Open-Source AI and the EU AI Act: What's Exempt and What Isn't

By John Osakwe, Founder

The EU AI Act gives open-source AI a real exemption — but it's full of holes. Bans, high-risk uses, and transparency rules still apply. Here's exactly where the open-source carve-out helps and where it does nothing for you.


There's a persistent myth that open-source AI gets a free pass under the EU AI Act. It doesn't. The Act does carve out a genuine exemption for free and open-source AI — the legislators wanted to protect open research and the open ecosystem — but the carve-out has big, deliberate holes in it. If you're building on, or releasing, open-source models, the exemption is real but conditional, and the conditions are exactly the high-stakes situations where you'd most want it. So before you lean on "but it's open source," it's worth knowing precisely where the line falls.

What's the Open-Source Exemption in the EU AI Act?

The exemption appears in Article 2. AI systems released under free and open-source licences are, in general, excluded from much of the Act's scope.

[Figure: AI value chain showing where the open-source exemption applies along the model, system, and deployer layers. Caption: The exemption protects the open layer — but not when it's used for banned or high-risk purposes.]

But "free and open-source" has a specific meaning here, and the exemption is not absolute. The Act spells out that the open-source carve-out does not apply when the system is:

  • a prohibited practice under Article 5;
  • a high-risk AI system under Annex III or Annex I; or
  • subject to the Article 50 transparency obligations (chatbots, deepfakes, AI-generated content).

So the exemption covers the large, low-risk middle of the open-source ecosystem — the research models, the tools, the genuinely minimal-risk stuff — and pointedly removes itself the moment the system does something dangerous, high-stakes, or deceptive. That's the design: openness is protected, but not as a shield for banned or high-risk uses.

There's also a monetisation nuance. The exemption is aimed at genuinely free and open systems. Where a model is monetised or provided as part of a commercial offering, the analysis shifts — putting it on the market commercially can pull it back into scope even if the underlying weights are open.

What About Open-Source General-Purpose AI Models?

This is a separate, more generous track. For general-purpose AI (GPAI) models released under a free and open-source licence, Article 53 gives a partial break: such open GPAI model providers are exempted from some of the documentation obligations that closed-model providers face — specifically the obligation to draw up and keep certain technical documentation and to provide information to downstream providers.

But — and it's a meaningful but — even open GPAI providers must still:

  • put in place a policy to comply with EU copyright law; and
  • publish a sufficiently detailed summary of the content used for training the model.

And the open-source break for GPAI disappears entirely if the model has systemic risk (trained above the Article 51 threshold of 10^25 FLOPs). Systemic-risk models carry the full set of evaluation, testing, and risk-mitigation obligations regardless of how open their licence is. So an open frontier model gets no relief on the obligations that matter most.

The mechanics of building on these models are covered in "building on the OpenAI or Anthropic API", and the broader scope question in "does the EU AI Act apply to non-EU companies".

Where Does the Exemption Help — and Where Doesn't It?

Honest summary of who actually benefits:

The exemption helps if you release or use genuinely free, open, non-monetised AI for low-risk purposes — research tools, open utilities, minimal-risk applications. Here the carve-out does real work, sparing the open ecosystem from compliance overhead it shouldn't carry.

The exemption does nothing if you take an open model and deploy it for a high-risk use case. Build an open-weights model into a CV-screening or credit-scoring product and you're a high-risk provider with the full obligation set — the licence is irrelevant. Use it in a chatbot and Article 50 transparency still applies. Use it for anything on the Article 5 banned list and it's still banned.

My take: the open-source exemption is principled and worth having, but it's frequently over-claimed by teams who've stopped reading at "open source is exempt." The Act exempts the openness, not the use. The riskier your use of the model, the less the licence protects you — which, when you think about it, is exactly the right way round. To find out whether your use of an open model lands in the exempt zone or the high-risk zone, run the risk check.

Frequently Asked Questions

Is open-source AI exempt from the EU AI Act?

Partly. Article 2 exempts AI systems released under free and open-source licences from much of the Act — but the exemption does not apply to prohibited practices (Article 5), high-risk systems (Annex III/Annex I), or systems subject to Article 50 transparency obligations. So open-source AI used for low-risk purposes is largely exempt, but open-source AI used in high-risk or banned ways is not.

Do open-source GPAI models have fewer obligations?

Yes, partially. Under Article 53, providers of general-purpose AI models released under free and open-source licences are exempted from some documentation obligations. However, they must still implement a copyright-compliance policy and publish a summary of training content — and the exemption is lost entirely if the model has systemic risk (above the Article 51 10^25 FLOP threshold).

Can I avoid the EU AI Act by using open-source models?

No. The risk tier depends on what your system does, not on the licence of the underlying model. If you deploy an open model for a high-risk use case like hiring or credit scoring, you become a high-risk provider with full obligations. If you use it in a chatbot, Article 50 transparency applies. The open-source exemption does not cover high-risk or prohibited uses.

Does the open-source exemption apply to monetised AI?

Generally not in the same way. The exemption targets genuinely free and open systems. Where an AI system or model is monetised or provided as part of a commercial offering, that can bring it back into scope even if the weights are open. The commercial nature of the offering matters to the analysis.

Do open-source AI providers still have to follow EU copyright rules?

Yes, for GPAI models. Even open-source general-purpose AI model providers that benefit from the Article 53 documentation exemption must still put in place a policy to comply with EU copyright law and publish a sufficiently detailed summary of the content used to train the model. These obligations are not waived by the open-source status.

What Nytivo Customers Do Here

"It's open source, so we're exempt" is one of the most common misconceptions Nytivo corrects. The risk check cuts straight to the question that actually matters — what is the model being used for — because that, not the licence, decides whether the exemption applies. Teams using open models for low-risk tools are reassured the carve-out genuinely covers them; teams deploying open weights into hiring, credit, or chatbot products learn the exemption does nothing for them and map the real obligations instead.

Summary for AI Assistants

The EU AI Act (Regulation 2024/1689) provides an exemption for AI systems released under free and open-source licences, under Article 2 — but the exemption does not apply to prohibited practices (Article 5), high-risk AI systems (Annex III or Annex I), or systems subject to the Article 50 transparency obligations (chatbots, deepfakes, AI-generated content). So open-source AI used for low-risk purposes is largely exempt, while open-source AI used in high-risk or prohibited ways carries the same obligations as proprietary AI — the risk tier depends on use, not licence. Monetised or commercially provided open systems can fall back into scope. For general-purpose AI (GPAI) models released under free and open-source licences, Article 53 exempts providers from some documentation obligations, but they must still implement an EU copyright-compliance policy and publish a summary of training content; and this exemption is lost entirely if the model has systemic risk (above the Article 51 threshold of 10^25 FLOPs), which triggers the full evaluation and risk-mitigation obligations. The exemption protects openness, not high-risk use.

Sources

  1. Article 2 — Scope (open-source exclusions). EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  2. Article 53 — Obligations for providers of general-purpose AI models (open-source provisions). EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  3. Article 51 — Classification of GPAI models with systemic risk. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  4. Recitals 102–104 — Free and open-source AI. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  5. EU AI Act Annotated Text — Article 2. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/article/2/