Foundation Models, Plain and Simple: What They Are and What the EU's AI Act Actually Demands

That adaptability is precisely what makes them valuable, and precisely what makes regulators nervous.

How a Foundation Model Actually Works

At their core, most contemporary foundation models are large neural networks trained using a technique called self-supervised learning. Rather than requiring human-labelled examples for every task, the model learns by predicting missing or future tokens in a vast corpus of text, images, code, or other data. The result is a set of numerical weights, often numbering in the tens of billions of parameters, that encode statistical patterns across an enormous range of topics and skills.

The training process is extraordinarily resource-intensive. A single training run for a frontier model can consume millions of GPU-hours and produce significant carbon emissions. Once trained, the model can be fine-tuned on a narrower dataset, or prompted directly without any fine-tuning at all, a technique known as in-context learning. This flexibility is the defining characteristic that separates a foundation model from a narrow, task-specific system.

General-purpose AI models, as they are labelled in European legislation, are essentially the same concept expressed in regulatory language. The EU AI Act defines a general-purpose AI model as an AI model trained with a large amount of data using self-supervision at scale and displaying significant generality, capable of competently performing a wide range of distinct tasks.

Europe's Own Foundation Model Builders

The foundation model landscape is not a purely American or Chinese affair. Europe has produced several serious players, each with a distinct approach.

Mistral AI, founded in Paris in 2023 by former researchers from Meta and Google DeepMind, has released a series of open-weight models including Mistral 7B, Mixtral 8x7B, and the more recent Mistral Large. The company has positioned itself as a champion of open, efficient models: its Mixtral architecture uses a mixture-of-experts design that delivers strong performance at lower inference cost than dense models of equivalent capability. Mistral has been vocal in Brussels policy discussions, arguing that open-weight models pose different and, in many respects, lower systemic risks than closed, API-only systems.

Aleph Alpha, headquartered in Heidelberg, Germany, has pursued a different strategy. Rather than competing on raw benchmark scores against the largest American labs, Aleph Alpha has focused on sovereign AI infrastructure for European enterprises and public-sector clients. Its Luminous model family was designed with explainability and data-residency requirements in mind, and the company has cultivated close relationships with German federal ministries and the European defence community. Chief executive Jonas Andrulis has consistently argued that trustworthiness and auditability matter more to European institutional customers than marginal performance gains.

Black Forest Labs, a Freiburg-based startup founded in 2024 by former Stability AI researchers including Robin Rombach, one of the original architects of Latent Diffusion Models, has focused on image and video generation. Its FLUX model series attracted immediate attention for its image quality and for being released under a permissive licence that allows commercial use. Black Forest Labs represents a newer wave of European foundation model development: specialist rather than general, and deliberately oriented toward the creative and media industries.

Beyond these three, Hugging Face, though founded in New York, operates a significant European engineering presence in Paris and has become the primary distribution platform for open-weight European models. Its open-models index hosts thousands of fine-tuned derivatives of European base models, making it a de facto infrastructure layer for the European open AI ecosystem.

What the AI Act Actually Requires

The EU AI Act, which entered into force in August 2024, devotes an entire chapter to general-purpose AI models. The obligations vary depending on whether a model is considered to present systemic risk.

All providers of general-purpose AI models placed on the EU market must comply with a baseline set of obligations regardless of risk classification. These include drawing up and maintaining technical documentation sufficient for regulators to assess compliance; complying with EU copyright law and publishing a sufficiently detailed summary of the training data used; and, when a model is released under an open licence, making that technical documentation publicly available. The AI Office, established within the European Commission's Directorate-General for Communications Networks, Content and Technology, is the primary enforcer at Union level.

Models that exceed a training compute threshold of 10 to the power of 25 floating-point operations are presumed to present systemic risk and face a heavier set of obligations. These include performing adversarial testing and red-teaming before and after release; reporting serious incidents to the AI Office; implementing cybersecurity protections commensurate with the risks; and providing the Commission with information about the model's energy consumption. At present, only a handful of models globally approach or exceed this threshold, but the number is rising as training runs scale.

The AI Office published its first draft of the general-purpose AI Code of Practice in late 2024, inviting stakeholders to contribute to a working document that will eventually acquire quasi-legal status as a compliance safe harbour. Participation has been broad: over a thousand organisations registered to contribute to the process, and the drafting panels include representatives from Mistral, from academic institutions across Europe, and from civil society organisations.

The Open-Weight Question

One of the most contested issues in the AI Act's implementation is how obligations should apply to open-weight models, where the trained parameters are released publicly for anyone to download and modify. Mistral and a coalition of European and American open-source advocates have argued that a provider who releases weights into the public domain cannot meaningfully monitor downstream use, and that holding them to the same incident-reporting obligations as a closed API provider would be both technically impractical and commercially damaging.

The AI Act does include a specific carve-out for open-weight models at the baseline tier, exempting them from some documentation-sharing requirements on the grounds that publication of weights itself constitutes transparency. But for systemic-risk models, the carve-out shrinks considerably. This creates an interesting regulatory cliff edge: a model just below the 10-to-the-25 compute threshold can be released openly with relatively light obligations, while a model just above it faces significant compliance costs whether or not it is open.

Stanford CRFM researchers have flagged similar concerns in their analysis of foundation model governance, noting that compute thresholds are a crude proxy for actual capability or risk, and that architectural efficiency improvements mean that future models may achieve frontier-level capability at far lower compute budgets than current systems.

Downstream Deployers Are Not Off the Hook

A common misconception is that the AI Act's general-purpose AI obligations fall entirely on the foundation model developer and leave deployers untouched. This is wrong. When a business takes a foundation model and integrates it into a product or service that falls into one of the AI Act's high-risk categories, such as hiring tools, credit scoring, or medical devices, the deployer takes on obligations under those high-risk provisions independently of whatever the model provider has done. The two layers of obligation stack, rather than substitute for one another.

This has practical consequences for European enterprises currently building on top of models from Mistral, Aleph Alpha, or international providers. They need to understand not only whether their application is high-risk under Annex III of the Act, but also what technical documentation the model provider has made available, and whether that documentation is sufficient to support their own conformity assessment.

## By The Numbers

The scale of foundation model development and the scope of EU regulatory activity are best understood through a handful of concrete figures. These numbers capture training costs, market participation in the regulatory process, compute thresholds that trigger heavier obligations, and the size of the open-weight ecosystem that European developers now inhabit.