It’s not clear if OpenAI is complying with the AI Act’s training data disclosure requirements for GPT-5, the newest model powering its popular chatbot – though the EU will not start enforcing the rule until next year.
The EU’s AI law lays down a number of requirements for developers of general purpose AI models (GPAIs), like OpenAI’s GPT-5 – including requiring that they publish summaries of the data used for training them.
In July, the AI Office – the EU body which supervises GPAI developers – published a template setting out the information they must provide. The compliance tool requires a summary of the “most relevant domain names” crawled for collecting training data, as well as the names of any publicly available datasets used.
While models released before 2 August 2025 have until 2027 to comply with the disclosures, models released after that date are expected to comply immediately.
The dates are pertinent as OpenAI released GPT-5, the newest ChatGPT model, on 7 August 2025 – five days after the EU deadline. But, so far, OpenAI does not appear to have produced the required summary of GPT-5’s training data.
Euractiv was unable to find this information on its website. OpenAI also did not respond to repeated questions about the model’s compliance with these AI Act requirements or where to find information about GPT-5’s training data.
“To date, OpenAI has not published a training-data summary or a copyright policy for GPT-5,” Petar Tsankov, CEO of AI compliance company LatticeFlow, told Euractiv.
Despite this, OpenAI has signed the EU’s code of practice for general purpose AI model developers – which encourages signatories to at least publish the copyright policy they must draw up for their models. But, so far, ChatGPT’s maker does not appear to have done this.
Systemic risk
Additionally, according to Tsankov, GPT-5 also “almost certainly” exceeds the threshold to be considered a “systemic risk” model under the AI Act. This would mean OpenAI must perform “state of the art” model evaluations and deal with possible systemic risks, too. “Again, no public evidence has been shared of these steps,” he noted.
It is worth noting, though, that there is no legal requirement on OpenAI to make a public disclosure of any systemic risk evaluations that it is required to undertake under the Act.
When asked whether GPT-5 is complying with the AI Act training data disclosures, the European Commission told Euractiv that it depends on whether the technology is considered a new model under the law’s rules.
It added that the AI Office is still analysing whether this is the case based on various non-public technical details.
For its part, OpenAI has marketed GPT-5 as a new model. Company boss Sam Altman even raised the AI hype stakes by comparing it to the Manhattan Project – a reference to the top secret US military-scientific programme to research and develop the atomic bomb during World War II.
Should the EU’s AI Office end up deciding that GPT-5 is indeed a new model – and, therefore, that the Act’s rules already apply to it – OpenAI can still avoid breaking a sweat because it doesn’t need to worry about compliance immediately; the AI Office will only start enforcement on this in August 2026.
“Think of it like a speed limit sign that’s already in place, but without police enforcement yet,” LatticeFlow’s Tsankov explained. “If you exceed the limit, you are technically in violation – but you won’t get in trouble until enforcement starts.”
(nl, vc)