Skip to content

GPAI Code of Practice

The General-Purpose AI Code of Practice is a voluntary tool prepared under the facilitation of the European Commission's AI Office pursuant to Article 56 of Regulation (EU) 2024/1689 (AI Act), and aimed at giving practical effect to the obligations under Articles 53 and 55 of the AI Act for providers of general-purpose AI models.

Adherence to the Code constitutes for GPAI providers an "adequate voluntary tool to demonstrate compliance" with the AI Act — according to the formulation adopted by the Commission and the Member States on 1 August 2025. It does not amount to a presumption of conformity in the technical sense — that status is reserved, under Article 40 of the AI Act, to European harmonised standards whose adoption is still ongoing (CEN-CENELEC mandate).

Identifiers

Field Value
Full denomination General-Purpose AI Code of Practice
Facilitator European Commission — AI Office
Legal basis Article 56 of Regulation (EU) 2024/1689 (AI Act)
Version Final version of 10 July 2025
Adequacy confirmation 1 August 2025, Commission + AI Board + Member States
Official languages All EU official languages (24 languages)
Adherence Voluntary — non-signatory providers must demonstrate compliance through alternative adequate means
Signature procedure Signatory Form to be sent to EU-AIOFFICE-CODE-SIGNATURES@ec.europa.eu
Coordination Signatory Taskforce, chaired by the AI Office, with operational Vademecum

Structure

The Code is organised in three chapters addressed to different recipients:

Chapter Recipients AI Act provision implemented
Transparency All providers of GPAI models Art. 53(1), points (a) and (b) + Annex XI + Annex XII
Copyright All providers of GPAI models Art. 53(1), point (c)
Safety and Security Providers of GPAI with systemic risk Art. 55

The Code is supplemented by:

  • Commission Guidelines on the scope of GPAI obligations (18 July 2025), clarifying the Commission's interpretation of key concepts (GPAI, provider, placing on the market, significant modifications, open-source exemption);
  • Official Template for the publication of the summary about the content used for training under Art. 53(1), point (d) of the AI Act (24 July 2025) — a directly binding obligation, distinct from the measures of the Code;
  • Official Q&As ("GPAI Q&A" and "Code of Practice Q&A") published by the AI Office;
  • EU SEND platform, the official channel for the submission of documents to the AI Office (in particular Safety and Security Frameworks and Model Reports for providers of GPAI with systemic risk).

Scope of application

Recipients

The Code is addressed to providers of GPAI models within the meaning of Article 3(63) of the AI Act. The Commission Guidelines of 18 July 2025 set out an indicative operational criterion:

A model is considered a GPAI if its training compute exceeds 10²³ FLOP and it is capable of generating language (text or audio), text-to-image, or text-to-video.

Providers of GPAI with systemic risk are additional recipients of the Safety and Security Chapter. Under Article 51 of the AI Act, a model is presumed to pose systemic risks if its training compute exceeds 10²⁵ FLOP. Such providers have the additional obligation to notify the Commission within two weeks of meeting (or becoming aware that they will meet) such threshold, under Article 52(1) of the AI Act.

Open-source exemption

Under Article 53(2) of the AI Act, the documentation obligations under Art. 53(1), points (a) and (b), do not apply to providers releasing models under a free and open-source licence with parameters (including weights), architecture and usage information publicly available. The exemption does not apply to GPAI with systemic risk, which remain fully subject to the obligations of Art. 55 of the AI Act.

Material scope

The Code specifically implements:

  • the obligations of transparency and documentation (Art. 53(1), points (a)-(b));
  • the obligations on copyright (Art. 53(1), point (c));
  • the specific obligations for providers of GPAI with systemic risk (Art. 55).

The Code does not replace the Regulation, does not replace harmonised standards once published, and does not affect obligations arising from other EU acts — in particular GDPR, Data Act, and Directive (EU) 2019/790 on copyright in the Digital Single Market.

Application status and timeline

Date Event
1 August 2024 AI Act enters into force
10 July 2025 Final version of the Code published by the AI Office
18 July 2025 Commission Guidelines on the scope of GPAI obligations published
24 July 2025 Official Template for the summary of training data published
1 August 2025 Adequacy of the Code confirmed by Commission, AI Board and Member States
2 August 2025 GPAI obligations enter into application (Articles 53 and 55 AI Act)
2 August 2026 Commission's enforcement powers enter into application (including penalties)
2 August 2027 Compliance deadline for GPAI models already on the market before 2 August 2025

For signatories:

  • adherence constitutes a means to demonstrate compliance with Articles 53 and 55 of the AI Act;
  • reduced administrative burden and increased legal certainty;
  • the AI Office focuses its supervisory activity on monitoring adherence to the Code;
  • adherence may be considered as a mitigating factor when determining administrative fines under Article 101 of the AI Act.

For non-signatories:

  • obligation to demonstrate compliance through alternative adequate means;
  • subjection to a larger number of requests for information and requests for access by the AI Office, including requests for gap analysis comparing measures with those of the Code;
  • enforcement not facilitated by structured cooperation with the AI Office.

Formal status

The Code was confirmed as an adequate tool by the Commission, the AI Board and the Member States on 1 August 2025. The consolidation by way of a formal implementing act under Article 56(6) of the AI Act, which could grant the Code general validity within the Union, remains an element still being defined in actual practice.

Cross-references with the regulatory system

With the AI Act

Reference AI Act provision Subject
Legal basis of the Code Art. 56 Drawing-up of the Code by the AI Office; possible approval by implementing act
Application recital Recital 117 Function of the Code as a central compliance tool pending harmonised standards
Definition of GPAI provider Art. 3(3) and (63) Recipients of the Code
Transparency obligations Art. 53(1), points (a)-(b) + Annexes XI and XII Transparency Chapter of the Code
Copyright obligations Art. 53(1), point (c) Copyright Chapter of the Code
Training data summary obligation Art. 53(1), point (d) Directly binding obligation, implemented by the Commission's Template (not the Code)
Open-source exemption Art. 53(2) Exclusion from documentation obligations for non-systemic open-source models
Systemic risk threshold Art. 51 Trigger for the Safety and Security Chapter
Notification obligation for systemic models Art. 52(1) Notification to the Commission within two weeks of meeting the threshold
Systemic risk obligations Art. 55 Safety and Security Chapter of the Code
Harmonised standards Art. 40 Instrument that, once published, will provide presumption of conformity
Administrative fines Art. 101 Adherence to the Code may be relevant as a mitigating factor

With the GDPR

The Code does not replace GDPR obligations. When GPAI providers process personal data during training, fine-tuning, deployment or inference, Regulation (EU) 2016/679 applies in full (cf. GDPR fact sheet, section "Cross-references with the AI Act"). In particular:

  • the documentation required by the Transparency Chapter is complementary to the records of processing activities under Art. 30 GDPR and to the privacy notices under Arts. 13-14 GDPR;
  • the Copyright Chapter policy interacts with the legal bases for processing under Art. 6 GDPR and with the opt-out reservations from text and data mining under Art. 4 of Directive (EU) 2019/790;
  • signatories of the Safety and Security Chapter remain subject to GDPR security obligations under Art. 32 GDPR and to data protection impact assessments under Art. 35 GDPR.

With the Data Act

The Code does not regulate access to training data generated by connected products (Data Act perimeter). GPAI providers who are also data holders within the meaning of the Data Act remain subject to data access and portability obligations regardless of adherence to the Code.

The Copyright Chapter of the Code gives practical effect to Art. 53(1), point (c), of the AI Act, which presupposes compliance with the opt-out reservations from text and data mining established by Article 4 of Directive (EU) 2019/790 on copyright in the Digital Single Market. In December 2025 the Commission launched a public consultation on machine-readable rights reservation protocols, implementing Measure 1.3 of the Copyright Chapter.

Relationship with harmonised standards

The AI Act provides for a gradual transition from the Code to European harmonised standards:

  1. Current phase (2025-) — Code of Practice as the main compliance tool for GPAI providers, in the absence of published harmonised standards;
  2. Transitional phase — Coexistence of Code + harmonised standards as they are published;
  3. Final phase — Harmonised standards as the main instrument, capable of granting presumption of conformity under Art. 40 of the AI Act; the Code may remain as a complementary operational reference.

Harmonised standards are being developed at CEN-CENELEC under the Commission's mandate (cf. Standards fact sheet of the website).

Official sources

Section index

Last revision: 27 April 2026