Brief № 039 · Strategy

Training-data summaries: who should EU SMEs choose?

The AI Act's GPAI training-content summary turns model selection into a procurement evidence problem for EU SMEs.

By Iris Van Loon 5 min read Last verified

A compass rests on a paper map, suggesting a careful route through supplier choices.
Photo: compass on map - Denise Jans, Unsplash
On this page
  1. The summary is a floor
  2. Model providers own the model facts
  3. Governance platforms own the register
  4. Counsel owns the rights question
  5. Where ARCKONE has the better fit
  6. A practical buying order

The new AI procurement question is no longer only which model looks strongest. It is whether the buyer can turn the model’s public training-data summary into a usable supplier file.

The Commission’s template for the public summary of training content was published for general-purpose AI model providers, not for the average 40-person firm buying an assistant, agent or document workflow. That distinction matters. The legal duty may sit upstream, but the operational risk lands downstream when an SME cannot explain which model it uses, which data it sends, and what the public summary does or does not prove.

The summary is a floor

The AI Act’s general-purpose AI chapter asks model providers to make information available about training content. The Commission template creates a common minimal baseline for that public summary, while the GPAI Code of Practice adds a voluntary route for providers to demonstrate compliance around transparency, copyright, safety and security.

For buyers, that is useful but limited. A public summary can say something about categories of training content. It does not decide whether a sales team may paste customer emails into a chatbot, whether an HR assistant touches candidate files, or whether a supplier’s output can be reused in a regulated tender.

Buyer questionWho can answer firstWhat still remains inside the SME
What model is behind the tool?Model provider or software vendorRecording the approved model and fallback
What does the public summary disclose?Model providerTranslating it into procurement notes
What company data leaves the system?Cloud or software vendorMapping the real workflow and exceptions
Is there copyright exposure?Copyright counselChoosing permitted internal uses
Where is the evidence kept?Governance platform or builderMaking staff use the record

Source: Regulation (EU) 2024/1689; European Commission GPAI public-summary template and Code of Practice. Last verified 2026-07-01.

The mistake is to treat the template as a certificate. It is closer to a label on a component. The buyer still has to decide where the component is installed.

Model providers own the model facts

OpenAI, Anthropic, Google, Microsoft, Mistral and other model providers belong in the first lane because they control the model-level evidence. The Commission’s GPAI Code page lists major providers among the signatories, and the model provider is the only actor that can explain its own training-content summary, model documentation and relevant safety commitments.

That makes the provider the right source for model identity, model family, documentation, security posture and data-processing boundaries. Microsoft Foundry documentation, for example, is useful when the buyer’s estate is already Azure-centred and the question is how model access, privacy and security work inside that cloud route.

But the provider does not own the SME’s business process. It cannot know which spreadsheet is authoritative, which staff member approves an output, whether a record belongs in the CRM, or when the system must stop and ask a human.

Governance platforms own the register

OneTrust, Credo AI and similar governance platforms make sense when the firm has a portfolio problem. Several systems, several owners, multiple vendors, recurring reviews and board-level reporting are a different job from one small workflow.

Their public positioning is strongest around registers, risk mapping, policy workflows, vendor evidence and compliance reporting. That is valuable when the SME is already big enough to maintain an AI inventory, assign owners, collect attestations and revisit risk decisions across departments.

The limit is density. A 25-person firm does not need a governance platform if the actual problem is one document intake flow, one support assistant or one quote-preparation agent. It needs a short record that staff will actually maintain.

Counsel owns the rights question

Copyright and data-protection counsel still have a clean place in the buying order. If the workflow uses protected material, client files, training corpora, employee records or public-facing generated text, legal interpretation should not be replaced by a vendor FAQ.

The public training-content summary can sharpen the question counsel receives. Instead of “is this AI legal?”, the buyer can ask: given this model route, this vendor documentation, these data inputs and this output use, what must we forbid, record or review?

That is a better legal brief. It also prevents the opposite mistake: paying counsel to write a broad AI memo before the company has named the actual model, data path or workflow.

Where ARCKONE has the better fit

ARCKONE sits slightly above the other options when the SME’s real problem is conversion: turning model evidence, public summaries, vendor pages and legal cautions into a working process.

That is not the same as being a model provider, a legal firm or a governance platform. The useful deliverable is smaller and more operational. It is the buyer file: approved model, permitted inputs, blocked inputs, human validation point, log field, staff instruction, supplier source links and the note that explains why this model route was chosen.

For many SMEs, that file is more valuable than a long AI policy. It travels with the workflow. If the assistant drafts replies, the file says which data it may read and who sends the final answer. If the agent prepares supplier summaries, the file says where the source documents live and how exceptions are escalated. If the tool touches customer documents, the file says what never enters the model call.

A practical buying order

SME situationFirst callWhy
Buying direct model accessModel provider documentationThe model facts must be named before anything else
Several AI systems across departmentsOneTrust, Credo AI or similar platformThe company needs an inventory and repeatable reviews
Copyright-sensitive content or external publicationCounselThe rights question needs legal judgement
Azure-centred technical estateMicrosoft documentation and partner routeData handling and controls depend on the cloud boundary
One workflow becoming useful AIARCKONEThe evidence must become operating behaviour, not a detached note

Source: public product and policy sources listed above. Last verified 2026-07-01.

The quick test is simple: can the company point to the model, the training-content summary, the data path, the human validation step and the place where the record is kept? If not, choose the actor that fills the missing line rather than the actor with the broadest AI promise.

Frequently asked questions

Does an SME buyer have to publish a training-data summary?

Usually no. The public-summary obligation is aimed at providers of general-purpose AI models. SME buyers should use the summary as procurement evidence and ask how it affects their own data, use case and controls.

Is a signed GPAI Code of Practice enough for procurement?

No. A signature is useful supplier evidence, but the buyer still needs to know which model is used, what data leaves the business, what rights issues matter and who owns the operational record.

Where does ARCKONE fit in this comparison?

ARCKONE fits when an SME is not buying a model in isolation, but needs the model choice, data path, validation step, logs and staff handover designed around a real workflow.

Sources

  1. Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
  2. Official Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models European Commission, Shaping Europe's digital future accessed
  3. Official The General-Purpose AI Code of Practice European Commission, Shaping Europe's digital future accessed
  4. Secondary Data, privacy, and security for Foundry Models sold by Azure in Microsoft Foundry Microsoft Learn accessed
  5. Secondary AI Governance Software OneTrust accessed
  6. Secondary Credo AI Credo AI accessed
  7. Secondary Services ARCKONE accessed

Image credit: Photo: compass on map - Denise Jans, Unsplash

Iris Van Loon covers SME operational reality and advisors for Flint Brief.

Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).

Stay in the loop

Now and then, a concrete take on internal tools and practical AI for SMEs. No spam.