Journal article
The regulation of fine-tuning: federated compliance for modified general-purpose AI models
- Abstract:
- This paper addresses the regulatory and liability implications of modifying general-purpose AI (GPAI) models under the EU AI Act and related legal frameworks. We make five principal contributions to this debate. First, the analysis maps the spectrum of technical modifications to GPAI models and proposes a detailed taxonomy of these interventions and their associated compliance burdens. Second, the discussion clarifies when exactly a modifying entity qualifies as a GPAI provider under the AI Act, which significantly alters the compliance mandate. Third, we develop a novel, hybrid legal test to distinguish substantial from insubstantial modifications that combines a compute-based threshold with consequence scanning to assess the introduction or amplification of risk. Fourth, the paper examines liability under the revised Product Liability Directive (PLD) and tort law, arguing that entities substantially modifying GPAI models become “manufacturers” under the PLD and may face liability for defects. The paper aligns the concept of “substantial modification” across both regimes for legal coherence and argues for a one-to-one mapping between “new provider” (AI Act) and “new manufacturer” (PLD). Fifth, the recommendations offer concrete governance strategies for policymakers and managers that propose a federated compliance structure, based on joint testing of base and modified models, implementation of Failure Mode and Effects Analysis and consequence scanning, a new database for GPAI models and modifications, robust documentation, and adherence to voluntary codes of practice. The framework also proposes simplified compliance options for SMEs while maintaining their liability obligations. Overall, the paper aims to map out a proportionate and risk-sensitive regulatory framework for modified GPAI models that integrates technical, legal, and wider societal considerations.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
Actions
Access Document
- Files:
-
-
(Preview, Version of record, pdf, 1.8MB, Terms of use)
-
- Publisher copy:
- 10.1016/j.clsr.2025.106234
Authors
- Publisher:
- Elsevier
- Journal:
- Computer Law & Security Review More from this journal
- Volume:
- 60
- Article number:
- 106234
- Publication date:
- 2025-12-02
- DOI:
- EISSN:
-
2212-4748
- ISSN:
-
2212-473X
- Language:
-
English
- Keywords:
- Pubs id:
-
2349488
- Local pid:
-
pubs:2349488
- Deposit date:
-
2026-04-29
- ARK identifier:
Terms of use
- Copyright holder:
- Hacker and Holweg
- Copyright date:
- 2025
- Rights statement:
- © 2025 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/).
If you are the owner of this record, you can report an update to it here: Report update to this record