GPAI Code of Practice: What Signatories Must Do in Practice
What the GPAI Code of Practice means for AI model providers: legal status, four obligation measures, the 10²⁵ FLOPs threshold, and signing implications.
The GPAI Code of Practice was published on July 10, 2025 — and for companies building or deploying large language models and foundation models in the EU, it changed the compliance landscape almost overnight. If you provide a general-purpose AI model, this Code is now your primary compliance reference. If your company signed it, you gain a presumption of compliance with the EU AI Act. If you did not, you must demonstrate compliance through other means.
This article explains what the Code actually requires, what signing means legally, and what practical obligations signatories have taken on across the Code's four measures.
What Is the GPAI Code of Practice?
The GPAI Code of Practice is a voluntary technical and governance framework developed under Article 56 of the EU AI Act (Regulation (EU) 2024/1689). It was coordinated by the European AI Office and produced through a multi-stakeholder process involving more than 1,000 organizations — model providers, researchers, civil society groups, downstream deployers, and public authorities.
The Code's central legal purpose is to create a presumption of conformity. When a GPAI model provider follows the Code, it is presumed to comply with Articles 53 and 55 of the EU AI Act — the articles that govern standard GPAI obligations and systemic-risk GPAI obligations respectively. That presumption is rebuttable, meaning a national authority or the AI Office can still challenge compliance, but it places the burden of proof on the enforcer rather than the provider.
This is not a safe harbor in the strict legal sense. But in practice, it is the closest thing to one available under the EU AI Act for GPAI providers.
Legal Basis: Articles 53, 55, and 56
Before examining what the Code requires, it helps to understand the three articles it connects.
Article 53 sets out the standard obligations for all GPAI model providers. These include maintaining technical documentation, providing information to downstream providers, publishing a summary of training data used, and complying with EU copyright law.
Article 55 applies an additional layer of obligations to GPAI models that pose systemic risk. These providers must conduct model evaluations and adversarial testing, report serious incidents to the AI Office, ensure cybersecurity protections commensurate with the risk, and report on their energy consumption.
Article 56 gives the AI Office the authority to facilitate the preparation of codes of practice, and states that following a code creates the presumption of compliance. Crucially, Article 56(9) clarifies that providers who do not follow the Code must demonstrate compliance through other means — including harmonized technical standards once those are adopted, or through documented compliance with the regulation directly.
The Four Measures of the Code
The Code structures its obligations into four thematic measures. Each measure applies differently depending on whether the provider is above or below the systemic risk threshold.
Measure 1: Transparency and Copyright
Every GPAI model provider — regardless of size or risk classification — must implement the transparency and copyright measure.
In practice, this means:
- Providing downstream providers and users with adequate information to understand the model's capabilities and limitations
- Publishing a sufficiently detailed summary of training data, including the types of data sources used and, where feasible, the geographic and temporal scope
- Having a documented copyright compliance policy that covers the provider's approach to text and data mining exceptions under EU copyright law
- Maintaining and making available a general summary of training data content for each model version
The documentation here is not a simple checklist. The AI Office expects providers to produce genuinely informative summaries — not generic statements that training data was "scraped from the internet." The Code specifies that the summary should allow downstream providers to make informed decisions about how they integrate the model into their own products.
Measure 2: Safety and Security Framework
The safety and security measure applies to all signatories and addresses both model-level safety and cybersecurity protections.
Concrete obligations under this measure include:
- Establishing internal governance procedures for identifying, assessing, and mitigating safety risks in the model development lifecycle
- Implementing cybersecurity measures appropriate to the nature and risk profile of the model
- Maintaining records of internal safety testing results
- Ensuring that deployed models include safeguards against misuse for generating harmful content categories defined in the Code
Providers must be able to demonstrate these measures through documentation. The AI Office can request this documentation under Article 88 of the Act, and the Code requires that it be maintained in a way that supports regulatory review.
Measure 3: Systemic Risk Framework
This measure applies only to models that cross the systemic risk threshold: 10²⁵ floating-point operations (FLOPs) used in training. The threshold is defined in Article 51(2) of the EU AI Act and applies regardless of whether the model has been formally designated as systemic risk by the AI Office.
For signatories above this threshold, additional obligations include:
- Conducting model evaluations against a defined set of capability categories, including assessments of potential for use in weapons of mass destruction, large-scale attacks on critical infrastructure, and offensive cyber capabilities
- Performing adversarial testing (red-teaming) against these capability categories before model deployment and at defined intervals after
- Reporting serious incidents — defined as actual or reasonably foreseeable adverse effects at scale — to the AI Office within defined timeframes
- Publishing annual safety reports covering the results of evaluations, testing findings, and any significant incidents
- Reporting energy consumption for training and inference operations
The FLOPs threshold is the key dividing line. Most models currently in production from startups and mid-size AI companies fall below 10²⁵ FLOPs and therefore face only the obligations that apply to every provider (Measures 1, 2, and 4). The frontier models from the largest providers — including those from major US labs operating in the EU — are the primary targets of Measure 3.
Measure 4: Governance Measures
The governance measure applies to all signatories and focuses on organizational accountability rather than model-specific technical requirements.
Requirements include:
- Designating a responsible function or individual with oversight of GPAI compliance
- Establishing internal policies and review procedures for model releases
- Maintaining a point of contact for the AI Office and national authorities
- Participating in the AI Office's monitoring and evaluation activities, including responding to information requests within the timeframes specified in the Code
This measure is often underestimated. It requires providers to build durable institutional processes — not just to document current models, but to establish the infrastructure needed to comply continuously as models evolve.
What Signing Actually Means
Signing the Code creates a legal presumption in your favor, but it does not eliminate your compliance obligations. Signatories are expected to implement the measures fully, not simply to declare adherence.
The AI Office has indicated it will monitor implementation through a combination of self-reporting, independent audits, and direct information requests under Article 88. Providers who sign but fail to implement may face enforcement action, and the AI Office can withdraw the presumption of compliance for providers who are found to be non-conformant.
For providers considering whether to sign, the strategic calculation is relatively straightforward. Signing gives you a structured framework with specific obligations, the presumption of compliance, and engagement with the AI Office's ongoing guidance process. Not signing means you must demonstrate compliance independently — through harmonized standards, through direct documentation of your conformity with Articles 53 and 55, or through another code of practice recognized by the AI Office.
Who Has Signed — And Who Has Not
As of publication, a substantial number of major GPAI model providers have engaged with the Code, including many of the large US-based foundation model companies that operate in the EU market. Several providers have signed with reservations on specific provisions, particularly around mandatory incident reporting timelines and the specificity of training data summaries.
Some providers have publicly stated they are evaluating the Code before signing, citing concerns about commercial sensitivity of training data disclosures and the scope of cybersecurity documentation requirements.
The strategic implication of non-signature is worth noting: non-signatories are not excused from obligations under Articles 53 and 55. They simply must demonstrate compliance through other means, which in practice requires more documentary work rather than less — because they cannot rely on the Code's structured framework as evidence of compliance.
Timelines
The GPAI obligations under Articles 53 and 55 entered into force on August 2, 2025. The Code was published on July 10, 2025, giving providers a narrow window to align their practices before the legal obligations became enforceable.
The AI Office is conducting ongoing reviews of Code implementation and has indicated it will publish updated guidance as harmonized technical standards for GPAI models are developed.
How DilAIg Supports GPAI Compliance Documentation
GPAI compliance under the Code is heavily documentation-intensive. Measures 1 through 4 all require providers to maintain structured records — from training data summaries to safety testing logs to governance procedures.
DilAIg's 50-question audit generates the technical documentation your organization needs to demonstrate compliance, structured around the specific requirements of the EU AI Act and the GPAI Code of Practice. Whether you are preparing for an AI Office information request, conducting an internal compliance review, or onboarding downstream providers who need transparency information, DilAIg gives you audit-ready documentation from a single structured process.
Start your compliance audit at dilaig.com or contact us to discuss your GPAI compliance needs.
FAQ: GPAI Code of Practice
Does signing the GPAI Code of Practice mean I am automatically compliant with the EU AI Act? No. Signing creates a rebuttable presumption of compliance with Articles 53 and 55 — but only if you actually implement the Code's measures. It does not cover other parts of the Act that may apply to your business.
What happens if my model crosses the 10²⁵ FLOPs threshold after I sign? You become subject to Measure 3 obligations, including systemic risk evaluations and incident reporting. The Code requires providers to notify the AI Office when their training compute crosses the threshold.
Can I comply with the EU AI Act without signing the Code? Yes. Article 56(9) explicitly preserves this option. You must demonstrate compliance with Articles 53 and 55 through other means — documented technical standards, internal compliance assessments, or another recognized code.
How detailed does the training data summary need to be? The Code does not specify a word count, but it requires the summary to be genuinely informative for downstream providers. Generic statements about data provenance are unlikely to satisfy this requirement. The AI Office has indicated it will scrutinize the quality of training data summaries closely.
What is the AI Office's role in enforcing the Code? The AI Office can request documentation from signatories under Article 88, conduct model evaluations under Article 89, and take measures against systemic risk models under Article 91. It can also impose fines directly on GPAI providers under Article 93.
Is the Code legally binding once signed? The Code is a voluntary instrument, but compliance with it creates legal presumptions under the AI Act. Failure to implement after signing exposes a provider to both enforcement action and loss of the compliance presumption.
Key Takeaways
- The GPAI Code of Practice was published July 10, 2025 and creates a presumption of compliance with EU AI Act Articles 53 and 55 for signatories
- The Code has four measures: transparency and copyright; safety and security; systemic risk framework; governance — the first two and fourth apply to all providers, Measure 3 only to models above 10²⁵ FLOPs
- Signing is not automatic compliance — providers must actually implement each measure and maintain the required documentation
- Non-signatories must demonstrate compliance independently, which typically requires more documentary work than following the structured Code framework
- GPAI obligations have been enforceable since August 2, 2025
- The AI Office has Article 88–93 enforcement powers and can request documentation, conduct evaluations, and impose fines directly on GPAI providers