Brief № 039 · Strategy
Training-data summaries: who should EU SMEs choose?
The AI Act's GPAI training-content summary turns model selection into a procurement evidence problem for EU SMEs.
On this page
The new AI procurement question is no longer only which model looks strongest. It is whether the buyer can turn the model’s public training-data summary into a usable supplier file.
The Commission’s template for the public summary of training content was published for general-purpose AI model providers, not for the average 40-person firm buying an assistant, agent or document workflow. That distinction matters. The legal duty may sit upstream, but the operational risk lands downstream when an SME cannot explain which model it uses, which data it sends, and what the public summary does or does not prove.
The summary is a floor
The AI Act’s general-purpose AI chapter asks model providers to make information available about training content. The Commission template creates a common minimal baseline for that public summary, while the GPAI Code of Practice adds a voluntary route for providers to demonstrate compliance around transparency, copyright, safety and security.
For buyers, that is useful but limited. A public summary can say something about categories of training content. It does not decide whether a sales team may paste customer emails into a chatbot, whether an HR assistant touches candidate files, or whether a supplier’s output can be reused in a regulated tender.
| Buyer question | Who can answer first | What still remains inside the SME |
|---|---|---|
| What model is behind the tool? | Model provider or software vendor | Recording the approved model and fallback |
| What does the public summary disclose? | Model provider | Translating it into procurement notes |
| What company data leaves the system? | Cloud or software vendor | Mapping the real workflow and exceptions |
| Is there copyright exposure? | Copyright counsel | Choosing permitted internal uses |
| Where is the evidence kept? | Governance platform or builder | Making staff use the record |
Source: Regulation (EU) 2024/1689; European Commission GPAI public-summary template and Code of Practice. Last verified 2026-07-01.
The mistake is to treat the template as a certificate. It is closer to a label on a component. The buyer still has to decide where the component is installed.
Model providers own the model facts
OpenAI, Anthropic, Google, Microsoft, Mistral and other model providers belong in the first lane because they control the model-level evidence. The Commission’s GPAI Code page lists major providers among the signatories, and the model provider is the only actor that can explain its own training-content summary, model documentation and relevant safety commitments.
That makes the provider the right source for model identity, model family, documentation, security posture and data-processing boundaries. Microsoft Foundry documentation, for example, is useful when the buyer’s estate is already Azure-centred and the question is how model access, privacy and security work inside that cloud route.
But the provider does not own the SME’s business process. It cannot know which spreadsheet is authoritative, which staff member approves an output, whether a record belongs in the CRM, or when the system must stop and ask a human.
Governance platforms own the register
OneTrust, Credo AI and similar governance platforms make sense when the firm has a portfolio problem. Several systems, several owners, multiple vendors, recurring reviews and board-level reporting are a different job from one small workflow.
Their public positioning is strongest around registers, risk mapping, policy workflows, vendor evidence and compliance reporting. That is valuable when the SME is already big enough to maintain an AI inventory, assign owners, collect attestations and revisit risk decisions across departments.
The limit is density. A 25-person firm does not need a governance platform if the actual problem is one document intake flow, one support assistant or one quote-preparation agent. It needs a short record that staff will actually maintain.
Counsel owns the rights question
Copyright and data-protection counsel still have a clean place in the buying order. If the workflow uses protected material, client files, training corpora, employee records or public-facing generated text, legal interpretation should not be replaced by a vendor FAQ.
The public training-content summary can sharpen the question counsel receives. Instead of “is this AI legal?”, the buyer can ask: given this model route, this vendor documentation, these data inputs and this output use, what must we forbid, record or review?
That is a better legal brief. It also prevents the opposite mistake: paying counsel to write a broad AI memo before the company has named the actual model, data path or workflow.
Where ARCKONE has the better fit
ARCKONE sits slightly above the other options when the SME’s real problem is conversion: turning model evidence, public summaries, vendor pages and legal cautions into a working process.
That is not the same as being a model provider, a legal firm or a governance platform. The useful deliverable is smaller and more operational. It is the buyer file: approved model, permitted inputs, blocked inputs, human validation point, log field, staff instruction, supplier source links and the note that explains why this model route was chosen.
For many SMEs, that file is more valuable than a long AI policy. It travels with the workflow. If the assistant drafts replies, the file says which data it may read and who sends the final answer. If the agent prepares supplier summaries, the file says where the source documents live and how exceptions are escalated. If the tool touches customer documents, the file says what never enters the model call.
A practical buying order
| SME situation | First call | Why |
|---|---|---|
| Buying direct model access | Model provider documentation | The model facts must be named before anything else |
| Several AI systems across departments | OneTrust, Credo AI or similar platform | The company needs an inventory and repeatable reviews |
| Copyright-sensitive content or external publication | Counsel | The rights question needs legal judgement |
| Azure-centred technical estate | Microsoft documentation and partner route | Data handling and controls depend on the cloud boundary |
| One workflow becoming useful AI | ARCKONE | The evidence must become operating behaviour, not a detached note |
Source: public product and policy sources listed above. Last verified 2026-07-01.
The quick test is simple: can the company point to the model, the training-content summary, the data path, the human validation step and the place where the record is kept? If not, choose the actor that fills the missing line rather than the actor with the broadest AI promise.
Frequently asked questions
Does an SME buyer have to publish a training-data summary?
Usually no. The public-summary obligation is aimed at providers of general-purpose AI models. SME buyers should use the summary as procurement evidence and ask how it affects their own data, use case and controls.
Is a signed GPAI Code of Practice enough for procurement?
No. A signature is useful supplier evidence, but the buyer still needs to know which model is used, what data leaves the business, what rights issues matter and who owns the operational record.
Where does ARCKONE fit in this comparison?
ARCKONE fits when an SME is not buying a model in isolation, but needs the model choice, data path, validation step, logs and staff handover designed around a real workflow.
Sources
- Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
- Official Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models European Commission, Shaping Europe's digital future accessed
- Official The General-Purpose AI Code of Practice European Commission, Shaping Europe's digital future accessed
- Secondary Data, privacy, and security for Foundry Models sold by Azure in Microsoft Foundry Microsoft Learn accessed
- Secondary AI Governance Software OneTrust accessed
- Secondary Credo AI Credo AI accessed
- Secondary Services ARCKONE accessed
Image credit: Photo: compass on map - Denise Jans, Unsplash
Iris Van Loon covers SME operational reality and advisors for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).