Vancouver, Canada — The European Union’s AI Office has published its most detailed guidance yet on the regulatory expectations for foundation models under the EU Artificial Intelligence Act (AI Act), marking a pivotal moment in the staged rollout of the bloc’s sweeping AI framework. The guidance, aimed at both upstream developers and downstream deployers, clarifies that compliance responsibilities extend through the entire AI value chain, with an emphasis on high-risk applications such as identity verification, Know Your Customer (KYC) processes, fraud detection, and biometric authentication.
While foundation models have been widely celebrated for their adaptability and efficiency, the EU AI Office has made it clear that their general-purpose nature is no excuse for regulatory gaps. Whether these models are developed by a major U.S. tech firm, an EU-based AI lab, or an open-source consortium, any deployment in high-risk contexts within the EU will be subject to strict performance, transparency, and governance obligations.
The AI Office’s latest guidance is particularly significant for regulated industries, where downstream services integrate foundation models into decision-making processes that affect individuals’ legal rights, financial access, or physical security. In these scenarios, compliance is not just a matter of upstream assurances; it requires active oversight and testing by downstream deployers.
Understanding the EU’s Regulatory Position on Foundation Models
Foundation models are large-scale, pre-trained AI systems that can be adapted for a wide range of applications. They form the backbone of many downstream services, from automated loan assessments to biometric border controls. Under the AI Act, the developers of these models must meet transparency and documentation requirements. Still, the deployers who adapt them for specific purposes, particularly in high-risk sectors, must conduct their risk assessments, conformity checks, and monitoring.
The EU AI Office has now formally stated that compliance is a shared responsibility: upstream developers cannot “wash their hands” of downstream risks, and downstream deployers cannot rely solely on vendor claims of compliance.
This shared responsibility framework is intended to close loopholes where responsibility could otherwise be passed between parties, leading to gaps in oversight. It mirrors principles in other EU regulatory frameworks, such as GDPR’s joint controller obligations. It is expected to fundamentally change how AI model procurement, integration, and lifecycle management are approached in the EU market.
Key Elements of the New Guidance
1. Mandatory Technical Documentation Transfer
Developers must provide downstream deployers with detailed information about a foundation model’s architecture, training methodology, dataset sources, risk profiles, and performance metrics across relevant demographic groups. Downstream deployers must keep these records, adapt them to their operational context, and include them in their conformity assessment filings.
2. No Liability Laundering Through Contracts
While contracts may allocate operational responsibilities, they cannot eliminate legal obligations under the AI Act. Both parties remain directly accountable to regulators.
3. Context-Specific Testing Requirements
Even if a foundation model has been tested by its developer, downstream deployers must test it under real-world conditions relevant to their application. For example, a model used for verifying ID documents must be tested with authentic local document types, lighting conditions, and demographic variations.
4. Continuous Monitoring and Drift Detection
Deployers must monitor for model drift (changes in performance over time), especially when models are updated or retrained by the upstream developer.
5. Public AI Database Registration
High-risk deployments of foundation models must be listed in the EU’s public AI database, including details on both upstream and downstream entities.
Sector-Specific Compliance Implications
Financial Services
Banks using AI-driven fraud detection or credit scoring models must integrate AI governance checks into their vendor risk management processes. Procurement teams will need to request complete compliance documentation and ensure that models are tested for fairness, explainability, and reliability under operational conditions.
Identity and KYC Providers
These providers are in the direct path of enforcement, as identity verification is a designated high-risk use case. A KYC platform adapting a foundation model for biometric face matching will need to run localized accuracy tests, integrate human-in-the-loop reviews for borderline cases, and ensure that demographic bias is eliminated or mitigated.
E-Commerce
Platforms using AI to verify seller identities, detect counterfeit goods, or flag fraudulent transactions must confirm that the models they use meet the AI Act’s transparency and testing requirements.
Border and Travel Security
Government agencies and airlines using foundation models for passenger verification must confirm that systems work reliably across all demographic groups, avoid over-reliance on a single vendor’s performance claims, and maintain independent audit logs.
Case Study 1: Cross-Border Banking and Shared Liability
A large EU-based bank uses a biometric verification service that incorporates a U.S.-developed foundation model. The bank’s vendor provides a compliance statement. Still, under the new guidance, the bank must independently validate the model’s accuracy and fairness in its operational environment, including for customers in rural EU regions whose identity documents may be older or less machine-readable.
Case Study 2: E-Commerce Fraud Detection
A central e-commerce platform integrates a foundation language model to scan communications between buyers and sellers for scam patterns. While the upstream developer provides a list of known biases and error rates, the platform must conduct its testing to ensure that cultural and linguistic differences across EU member states do not lead to false positives that unfairly penalize legitimate sellers.
Strategic Recommendations from Amicus International Consulting
For Downstream Deployers
- Maintain a Model Registry — Track all foundation models in use, their origins, versions, and compliance documentation.
- Integrate AI Governance into Procurement — Require AI Act compliance proof as part of vendor onboarding.
- Test Locally, Not Just Globally — Conduct independent testing tailored to your operational jurisdiction and demographic profile.
- Create Feedback Loops — Develop processes that enable customers and end users to challenge or appeal AI-driven decisions.
For Upstream Developers
- Standardize Documentation — Provide a compliance packet for downstream partners containing all required technical and risk information.
- Support Downstream Testing — Offer tools and datasets to help deployers run localized performance checks.
- Communicate Updates Proactively — Notify downstream clients when retraining or model updates could alter compliance status.
Geopolitical and Competitive Context
The EU’s foundation model guidance is part of a broader trend in global AI regulation. The U.S. and UK are focusing on voluntary frameworks, while Singapore and Canada have begun shaping mandatory compliance rules. However, none currently match the AI Act’s enforceable obligations for foundation models.
This creates a competitive advantage for companies that meet EU standards early, as they will be prepared for similar frameworks elsewhere. Conversely, vendors who cannot meet the EU’s documentation and testing requirements risk losing access to one of the world’s largest markets.
Long-Term Outlook
Foundation models are likely to remain at the center of both innovation and regulatory scrutiny. As the AI Act moves toward full enforcement in 2026, the EU AI Office is expected to issue additional guidance refining the shared responsibility model and possibly expanding obligations for models with systemic impact.
For identity verification, KYC, and financial services, the guidance means compliance work must start now, not in 2026. The ability to demonstrate early adoption of AI Act principles could serve as both a regulatory shield and a market differentiator.
Amicus International Consulting advises all affected businesses to treat the AI Office’s guidance as a baseline for global AI governance strategy. The most resilient organizations will integrate upstream and downstream compliance into a single operational framework, ensuring that no part of the AI lifecycle is left without oversight.
Contact Information
Phone: +1 (604) 200-5402
Email: info@amicusint.ca
Website: www.amicusint.ca
