EU AI Act GPAI Code of Practice Explained (2026): What It Means for Model Providers (and What Buyers Should Ask For)

🇪🇺 The EU AI Act’s GPAI Code of Practice is now the global benchmark for responsible AI model development. If your organization develops, deploys, or procures General Purpose AI models in 2026, this code directly affects your compliance obligations, your procurement checklist, and your competitive position. This plain-English guide explains every key requirement — and what you need to ask for right now.

Last Updated: May 2, 2026

When the European Union passed the EU AI Act, it created the world’s first comprehensive legal framework for Artificial Intelligence — covering everything from low-risk chatbots to high-stakes autonomous systems used in hiring, credit scoring, and critical infrastructure. But one category of AI received particular attention: General Purpose AI (GPAI) models — the foundation models like GPT-4, Claude, Gemini, and Llama that power thousands of downstream applications across every industry and geography.

These models are uniquely challenging to regulate. They are not built for a single use case — they are designed to be adapted, fine-tuned, and deployed across an essentially unlimited range of applications by an essentially unlimited number of downstream operators. Regulating them requires a different approach from regulating a specific AI application. The EU’s answer is the GPAI Code of Practice — a structured set of transparency, safety, and accountability requirements that GPAI model providers must meet to demonstrate compliance with the EU AI Act.

This guide explains the GPAI Code of Practice in plain language — covering what it is, who it applies to, what the key requirements are, and what it means for organizations that develop, deploy, or procure AI systems built on GPAI models. Whether you are a model provider navigating compliance obligations or a business leader deciding which AI vendor to trust, this guide gives you the foundational knowledge to act with confidence in 2026.

1. 📋 What is the GPAI Code of Practice?

The GPAI Code of Practice is an industry-developed, EU-supervised compliance framework that translates the legal obligations of the EU AI Act into concrete, actionable technical and governance requirements for General Purpose AI model providers. It was developed through a structured multi-stakeholder process involving AI companies, civil society organizations, academic researchers, and EU regulators — making it one of the most broadly consulted AI governance documents ever produced.

The Core Purpose: The GPAI Code of Practice answers the practical question that every AI model provider was asking after the EU AI Act passed: “What exactly do we need to do to be compliant?” It translates the Act’s broad legal principles into specific, measurable technical and governance measures that can be implemented, audited, and verified.

According to the European Commission’s official EU AI Act documentation, the GPAI Code of Practice is not optional for model providers operating in the EU market. Compliance with the Code creates a presumption of compliance with the relevant GPAI provisions of the EU AI Act — making it the primary pathway to legal certainty for model providers.

The Difference Between the EU AI Act and the GPAI Code

| Dimension | EU AI Act | GPAI Code of Practice |
|---|---|---|
| Nature | Binding EU law | Industry-developed compliance framework supervised by EU regulators |
| Scope | All AI systems placed on or used in the EU market | Specifically GPAI model providers |
| Language | Legal principles and obligations | Specific technical and governance measures |
| Compliance Effect | Legal obligation — non-compliance = penalties | Compliance creates presumption of EU AI Act conformity |
| Developed By | European Parliament and Council | Industry, civil society, and academic stakeholders under EU supervision |

2. 🎯 Who Does the GPAI Code Apply To?

The GPAI Code of Practice applies to any organization that develops and places on the EU market a General Purpose AI model — regardless of where in the world that organization is headquartered. This extraterritorial reach is one of the most significant aspects of the EU AI Act’s GPAI provisions and has direct implications for US, UK, and Asian AI companies serving European markets.

The Three Tiers of GPAI Provider

The Code distinguishes between GPAI providers based on the scale and potential impact of their models, applying proportionate requirements to each tier:

| Provider Tier | Definition | Examples | Compliance Level |
|---|---|---|---|
| Systemic Risk GPAI | Models trained with compute exceeding 10²⁵ FLOPs | GPT-4, Claude 3, Gemini Ultra | Full Code obligations including adversarial testing |
| Standard GPAI | Models below the systemic risk threshold placed on the EU market | Smaller proprietary models, many open-weights models | Core transparency and documentation requirements |
| Open Source GPAI | Models released under an open license with publicly available weights | Llama 3, Mistral, Falcon | Reduced obligations — primarily documentation |

The systemic risk threshold — 10²⁵ FLOPs of training compute — is a technical measure of model scale. In practical terms, it captures the largest frontier models produced by major AI laboratories. As compute efficiency improves, this threshold is expected to be revised periodically to ensure it continues to capture the most capable and potentially impactful models.

3. 📖 The Four Pillars of the GPAI Code

The GPAI Code of Practice is organized around four interconnected pillars, each addressing a different dimension of responsible GPAI model development and deployment. Together, they represent the most comprehensive set of AI accountability requirements ever codified in a major regulatory framework.

Pillar 1: Transparency and Copyright

The first pillar requires GPAI model providers to publish detailed information about their models — enabling downstream operators, researchers, and regulators to understand what the model is, how it was built, and what its known limitations are. The primary instrument for this is the model technical documentation — a structured document that must cover:

  • Training Data Summary: A high-level description of the types and sources of data used to train the model, including the geographic distribution of data sources and the time period covered.
  • Data Governance Measures: The steps taken to ensure training data quality, identify and mitigate bias, and respect intellectual property rights — including which copyright frameworks govern data collection.
  • Compute Used for Training: The total training compute in FLOPs — the primary metric for determining whether the model crosses the systemic risk threshold.
  • Model Architecture: A description of the model’s architecture type, parameter count (where disclosed), and key technical design decisions.
  • Known Limitations and Risks: A documented assessment of the model’s known failure modes, biases, and capability limitations — aligned with the principles of our guide on AI Model Cards.
  • Intended and Prohibited Uses: A clear statement of the use cases the model was designed for and the use cases the provider explicitly prohibits.

The copyright dimension of Pillar 1 is particularly significant. Providers must document their compliance with EU copyright law in training data collection — including their implementation of the Text and Data Mining (TDM) exception and any opt-out mechanisms they have honored. This connects directly to the broader AI and Copyright questions that organizations across the content industry are actively navigating in 2026.

Pillar 2: Safety and Security

The second pillar addresses the technical safety of GPAI models — focusing on the measures providers must take to identify, assess, and mitigate risks that their models may pose when deployed across diverse downstream applications.

Safety Evaluations

Providers of GPAI models — particularly those at the systemic risk tier — must conduct structured safety evaluations before model release and at defined intervals post-release. These evaluations must cover:

  • Dangerous Capability Assessment: Systematic testing for whether the model possesses capabilities that could enable serious harm — including biological, chemical, nuclear, or radiological (CBRN) weapons assistance, serious cyberattack enablement, and autonomous goal-pursuit capabilities that could evade human oversight.
  • Misuse Potential Assessment: Evaluation of how the model’s capabilities could be deliberately exploited by malicious actors through adversarial prompting, fine-tuning, or jailbreaking — connecting directly to the LLM Red Teaming methodologies that responsible AI teams should already be practicing.
  • Systemic Risk Assessment: For models above the systemic risk threshold, a broader assessment of risks at the societal and critical infrastructure level — covering potential impacts on democratic processes, financial system stability, and public safety.

Adversarial Testing (Red Teaming)

Systemic risk GPAI providers are specifically required to conduct structured adversarial testing — commonly known as red teaming — before major model releases. This testing must go beyond internal teams to include independent external evaluators who can bring adversarial perspectives that internal teams may miss due to familiarity bias.

Cybersecurity Measures

The Code requires providers to implement cybersecurity controls protecting both the model itself and the infrastructure supporting its deployment — aligned with the framework we cover in our guide on the NIST Cyber AI Profile. This includes protecting model weights from unauthorized access or modification, securing training pipelines from data poisoning attacks, and implementing access controls that prevent unauthorized fine-tuning or extraction of model capabilities.

Pillar 3: AI Literacy and Transparency to Downstream Users

The third pillar addresses the relationship between GPAI model providers and the downstream operators who build applications on top of their models. Providers must ensure that downstream operators have the information and tools they need to deploy the model responsibly.

What Providers Must Give Downstream Operators

  • Technical Documentation: Sufficient technical information for downstream operators to understand the model’s capabilities, limitations, and appropriate use cases — enabling them to conduct their own AI Risk Assessment before deployment.
  • Usage Policies: Clear, enforceable terms governing permitted and prohibited uses of the model — including sector-specific restrictions (e.g., no autonomous medical diagnosis, no autonomous legal advice) that downstream operators must pass through to their own end users.
  • Safety Guidance: Specific guidance on the safety measures downstream operators should implement when deploying the model — including recommended system prompt structures, output filtering approaches, and human oversight requirements for high-risk use cases.
  • Update Notifications: Timely notification when the model is updated in ways that affect its capabilities, safety characteristics, or policy constraints — giving downstream operators the opportunity to re-evaluate their applications before the change takes effect.
  • Incident Reporting Channels: A mechanism for downstream operators to report safety incidents, unexpected model behaviors, or discovered vulnerabilities back to the provider — closing the feedback loop that is essential for continuous safety improvement.

AI Literacy Requirements

Providers must ensure that their documentation and communications enable downstream operators to build the AI literacy necessary for responsible deployment — a requirement that aligns directly with the EU AI Act Article 4 AI literacy obligations that apply to all organizations deploying AI systems.

Pillar 4: Data Governance

The fourth pillar focuses on the governance of training data — one of the most complex and contested dimensions of GPAI model development. The fundamental challenge is that frontier models are trained on data at a scale that makes comprehensive individual data review impossible. The Code addresses this through a framework of proportionate due diligence measures:

  • Data Source Documentation: Providers must maintain records of the categories and sources of training data sufficient to enable post-hoc investigation of data quality, bias, and copyright compliance issues. This aligns with the Datasheets for Datasets documentation approach.
  • Bias Assessment: Providers must assess training data for known demographic, geographic, and linguistic biases — and document both the biases identified and the mitigation measures applied.
  • Personal Data Minimization: Where training data includes personal data, providers must document their legal basis for processing under GDPR and their technical and organizational measures to minimize the personal data retained in the trained model.
  • Copyright Compliance Documentation: Providers must document their compliance with EU copyright law — including their implementation of the TDM opt-out mechanism and any licensing arrangements entered into with content creators.

4. ⚡ The Systemic Risk Requirements in Detail

For GPAI models that cross the systemic risk threshold, the Code imposes additional requirements that go beyond the standard obligations. These represent the most stringent AI governance requirements ever imposed by a major regulatory framework, and understanding them is essential for any organization evaluating whether to build on frontier models.

| Systemic Risk Requirement | What It Requires | Governance Connection |
|---|---|---|
| Adversarial Testing | Structured red team evaluation before major releases, including external independent evaluators | LLM Red Teaming methodology |
| Incident Reporting | Mandatory reporting of serious incidents to the EU AI Office within defined timeframes | AI Incident Response playbook |
| Cybersecurity Evaluation | Annual third-party cybersecurity assessment of model infrastructure and access controls | NIST Cyber AI Profile |
| Energy Reporting | Disclosure of training and inference energy consumption data to support sustainability accountability | Green AI and Environmental Impact |
| Model Capability Tracking | Ongoing monitoring of model capabilities as they evolve post-deployment through fine-tuning and adaptation | AI Monitoring and Observability |

5. 🏢 What This Means for Organizations That Buy or Deploy GPAI Models

The GPAI Code of Practice is primarily directed at model providers — but its requirements flow directly downstream to every organization that deploys applications built on GPAI models. Understanding what the Code requires from providers gives buyers and deployers a powerful framework for their own AI vendor due diligence process.

The Buyer’s Checklist: What to Ask Your GPAI Provider

If your organization deploys any application built on a GPAI model — including commercial AI tools from major providers — you should be able to answer these questions before deployment:

  • Is the model GPAI Code of Practice compliant? Has the provider published a compliance statement or registered with the EU AI Office?
  • What is the model’s technical documentation? Can the provider share the documentation required under Pillar 1 — including training data description, known limitations, and intended use cases?
  • Has the model undergone adversarial testing? What red team evaluation was conducted before the model was released, and what were the findings?
  • What are the prohibited use cases? Does the provider’s usage policy prohibit the specific application you are building, and have you reviewed those restrictions with your legal team?
  • What is the incident reporting process? If you discover a safety issue with the model in your deployment, what is the mechanism for reporting it to the provider?
  • How is the model updated, and how will you be notified? If the provider makes changes to the model that affect its safety characteristics or capability profile, will you receive advance notice?
  • What data does the model use from your interactions? Is your organization’s data or your users’ data used to train or fine-tune the model — and what is the legal basis for this under GDPR?

6. 🌍 The Global Impact of the GPAI Code

The GPAI Code of Practice does not stop at the EU’s borders. Its influence is already extending globally through three mechanisms that every AI leader should understand.

The Brussels Effect

The Brussels Effect — the well-documented phenomenon whereby EU regulations become de facto global standards because multinational companies find it more efficient to apply a single global compliance standard than to maintain separate standards for each market — is already operating on the GPAI Code. Major AI providers are aligning their global model development practices to the Code’s requirements rather than maintaining EU-specific variants of their models.

Regulatory Convergence

Regulators in the United Kingdom, Canada, Japan, South Korea, and Brazil have all publicly referenced the EU AI Act and the GPAI Code in their own AI policy development processes. The GPAI Code’s four-pillar structure — transparency, safety, downstream operator obligations, and data governance — is emerging as the consensus framework for GPAI regulation globally.

Procurement Requirements

Large enterprise and government procurement organizations are beginning to require GPAI Code compliance as a condition of AI vendor selection — accelerating adoption beyond the EU’s direct regulatory reach. Organizations that complete their AI Vendor Due Diligence process will increasingly find GPAI Code compliance as a baseline expectation rather than a differentiator.

7. ⏱️ The Enforcement Timeline and Penalties

Understanding the enforcement timeline is critical for organizations planning their compliance roadmap. The EU AI Act’s GPAI provisions have a phased enforcement schedule that creates different urgency levels for different obligations:

| Timeline | Milestone | Action Required |
|---|---|---|
| August 2025 | GPAI provisions of the EU AI Act came into force | All GPAI providers serving the EU market must have a compliance roadmap in place |
| Q1 2026 | GPAI Code of Practice finalized and published | Providers begin formal compliance implementation against Code requirements |
| August 2026 | Full GPAI Code compliance expected | All required documentation, safety evaluations, and governance measures in place |
| Ongoing | EU AI Office oversight and enforcement | Continuous compliance maintenance, incident reporting, and annual evaluations |

The Penalty Framework

Non-compliance with the EU AI Act’s GPAI provisions carries significant financial penalties. For GPAI model providers that fail to meet their obligations, the maximum penalty is €15 million or 3% of global annual turnover — whichever is higher. For the largest AI companies, this percentage-based calculation produces penalties that dwarf the flat cap, making compliance a straightforward financial imperative as well as a legal obligation.

The Compliance Investment Calculation: For a GPAI provider with €1 billion in global revenue, a 3% penalty exposure represents €30 million — significantly more than the cost of building a comprehensive compliance program. The economics of compliance are unambiguous for any provider operating at meaningful scale in the EU market.

8. 🔗 How the GPAI Code Connects to Your Broader AI Governance Stack

The GPAI Code of Practice does not operate in isolation. For organizations building a comprehensive AI governance program, it connects directly to a stack of complementary frameworks that together provide complete coverage of AI risk, compliance, and accountability:

  • EU AI Act: The parent legal framework that the GPAI Code implements — see our complete guide on the EU AI Act Explained.
  • ISO/IEC 42001: The international AI management system standard whose governance structure complements the GPAI Code’s requirements — see our guide on ISO/IEC 42001 Explained.
  • NIST AI RMF: The US federal AI risk management framework whose GOVERN, MAP, MEASURE, and MANAGE functions map closely to the GPAI Code’s four pillars.
  • AI System Bill of Materials: The documentation approach for tracking all components of an AI system — a foundational requirement for GPAI Code compliance covered in our guide on the AI-SBOM.
  • The AI Audit Checklist: The practical compliance verification framework for organizations preparing for regulatory review — see our AI Audit Checklist.

🏁 Conclusion: The GPAI Code as Competitive Advantage

The GPAI Code of Practice is widely discussed as a compliance burden — but the most sophisticated organizations in the AI ecosystem are recognizing it as something more valuable: a competitive differentiator. AI providers that achieve and transparently communicate GPAI Code compliance build a level of trust with enterprise buyers, government procurement teams, and regulated-industry customers that non-compliant competitors simply cannot match.

In an AI market where trust is the scarcest and most valuable commodity, the organizations that invest in the transparency, safety evaluation, downstream operator support, and data governance that the GPAI Code requires will earn a durable competitive advantage — not just regulatory clearance. The code is not the ceiling of responsible AI development. For the best organizations in the market, it is the floor.

📌 Key Takeaways

  • The GPAI Code of Practice translates the EU AI Act’s legal obligations for General Purpose AI model providers into specific, measurable technical and governance requirements.
  • The Code applies to any organization placing GPAI models on the EU market — regardless of where in the world the organization is headquartered.
  • The four pillars of the Code are: Transparency and Copyright, Safety and Security, Downstream Operator Obligations, and Data Governance.
  • Models above the 10²⁵ FLOPs systemic risk threshold face additional requirements including adversarial testing, mandatory incident reporting, and annual cybersecurity evaluations.
  • Non-compliance penalties reach €15 million or 3% of global annual turnover — making compliance a clear financial imperative for any provider operating at scale.
  • The Brussels Effect is already driving GPAI Code adoption beyond the EU — with regulators in the UK, Canada, Japan, and Brazil referencing it in their own AI policy frameworks.
  • Organizations that deploy applications built on GPAI models should use the Code’s requirements as a structured framework for AI vendor due diligence.
  • GPAI Code compliance connects directly to ISO 42001, the NIST AI RMF, the AI-SBOM framework, and the broader AI governance stack every organization should be building in 2026.

❓ Frequently Asked Questions: EU AI Act GPAI Code of Practice

1. Does the GPAI Code of Practice apply to companies that only use AI models — not build them?

Mostly no. The Code primarily targets “model providers” — organizations that train and release General Purpose AI models. However, if your company fine-tunes a foundation model and releases it to third parties, you cross the threshold from “user” to “provider” and inherit significant obligations — including transparency documentation and copyright compliance.

2. What is the difference between a “systemic risk” model and a standard GPAI model under the Code?

Scale and capability. A standard GPAI model must meet basic transparency and copyright obligations. A “Systemic Risk” model — defined by exceeding 10²⁵ FLOPs of training compute — faces a significantly heavier burden, including mandatory red teaming, incident reporting to the European AI Office, and adversarial testing under NIST COSAiS equivalent controls.

3. Can a company sign the Code of Practice voluntarily before it becomes mandatory?

Yes — and many leading AI providers already have. Early signatories gain preferential treatment in EU procurement processes and are presumed compliant when the Code becomes legally binding. It also signals to enterprise clients that your model meets the transparency standards required for AI Vendor Due Diligence reviews.

4. How does the GPAI Code handle open-source models — are they fully exempt?

Partially. Open-source models below the systemic risk threshold receive significant exemptions from transparency and copyright obligations. However, if an open-source model crosses the systemic risk compute threshold, all exemptions are removed and full compliance is required — regardless of whether the weights are publicly available or the developer is a commercial entity.

5. What happens if a GPAI model causes a serious incident — who is legally responsible under the Code?

The model provider bears primary responsibility for reporting the incident to the European AI Office within 15 days. If the incident was caused by a downstream deployer modifying the model, liability is shared — but the provider must still maintain an AI Incident Response playbook and a documented AI System Bill of Materials proving exactly which version of the model was involved.

About the Author

Sapumal Herath

Sapumal is a specialist in Data Analytics and Business Intelligence. He focuses on helping businesses leverage AI and Power BI to drive smarter decision-making. Through AI Buzz, he shares his expertise on the future of work and emerging AI technologies. Follow him on LinkedIn for more tech insights.