholds Against Legal Loopholes Preprint✦ AIIdentifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
- Computing Power and the Governance of Artificial Intelligence Preprint✦ AIArgues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain".
- Training Compute Thresholds: Features and Functions in AI Regulation Preprint✦ AIFinds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone.
- Compute North vs. Compute South: The Uneven Possibilities of Compute-based AI Governance Around the Globe Peer-reviewed✦ AICensus of hyperscale cloud regions shows a divide between "Compute North" states hosting training-relevant compute and a Compute South, shaping who can wield compute-based governance.
- Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity Peer-reviewed✦ AIExamines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements.
- Evaluating Frontier Models for Dangerous Capabilities Preprint✦ AIPilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating.
- Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation Preprint✦ AIArgues 'compute providers should have legal obligations' to secure infrastructure, keep records, verify activity and report frontier training as regulatory intermediaries.
- Verification methods for international AI agreements Preprint✦ AISurveys '10 verification methods that could detect... unauthorized AI training... and unauthorized data centers', mapping the technical basis for compute-disclosure regimes.
+ 58 more across this concept's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Sastry, Heim, Belfield, Anderljung, Brundage, et al. (2024) Computing Power and the Governance of Artificial Intelligence, arXiv. arXiv:2402.08797 — Argues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain". ↩
- Heim & Koessler (2024) Training Compute Thresholds: Features and Functions in AI Regulation, arXiv. arXiv:2405.10799 — Finds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone. ↩
- Mary Phuong, Matthew Aitchison, Elliot Catt, et al. (Google DeepMind) (2024) Evaluating Frontier Models for Dangerous Capabilities, arXiv (cs.LG). arXiv:2403.13793 — Pilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating. ↩
- Lennart Heim, Tim Fist, Janet Egan, Sihao Huang, Stephen Zekany, Robert Trager, Michael A. Osborne, Noa Zilberman (2024) Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation, arXiv (cs.CY). arXiv:2403.08501 — Argues 'compute providers should have legal obligations' to secure infrastructure, keep records, verify activity and report frontier training as regulatory intermediaries. ↩
- Akash R. Wasil, Tom Reed, Jack William Miller, Peter Barnett (2024) Verification methods for international AI agreements, arXiv (cs.CY). arXiv:2408.16074 — Surveys '10 verification methods that could detect... unauthorized AI training... and unauthorized data centers', mapping the technical basis for compute-disclosure regimes. ↩
- Matteo Pistillo, Pablo Villalobos (2025) Defending Compute Thresholds Against Legal Loopholes, arXiv (cs.CY). arXiv:2502.00003 — Identifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds. ↩
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Martina Hulok (2025) The EU model of AI governance: regulating artificial intelligence through law and policy, ERA Forum. 10.1007/s12027-025-00869-1 — Analyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'. ↩
- Lehdonvirta, Wú & Hawkins (2024) Compute North vs. Compute South: The Uneven Possibilities of Compute-based AI Governance Around the Globe, AIES Proceedings. 10.1609/aies.v7i1.31683 — Census of hyperscale cloud regions shows a divide between "Compute North" states hosting training-relevant compute and a Compute South, shaping who can wield compute-based governance. ↩
- Regulation (EU) 2024/1689, Art. 51(1)(b) + Annex XIII
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/designated-systemic — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Social-science evidence — the “so-what”
What the peer-reviewed social science shows: whether the harm this concept addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
The category is real and coherently defined in primary law but the qualitative-designation instrument is so far unexercised. Article 51(1)(b) is the qualitative route — a GPAI model may be classified as systemic-risk "based on a decision of the Commission, ex officio or following a qualified alert from the scientific panel, [where] it has capabilities or an impact equivalent to" the high-impact threshold, "having regard to the criteria set out in Annex XIII" — deliberately decoupled from the 10^25 FLOP presumption that underpins the Article 51(2) path, giving the Commission/AI Office a compute-independent lever (Commission Guidelines, 2025; Annex XIII covers parameters, dataset quality/size, number of users, autonomy/tool-use, modalities and market reach). Caveat: as of mid-2026 there is no public record of any model designated via the (b) decision path — the regime has operated through the 51(2) compute presumption and provider self-notification, with Commission enforcement only beginning 2 August 2026 — so the distinct "designated" category remains a coherent-but-dormant legal construct rather than a demonstrated practice. (The dormancy claim is an absence-of-public-record observation, not a positively documented fact.)
Sources: EU AI Act Art. 51(1)(b), 51(2) & Annex XIII (Reg. (EU) 2024/1689, OJ L 2024/1689); European Commission 2025 (Guidelines on the scope of obligations for GPAI model providers under the AI Act, published 18 July 2025)
There is no impact evaluation showing that the (b)-designation regime, or the obligations it triggers, reduces systemic harm. The core obligation — Article 55 state-of-the-art model evaluation and adversarial testing, operationalised via the voluntary GPAI Code of Practice (AI Office, 2025) — rests on dangerous-capability evaluation science that is itself documented as facing fundamental limits: evaluations can establish lower bounds on capabilities but cannot establish upper bounds, reliably forecast future capabilities, or robustly assess autonomous-system risk (Barnett & Thiergart 2024, arXiv:2412.08653), and their predictive value for deployment risk is contested (Mukobi 2024, arXiv:2408.02565). The evidence that this governance lever works is essentially absent: the designation mechanism is unexercised, and its downstream evaluation obligations lack any replicated demonstration of harm reduction.
Sources: EU AI Act Art. 55 (Reg. (EU) 2024/1689); EU AI Office 2025 (General-Purpose AI Code of Practice, final version, published 10 July 2025); Mukobi 2024 (Reasons to Doubt the Impact of AI Risk Evaluations, arXiv:2408.02565); Barnett & Thiergart 2024 (What AI evaluations for preventing catastrophic risks can and cannot do, arXiv:2412.08653)