⚖️ The EU AI Act’s GPAI rules are live — and enforcement begins August 2, 2026. This guide explains what the General-Purpose AI Code of Practice requires, which obligations apply to your organization right now, and the exact steps model providers and buyers need to take before the enforcement window opens.
Last Updated: May 22, 2026
The EU AI Act’s General-Purpose AI (GPAI) Code of Practice is no longer a future regulatory concern — it is a present operational reality. The final Code was published on July 10, 2025 by the European AI Office, and the GPAI obligations took legal effect on August 2, 2025. Every new foundation model, large language model, or general-purpose AI system placed on the EU market from that date forward must comply. The grace period for existing models runs until August 2, 2027. But the enforcement window — where the European Commission can actively impose fines, request model access, and issue model recalls — opens on August 2, 2026. For AI providers and deployers operating in or selling into the EU, that enforcement date is not a horizon. It is three months away.
Understanding the GPAI Code of Practice is no longer optional for AI governance teams, legal departments, or enterprise AI buyers. The Code operates across three chapters — Transparency, Copyright, and Safety and Security — and imposes obligations that range from detailed technical documentation requirements to adversarial testing mandates to copyright policy implementation. The European Commission and the AI Board confirmed the adequacy of the Code on August 1, 2025 — making it the authoritative voluntary compliance pathway under the AI Act. Organizations that choose not to sign must build their own bespoke compliance framework from scratch and prove to European regulators it is equally robust. That is a substantially harder position to defend under audit.
This guide covers the GPAI Code of Practice in full — what it requires across all three chapters, who it applies to and who it exempts, how it connects to the AI Act’s penalty structure, what the AI Omnibus simplification changes, and what both model providers and enterprise buyers need to do before August 2026. It closes with a practical compliance checklist and an obligations comparison table you can bring directly into your AI governance review. Whether you develop foundation models, fine-tune them, or purchase AI services from providers who do, the GPAI Code of Practice affects your compliance posture — and this guide explains exactly how.
📖 New to AI terminology? Visit the AI Buzz AI Glossary — 65+ essential AI terms explained in plain English, each linking to a full in-depth guide.
1. ⚖️ What Is the EU AI Act GPAI Code of Practice?
The General-Purpose AI Code of Practice is a voluntary compliance tool developed through a multi-stakeholder process involving nearly 1,000 participants — including AI model providers, downstream deployers, academic experts, members of civil society, and representatives from EU Member States. It was prepared by independent experts appointed by the European AI Office and published in its final form on July 10, 2025. The Commission and the AI Board subsequently confirmed its adequacy on August 1, 2025, giving it general validity within the EU as a recognized compliance pathway under the AI Act.
The Code’s purpose is to bridge the gap between when GPAI obligations came into legal effect (August 2, 2025) and when harmonized European standards for GPAI models are expected to be finalized (around 2027 or later). During this interim period, model providers can adhere to the Code to demonstrate compliance with the AI Act’s GPAI obligations — covering transparency, copyright, and safety and security. The Code is structured as a set of commitments that signatories make to the AI Office, organized into three thematic chapters, each addressing a distinct compliance area.
It is important to understand what “voluntary” means in this regulatory context, because it does not mean optional in any practical sense. The underlying obligations sit in Articles 53 to 55 of the AI Act and bind every GPAI provider whether or not it signs; the Code is simply a recognised way of demonstrating compliance with them. Organizations that choose not to sign must demonstrate compliance through alternative means, which requires building a bespoke compliance framework and explaining to the AI Office why that framework is as robust as the Code’s requirements. The AI Office has been explicit: non-signatories face a higher burden of proof and closer scrutiny. From August 2, 2026, the Commission’s enforcement powers are fully active, and fines of up to €15 million or 3% of global annual turnover, whichever is higher, apply to non-compliant GPAI providers regardless of whether they signed the Code.
Key Definition: A General-Purpose AI (GPAI) model is an AI model that displays significant generality and is capable of competently performing a wide range of distinct tasks across various domains — including text generation, image synthesis, code writing, translation, and multimodal reasoning. The AI Act’s GPAI obligations apply to any such model placed on the EU market, whether developed inside or outside the EU.
Who the Code Applies To
The GPAI Code of Practice applies to providers of GPAI models: organizations that develop, train, and place general-purpose AI models on the EU market. This includes major foundation model providers (OpenAI, Anthropic, Google DeepMind, Meta, Mistral AI, and others), as well as any organization that significantly modifies a GPAI model and thereby steps into the provider role for the modified model. The Commission’s GPAI Guidelines are specific about what counts as a “significant modification”: the modification is presumed significant when the compute spent on it exceeds one-third of the compute used to train the original model, or, where the original training compute is unknown, more than 3.33 × 10²² floating-point operations (one-third of the 10²³ FLOP indicative threshold for a model to count as GPAI at all). Organizations that merely fine-tune a model with minor adjustments below that level do not become providers, although they remain in scope as downstream providers or deployers of the resulting system.
Providers established or located outside the EU who place GPAI models on the EU market must appoint an authorized representative within the EU. The Code applies to models distributed within the EU regardless of where the provider is headquartered — meaning US-based AI companies serving European customers are squarely within scope. The Code’s obligations vary by model capability level: all GPAI models face Transparency and Copyright chapter obligations, while only models with systemic risk face the full Safety and Security chapter requirements.
Who the Code Exempts
Open-source GPAI models are partially exempt. Under Article 53(2), a model released under a free and open-source licence that allows access, use, modification and distribution, whose parameters, architecture and usage information are made publicly available, and which is not monetised, is exempt from the technical documentation obligations covered by the Transparency chapter, provided it does not pose systemic risk. The exemption is narrower than it sounds: open-source providers must still implement the Copyright chapter requirements and must still publish the public summary of training content, and a model that meets the systemic risk threshold loses the exemption entirely. A GPAI model is presumed to pose systemic risk if the cumulative compute used for its training exceeds 10²⁵ FLOPs, a threshold currently met by the most advanced frontier models; the Commission can also designate a model as systemic-risk on other grounds. As of March 2026, six GPAI models have been classified as posing systemic risk by the European AI Office, with that number expected to grow as additional frontier models enter the EU market.
2. 📋 The Three Chapters: What the Code Actually Requires
The GPAI Code of Practice is organized into three chapters, each addressing a distinct compliance domain. Understanding what each chapter requires in practical terms — not just in regulatory language — is the foundation for building a compliant GPAI governance program. The obligations in each chapter are not abstract principles: they are specific commitments with defined documentation, process, and timeline requirements that the AI Office will assess during compliance reviews.
Chapter 1: Transparency
The Transparency chapter applies to all GPAI model providers — both those with and without systemic risk — with a partial exemption for open-source models that pose no systemic risk. The core commitment in this chapter is maintaining up-to-date, comprehensive documentation for every GPAI model distributed within the EU. This documentation must be prepared before the model is placed on the market and must remain current, reflecting any material changes to the model. It must be preserved for a minimum of 10 years after the model’s initial release — a significant record-keeping requirement that many organizations have not yet factored into their data governance programs.
The specific documentation requirements are structured around a Model Documentation Form defined in the Code. Providers must make their contact details publicly available so that the AI Office and downstream providers can request documentation access. When the AI Office requests documentation, providers must deliver the latest version within a designated timeframe. When downstream providers request documentation — as they need it to integrate the model into their own systems — providers must supply it within 14 days. This 14-day downstream documentation delivery obligation is operationally significant: it means GPAI providers need a documentation management system that can respond quickly to enterprise customer requests, not just regulatory inquiries.
Alongside the Code, every GPAI provider, including providers of exempt open-source models, must publish a public summary of the content used to train the model under Article 53(1)(d). The Commission finalized the Template for the Public Summary of Training Content of GPAI Models on July 24, 2025, and providers must use it. The template asks for an overview of the main data sources (large public datasets, licensed and scraped data, user-generated and synthetic data) at a level of detail sufficient for rightsholders, downstream users and regulators to understand provenance and assess potential bias risk, while being designed so that the summary does not have to disclose trade secrets or confidential business information. The detailed technical documentation that the AI Office can request under the Transparency chapter remains a separate, confidential channel.
Chapter 2: Copyright
The Copyright chapter applies to all GPAI model providers without exception — including open-source models. It operationalizes Article 53(1)(c) of the AI Act, which requires providers to implement a policy ensuring compliance with EU copyright law. The chapter’s focus is on the rights of copyright holders who opt-out and reserve the use of their works under Article 4(3) of the Copyright in the Digital Single Market Directive — the EU’s text and data mining exception. Providers must develop and maintain a unified, regularly updated copyright policy that demonstrates compliance with this chapter’s requirements and clearly defines internal accountability structures.
The specific obligations signatories must implement cover five key areas: establishing a clear copyright compliance policy, using state-of-the-art technologies to identify and exclude protected content from training, ensuring transparency about datasets used, designating a point of contact for rightsholders, and establishing a mechanism for submitting complaints. The complaint mechanism is detailed: it must facilitate electronic submission, and providers must handle complaints fairly and promptly. This is not a passive compliance commitment — it requires active operational infrastructure to receive and respond to copyright-related complaints from rightsholders who believe their protected works appeared in training data without proper authorization.
Chapter 3: Safety and Security (Systemic Risk Models Only)
The Safety and Security chapter applies only to GPAI models classified as posing systemic risk — those trained with more than 10²⁵ FLOPs of compute. This chapter imposes the most demanding compliance requirements in the entire Code and is designed to address the potential for frontier models to produce widespread harm. Signatories must develop a comprehensive Safety and Security Framework before model release — a formal governance document that outlines evaluation triggers, risk categories, mitigation strategies, forecasting methods, and organizational responsibilities. This framework must be regularly updated in response to new risks, incidents, or significant changes in the model or its environment.
The evaluation methodology required under this chapter is rigorous: systemic risks must be identified through structured processes including inventories, scenario analysis, and consultation with internal and external experts. Those risks must then be analyzed using methods including simulations, adversarial testing, and post-market surveillance. This adversarial testing requirement directly connects to the AI security practices covered in our guide on adversarial machine learning and LLM red teaming — both of which describe the testing methodologies the Safety and Security chapter requires.
🔒 Building an AI governance framework? Browse the AI Buzz Governance & Security Hub — 30+ in-depth guides covering OWASP, NIST, ISO 42001, AI risk management, and enterprise AI security frameworks.
3. 📅 The Enforcement Timeline: What Is Active Right Now
The EU AI Act’s enforcement timeline is phased, and understanding which deadlines are active, which are approaching, and which are still pending is essential for prioritizing compliance activities in 2026. The timeline has three critical dates for GPAI providers that every governance team should have mapped against their model portfolio and organizational calendar.
| Date | Milestone | Who Is Affected | Status (May 2026) |
|---|---|---|---|
| 1 August 2024 | AI Act enters into force | All AI system providers and deployers in the EU | ✅ Passed — all compliance clocks running |
| 2 February 2025 | Prohibited AI practices banned; AI literacy obligations active | All AI system providers and deployers | ✅ Active — violations enforceable now |
| 10 July 2025 | Final GPAI Code of Practice published by AI Office | GPAI model providers | ✅ Published — available for sign-on |
| 2 August 2025 | GPAI obligations legally applicable; new models must comply | All new GPAI model providers from this date forward | ✅ Active — new models must comply immediately |
| 2 August 2026 | Full Commission enforcement powers active — fines, audits, model recalls | All GPAI model providers; high-risk AI system providers | ⚠️ 3 months away — compliance preparation window closing |
| 2 August 2026 | AI Act transparency rules (Article 50) take effect | Providers of generative AI and chatbot systems | ⚠️ 3 months away — transparency guidelines under consultation |
| 2 August 2027 | Legacy model grace period ends — pre-August 2025 models must comply | Providers of GPAI models already on market before August 2025 | 🕐 14 months — use Code of Practice as compliance bridge |
| 2 August 2028 | Extended deadline for high-risk AI in regulated products (AI Omnibus) | AI systems embedded in Annex I regulated products (medical devices, toys, etc.) | 🕐 26 months — extended by AI Omnibus political agreement |
The August 2, 2026 enforcement activation is the most critical date for most organizations. From that date, the Commission can conduct audits, request access to models and documentation, issue corrective orders, and impose fines. The collaborative, soft-touch approach the AI Office has taken with Code of Practice signatories during the first year of GPAI obligations changes meaningfully on that date — enforcement becomes the default mode rather than the exception. Organizations that have not yet signed the Code or established alternative compliance frameworks are in an increasingly exposed position with each week that passes.
The AI Omnibus: What Changed in 2025–2026
The AI Omnibus, a legislative package designed to simplify the AI Act’s implementation, was proposed by the Commission on November 19, 2025, and a political agreement between the co-legislators was reached on May 7, 2026. The Omnibus introduces several changes relevant to GPAI providers and enterprise buyers. The high-risk AI system compliance deadline for systems embedded in regulated products (medical devices, toys, machinery) moves from August 2026 to August 2028, a two-year extension reflecting the complexity of integrating AI Act requirements into existing product safety frameworks. The Omnibus also reinforces the AI Office’s powers and centralises oversight of AI systems built on GPAI models, reducing governance fragmentation. Simplified technical documentation requirements for SMEs are extended to small mid-cap companies, and access to EU-level regulatory sandboxes is broadened for innovators testing AI solutions in real-world conditions. Note that none of these changes touch the GPAI obligations themselves or the August 2, 2026 enforcement date.
4. 🏢 What This Means for Enterprise AI Buyers
The GPAI Code of Practice is primarily designed for model providers, but its implications extend directly to every organization that purchases, deploys, or integrates AI services built on GPAI models. In the AI Act’s terminology an enterprise buyer is a downstream provider (if it integrates a GPAI model into its own AI system) or a deployer (if it uses a system someone else built), and the Act and the Code create rights for them: under the Transparency chapter, a downstream provider that needs documentation to integrate a model is entitled to receive it from the GPAI provider within 14 days of request. If your AI vendor cannot deliver that documentation, it may not be in compliance with its own GPAI obligations, which creates supply chain risk for your organization: your high-risk system documentation, risk assessments and incident response all depend on information only the model provider holds.
The practical implication is that enterprise AI procurement processes must now include GPAI compliance verification as a standard component of vendor due diligence. Before signing or renewing a contract with any AI provider whose services are built on GPAI models, your organization should ask: Has this provider signed the GPAI Code of Practice? Can they provide their Model Documentation Form? Do they have a documented copyright compliance policy? If the model involves systemic risk, what does their Safety and Security Framework include? Our AI vendor due diligence checklist covers the full set of questions enterprise buyers should ask — the GPAI Code of Practice obligations map directly to several of the highest-priority checklist items.
Contract terms also require attention. The AI Act places obligations on deployers of high-risk AI systems, including those built on GPAI models: using the system in accordance with the provider’s instructions, assigning trained human oversight, monitoring the system’s operation, retaining the logs it generates, and informing the provider and the market surveillance authority of serious incidents. Deployers need to understand which GPAI model underlies each AI system they deploy, what risk classification that model carries, and whether the system’s use case triggers high-risk AI system obligations on the deployer side. Our AI model risk management guide covers how to build the internal framework for making these assessments systematically across your AI portfolio.
Buyer Checklist Question: Ask every AI vendor this directly: “Has the provider of your underlying GPAI model signed the EU AI Act Code of Practice, and can you provide the Model Documentation Form upon request?” A vendor who cannot answer this question clearly is either not in scope, not compliant, or not prepared to be transparent about its compliance posture, and all three are signals your procurement team needs to evaluate before contract signature.
5. 📊 GPAI Obligations by Model Type: A Comparison
Not all GPAI obligations apply to all models equally. Understanding which requirements apply to which model type is essential for both providers building compliance programs and buyers evaluating vendor risk. The following table maps the key Code of Practice obligations against the three model categories: standard GPAI models, open-source GPAI models without systemic risk, and GPAI models with systemic risk.
| Obligation | Standard GPAI | Open-Source GPAI (No Systemic Risk) | GPAI with Systemic Risk |
|---|---|---|---|
| Technical documentation (Model Documentation Form) | ✅ Required | ⚠️ Partially exempt | ✅ Required (enhanced) |
| Training data public summary (Commission template) | ✅ Required | ✅ Required (no exemption) | ✅ Required |
| Downstream documentation (14-day delivery) | ✅ Required | ⚠️ Partially exempt | ✅ Required |
| 10-year documentation retention | ✅ Required | ⚠️ Partially exempt | ✅ Required |
| Copyright compliance policy | ✅ Required | ✅ Required (no exemption) | ✅ Required |
| Rightsholder complaint mechanism | ✅ Required | ✅ Required (no exemption) | ✅ Required |
| Safety and Security Framework | ❌ Not required | ❌ Not required | ✅ Required — pre-market |
| Adversarial testing / red teaming | ❌ Not required | ❌ Not required | ✅ Required — ongoing |
| Systemic risk notification to AI Office | ❌ Not required | ❌ Not required | ✅ Required — within two weeks of meeting the 10²⁵ FLOP threshold |
| Post-market monitoring and incident reporting | ❌ Not required under CoP | ❌ Not required under CoP | ✅ Required — continuous |
6. 🔗 How the GPAI Code Connects to Other AI Governance Frameworks
The GPAI Code of Practice does not exist in isolation. For organizations managing AI governance across multiple frameworks, understanding how it connects to — and complements — ISO 42001, NIST AI RMF, and the broader EU AI Act high-risk system obligations is essential for building an integrated compliance program rather than maintaining parallel, disconnected compliance tracks.
ISO/IEC 42001:2023 is the international standard for AI Management Systems (AIMS) and shares significant structural overlap with the GPAI Code of Practice. ISO 42001 Annex C lists security (objective C.2.10) among the AI-related objectives an organization should consider when it identifies risk sources, which maps directly to the Code’s Safety and Security chapter obligations. ISO 42001’s Clause 9 performance evaluation requirements align with the Code’s post-market monitoring and continuous oversight commitments, and the Annex A controls on documentation and data provenance cover much of what the Model Documentation Form and the training content summary ask for. Organizations pursuing ISO 42001 certification will find that a significant portion of the Code of Practice’s documentation and process requirements are already addressed within a mature AIMS. Our ISO 42001 guide covers this alignment in detail.
The NIST AI Risk Management Framework has no direct regulatory relationship with the EU AI Act, but its Govern, Map, Measure, and Manage functions align closely with the Code’s structure. NIST AI RMF Govern 1.5 (ongoing monitoring and periodic review of the risk management process) and Manage 4.1 (post-deployment monitoring plans, including incident response) map to the Code’s post-market monitoring and serious incident reporting requirements for systemic risk models. NIST AI RMF Measure 2.7 (AI system security and resilience are evaluated and documented) maps to the Code’s adversarial testing requirements. Organizations using NIST AI RMF as their primary governance framework can map Code of Practice obligations to the corresponding RMF subcategories without significant duplication, and NIST’s AI governance resources provide the control documentation structure that supports this cross-framework mapping exercise.
The EU AI Act’s high-risk system obligations interact with the GPAI Code in a critical way for deployers. If a high-risk AI system is built on a GPAI model, both the GPAI provider obligations (which the model provider must satisfy) and the high-risk system obligations (which the deployer must satisfy) apply simultaneously. Deployers need to understand whether their AI system’s use case triggers high-risk classification under Annex III of the AI Act — categories including AI used in employment, education, critical infrastructure, law enforcement, and migration management. Our EU AI Act compliance guide covers the full Annex III risk tier mapping in detail.
7. ✅ GPAI Compliance Checklist: What to Do Before August 2026
The following checklist is organized by actor type — model providers and enterprise buyers — and covers the actions that should be completed or materially progressed before the August 2, 2026 enforcement activation. It is not exhaustive but covers the controls that apply to most organizations affected by the GPAI Code of Practice in 2026.
For GPAI Model Providers
The first and most urgent action for any GPAI model provider not yet signed onto the Code is to evaluate whether signing is the right compliance pathway for your organization. The decision framework is straightforward: if you are a provider of a new GPAI model placed on the EU market from August 2025 forward, you have two choices, sign the Code or build and document an equivalent compliance framework independently. For the vast majority of providers, signing the Code is the more efficient path, because adherence is a recognised way to demonstrate compliance, it brings collaborative support from the AI Office, and it gives regulators a structured framework they already understand.
Once signed (or an equivalent framework is chosen), providers must move through the three compliance chapters in sequence. The Transparency chapter obligations — Model Documentation Form, training data public summary, downstream documentation delivery infrastructure — are the most broadly applicable and should be addressed first. The Copyright chapter obligations — policy establishment, technological controls, complaint mechanism — are operationally intensive but well-defined and should be implemented concurrently with the Transparency chapter. For systemic risk model providers, the Safety and Security Framework is the most complex and time-consuming obligation — and should have been underway since August 2025. The AI Office has taken a collaborative approach during the first year, but that collaborative window closes in August 2026.
| ✅ | Action Required | Applies To | Priority |
|---|---|---|---|
| ☐ | Determine whether your organization qualifies as a GPAI model provider under the AI Act | All organizations developing AI models | 🔴 Critical |
| ☐ | Sign the GPAI Code of Practice OR document an equivalent compliance framework | GPAI model providers | 🔴 Critical |
| ☐ | Complete the Model Documentation Form and establish documentation management system | GPAI model providers (except exempt open-source) | 🔴 Critical |
| ☐ | Publish training data public summary using the Commission template (July 24, 2025) | All GPAI model providers (including open-source) | 🔴 Critical |
| ☐ | Implement 14-day downstream documentation delivery process for enterprise customers | All GPAI model providers | 🟠 High |
| ☐ | Establish 10-year documentation retention policy and archive infrastructure | All GPAI model providers | 🟠 High |
| ☐ | Develop unified copyright compliance policy and appoint rightsholder point of contact | All GPAI model providers | 🔴 Critical |
| ☐ | Implement electronic copyright complaint mechanism with fair and prompt handling | All GPAI model providers | 🟠 High |
| ☐ | Develop Safety and Security Framework with adversarial testing and scenario analysis | Systemic risk GPAI providers only | 🔴 Critical |
| ☐ | Notify AI Office of systemic risk classification via EU SEND platform | Systemic risk GPAI providers only | 🔴 Critical |
| ☐ | Add GPAI compliance verification to AI vendor due diligence process | Enterprise AI buyers (deployers) | 🔴 Critical |
| ☐ | Request Model Documentation Form from all AI vendors whose services use GPAI models | Enterprise AI buyers (deployers) | 🟠 High |
| ☐ | Classify deployed AI systems against Annex III high-risk categories | Enterprise AI buyers (deployers) | 🔴 Critical |
| ☐ | Update AI contracts to include GPAI compliance representations and documentation delivery SLAs | Enterprise AI buyers (deployers) | 🟠 High |
8. 🏁 Conclusion: The Compliance Window Is Closing
The EU AI Act’s GPAI Code of Practice represents the most significant AI governance obligation that model providers and enterprise AI buyers face in 2026. The Code is no longer a future compliance consideration — it is a present operational requirement with a hard enforcement deadline three months away. The organizations that act now — completing documentation, signing the Code or establishing equivalent frameworks, updating vendor contracts, and classifying their AI system portfolios — are the ones that will enter August 2026 from a position of strength. The organizations that continue treating the GPAI Code as a regulatory abstraction will face a much harder conversation with the AI Office when enforcement inquiries arrive.
For enterprise AI buyers, the most actionable step is the simplest: start asking your AI vendors whether they have signed the Code and whether they can provide their Model Documentation Form. That single question reveals more about a vendor’s GPAI compliance posture than any marketing material. For model providers, the equivalent step is ensuring your documentation is complete, current, and deliverable within the required timeframes. The Code does not demand perfection from day one — the AI Office has committed to a collaborative approach with good-faith signatories. What it demands is commitment, documentation, and demonstrable progress. Every week between now and August 2, 2026 is a week that can be used to build that compliance posture — or a week that makes the enforcement window narrower.
📌 Key Takeaways
| ✅ | Takeaway |
|---|---|
| ✅ | The final GPAI Code of Practice was published July 10, 2025 and GPAI obligations became legally applicable August 2, 2025 — all new GPAI models placed on the EU market from that date must comply immediately. |
| ✅ | Full Commission enforcement powers — fines, audits, model recalls — activate on August 2, 2026. Non-compliant GPAI providers face penalties of up to €15 million or 3% of global annual turnover, whichever is higher. |
| ✅ | The Code is organized into three chapters — Transparency, Copyright, and Safety and Security — with Transparency and Copyright applying to all GPAI providers and Safety and Security applying only to models with systemic risk (trained on more than 10²⁵ FLOPs). |
| ✅ | Although the Code is “voluntary,” non-signatories must build an equivalent bespoke compliance framework from scratch and prove its adequacy to the AI Office — making the Code the practical compliance pathway for the vast majority of providers. |
| ✅ | Open-source GPAI models without systemic risk are exempt from the Transparency chapter’s technical documentation obligations but must still comply with all Copyright chapter obligations and still publish the public training content summary — the open-source exemption is narrower than many developers assume. |
| ✅ | As of March 2026, six GPAI models have been classified as posing systemic risk, with that number growing as additional frontier models enter the EU market — systemic risk providers face the most demanding Chapter 3 obligations. |
| ✅ | Enterprise AI buyers are downstream providers or deployers under the AI Act; a downstream provider integrating a GPAI model is entitled to receive the Model Documentation Form from the model provider within 14 days of request — GPAI compliance verification must become a standard component of AI vendor due diligence. |
| ✅ | The AI Omnibus (political agreement reached May 7, 2026) extended the high-risk AI system compliance deadline for Annex I regulated product categories from August 2026 to August 2028, reducing near-term compliance burden for embedded-AI product manufacturers. |
🔗 Related Articles
- 📖 EU AI Act Explained: A Beginner-Friendly Compliance Guide + Practical Checklist
- 📖 ISO/IEC 42001 Explained: A Beginner’s Guide to Building an AI Management System
- 📖 AI Vendor Due Diligence Checklist: How to Evaluate AI Tools Before You Share Data
- 📖 The AI Audit Checklist: How to Prove Your Company Is Compliant in 2026
- 📖 AI Model Risk Management (MRM) Explained: A Practical Framework for 2026
❓ Frequently Asked Questions: EU AI Act GPAI Code of Practice
1. Do I need to sign the GPAI Code of Practice if I only fine-tune a foundation model rather than training one from scratch?
It depends on the scale of your fine-tuning. The GPAI Guidelines state that only modifications requiring more than one-third of the original model’s training compute trigger provider obligations — minor fine-tuning does not. If your modifications exceed that threshold, you step into the provider role for compliance purposes. Our EU AI Act compliance guide covers how the provider-deployer boundary works across the full AI value chain.
2. What happens if my AI vendor has not signed the GPAI Code of Practice — does that create compliance risk for my organization?
Yes — if your vendor provides services built on a GPAI model and has not signed the Code or established an equivalent framework, they may not be compliant with their AI Act obligations. This creates supply chain risk for your organization, including potential inability to receive required documentation within 14 days. Our AI vendor due diligence checklist includes the specific questions to ask vendors about their GPAI compliance status before contract signature.
3. How does the GPAI Code of Practice relate to ISO 42001 certification — do they overlap?
There is significant structural overlap. ISO 42001 Clause 9 performance evaluation, the Annex C objectives and risk sources (including security), and the Annex A controls on documentation and data management all align with Code of Practice chapter obligations. Organizations with a mature ISO 42001 AIMS will find many Code requirements already addressed, although ISO 42001 certification is not itself evidence of AI Act compliance. Our ISO 42001 guide covers how to map your existing AIMS controls to the GPAI Code’s documentation requirements.
4. What are the specific penalties for GPAI Code of Practice non-compliance after August 2026?
Non-compliance with GPAI model obligations under the AI Act carries fines of up to €15 million or 3% of global annual turnover — whichever is higher. These fines apply from August 2, 2026. Good-faith Code signatories who have not yet fully implemented all commitments benefit from the AI Office’s collaborative approach, though this does not eliminate fine risk entirely. Our AI audit checklist covers how to document compliance evidence that demonstrates good-faith implementation progress.
5. Does the GPAI Code of Practice apply to US companies that sell AI services to European customers?
Yes. The EU AI Act’s scope turns on whether a model is placed on the EU market or its output is used in the EU, not on where the provider is established. Any organization placing a GPAI model on the EU market, regardless of where it is headquartered, must comply with the GPAI obligations and must appoint an authorized representative within the EU if it is not established there (Article 54). This extraterritorial reach is one of the most important aspects of the AI Act for US-based AI companies. Our EU AI Act compliance guide covers the territorial scope in detail.