Open source and the EU AI Act is one of the most misunderstood topics in current compliance discussions. Many teams hear "open source" and assume full exemption. In practice, obligations depend on role, deployment context, and whether systems/models are placed on market or used in high-impact workflows.
The key distinction: publication vs deployment
Publishing code or weights under an open license is not the same as deploying an AI system in a consequential context. Even where certain open-source pathways reduce direct obligations, organizations may still incur deployer or provider responsibilities depending on commercialization, integration depth, and use impact.
Practical risk scenarios for open-source adopters
Direct embedding in a customer-facing product
If outputs affect users materially, governance expectations increase.
Fine-tuning or substantial modification
Role and responsibility can shift when behavior is materially altered.
Use in rights-sensitive workflows
Employment, eligibility, or safety-adjacent contexts may trigger stronger controls regardless of licensing model.
SME control baseline for open-source AI
- maintain model/system inventory with source provenance,
- document intended purpose and known limitations,
- define approved and prohibited deployment contexts,
- implement oversight and escalation controls,
- log updates and substantial modifications,
- reassess risk after major version/model changes.
Procurement and partner expectations
Even where legal exposure is limited, enterprise buyers typically expect evidence of governance maturity: transparency controls, incident pathways, and documentation quality. Open-source provenance without operating controls is rarely sufficient in diligence reviews.
Common mistakes
- Equating open source with zero compliance obligations.
- No process to reassess after model updates.
- Missing documentation of downstream deployment context.
- Treating license compliance as governance compliance.
Final takeaway
Open source can support innovation and accessibility, but it does not remove accountability for high-impact deployment choices. Treat exemptions as scoped legal conditions — and run governance as an operational discipline.