← Back to all briefings
Policy 7 min read Published Updated Credibility 94/100

EU AI Act General-Purpose AI Codes of Practice Enter Final Drafting Phase

The European AI Office has entered the final drafting phase for Codes of Practice governing general-purpose AI models under the EU AI Act. These codes will establish concrete compliance requirements for GPAI providers including transparency obligations, copyright compliance procedures, and systemic risk mitigation measures. With finalization expected by May 2026, organizations deploying general-purpose AI models in Europe must prepare for binding obligations shaping how foundation models are documented, evaluated, and monitored. Four working groups covering transparency, copyright, risk assessment, and internal governance are producing detailed technical standards that translate the AI Act's principles into actionable requirements.

Kodi C.

Editor & Research Lead

Verified for technical accuracy — Kodi C.

Policy pillar illustration for Zeph Tech briefings
Policy, regulatory, and mandate timeline briefings

The European AI Office has moved into the conclusive drafting stage for the Codes of Practice that will govern general-purpose AI models under the EU AI Act. These codes represent the primary mechanism through which Articles 51 through 56 of the Act will translate into enforceable, day-to-day compliance requirements for providers of foundation models and large language models operating in the European market. With a finalization target of May 2026 and a compliance deadline of August 2026, the window for organizational preparation is narrowing.

Framework structure and regulatory timeline

The EU AI Act creates a layered regulatory architecture in which general-purpose AI receives its own dedicated chapter. Rather than prescribing rigid technical mandates in the legislative text, the Act delegates the creation of practical compliance standards to the Codes of Practice — a collaborative instrument drafted under the supervision of the European AI Office with input from industry, academia, civil society, and member-state authorities.

Four working groups have been meeting since September 2024. Working Group 1 addresses transparency and the provision of technical information to downstream deployers. Working Group 2 tackles copyright-related obligations, including training-data documentation. Working Group 3 focuses on systemic-risk identification and mitigation for models classified as high-capability. Working Group 4 develops internal governance frameworks and organizational accountability structures. Each group has produced iterative drafts refined through over 1,000 stakeholder submissions across three formal consultation rounds.

The codes are designed as safe-harbor provisions: providers that demonstrably comply will benefit from a presumption of conformity with the Act's GPAI requirements. This structure creates strong market incentives for adoption and establishes the codes as de facto binding standards even before formal enforcement begins.

The third draft, published in November 2025, introduced more prescriptive technical standards for model evaluation and clearer thresholds for systemic-risk classification. A fourth and final consultation round opened in January 2026, with responses due by mid-February. The AI Office has indicated that the final text will incorporate feedback from this round before formal adoption.

Transparency and documentation obligations

Transparency sits at the heart of the GPAI codes. Providers must prepare and maintain detailed technical documentation covering model architecture, training methodology, computational resources consumed during training, and performance benchmarks across standardized evaluation suites. This documentation must be available to the AI Office on request and, in a summarized form, to downstream deployers who integrate the model into their own products.

A publicly available summary of training-data content is also required. Providers must describe data sources with enough granularity to allow copyright holders to determine whether their protected works may have been used. This obligation has generated intense debate: providers argue that excessive detail could expose proprietary training pipelines, while rights-holders and civil-society groups press for meaningful transparency rather than vague categorical descriptions.

Standardized model cards are the recommended documentation vehicle. The codes specify minimum elements: performance metrics across relevant benchmarks, known failure modes, energy consumption during training and inference, and recommended safety measures for deployment. Energy-reporting requirements align with the EU's Corporate Sustainability Reporting Directive, creating a cross-regulatory link between AI governance and environmental disclosure.

Article 53 of the AI Act requires GPAI providers to respect EU copyright law, including the text-and-data-mining opt-out established by the Digital Single Market Directive. The codes elaborate on what this means in practice. Providers must implement technical measures to detect and honor opt-out signals expressed through machine-readable protocols such as robots.txt, the TDMRep metadata standard, and emerging AI-specific headers.

Detailed record-keeping is mandated: providers must maintain logs demonstrating that opt-out signals were identified and processed within specified timelines. These records must be available for regulatory review. The codes also introduce a complaint-and-redress mechanism through which copyright holders can raise concerns about unauthorized use of their works. Providers must establish accessible channels, acknowledge inquiries within five business days, and provide substantive responses within 30 calendar days.

Training-data provenance documentation must be detailed enough to support meaningful copyright assessment without requiring full dataset disclosure. The balance struck in the third draft favors categorical descriptions supplemented by statistical summaries — for example, the proportion of training data sourced from licensed datasets, public-domain works, and web-crawled content. Providers may protect genuinely proprietary methodological details under trade-secret provisions, but the burden of justification falls on the provider.

Systemic risk provisions for high-capability models

Models exceeding 10^25 floating-point operations in cumulative training compute are presumed to present systemic risks and face additional obligations. The AI Office retains discretion to classify further models based on capability assessments independent of the compute threshold — a provision designed to capture future architectures that achieve high capability through efficiency improvements rather than raw scale.

Systemic-risk providers must conduct structured risk assessments evaluating potential negative impacts on public health, safety, fundamental rights, democratic processes, and critical infrastructure. The codes prescribe specific evaluation methodologies: red-teaming exercises covering chemical, biological, radiological, and nuclear scenarios; adversarial testing for jailbreak resistance; and scenario analyses addressing foreseeable misuse such as disinformation generation, non-consensual intimate imagery, and cyber-offense tool creation.

Incident-reporting obligations require notification to the AI Office within 72 hours of a serious incident. Providers must also maintain internal tracking systems and conduct post-incident reviews. Ongoing monitoring mandates continuous evaluation of model behavior in deployed contexts, including tracking emergent capabilities and misuse patterns reported by downstream deployers.

Implications for providers and deployers

GPAI providers face significant compliance investments. Building and maintaining technical documentation systems, copyright-compliance infrastructure, and continuous monitoring pipelines requires dedicated headcount and tooling. Early movers that invested in responsible-AI governance during 2024 and 2025 are better positioned; organizations that deferred preparation face compressed timelines and higher costs.

Downstream deployers benefit from improved transparency. Standardized model cards reduce information asymmetries, enabling more informed risk assessments and facilitating deployers' own obligations under the Act's risk-based classification system. Deployers should actively engage their GPAI suppliers to understand what documentation will be available and on what timeline.

The Brussels effect is already visible: several major U.S.-based GPAI providers have indicated they will apply code-compliant practices globally rather than maintaining separate governance regimes for different markets. This spillover strengthens the codes' influence well beyond the EU's borders and may set a de facto global baseline for GPAI governance.

Competitive dynamics may shift as compliance costs create barriers for smaller providers. The codes include proportionality provisions — simplified pathways for lower-risk models — but the fundamental burden remains substantial for any provider whose model crosses the systemic-risk threshold.

GPAI providers should complete gap assessments comparing current documentation and governance practices against the third draft's requirements. Priority areas include training-data provenance records, copyright opt-out processing infrastructure, and model-evaluation documentation. Organizations that have not yet implemented machine-readable opt-out recognition should begin technical development immediately.

Downstream deployers should audit their GPAI supply chains and open discussions with providers about forthcoming documentation. Understanding what information will be available under the codes helps deployers build their own compliance frameworks and anticipate regulatory inquiries.

Legal teams across the GPAI value chain should submit responses to the fourth consultation round before the mid-February deadline. Organizational input at this stage can still influence the final text on practical implementability questions.

All affected organizations should monitor the AI Office's publication calendar closely. The finalized codes will be accompanied by implementation guidance that clarifies ambiguities in the regulatory text — guidance that may materially affect compliance strategies.

Assessment and outlook

The GPAI Codes of Practice are among the most consequential regulatory instruments in the global AI governance environment. By converting the AI Act's high-level principles into concrete technical and organizational requirements, they define the practical framework through which the world's first thorough AI regulation will operate for foundation-model providers.

The iterative, multi-stakeholder drafting process has produced requirements that are more nuanced and implementable than early observers expected, but the compressed preparation window between code finalization and the compliance deadline will test organizational readiness. Providers that treat the codes as a compliance-checkbox exercise risk falling behind competitors that embed the underlying principles into genuine governance practice.

Looking ahead, the codes' real impact will depend on consistent interpretation and credible enforcement by the AI Office. With a small but growing staff and limited precedent, the Office faces a steep learning curve. Its early enforcement signals — expected in late 2026 — will set the tone for the regulatory relationship between the EU and the global GPAI industry for years to come.

See also

Selected articles on related subjects.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • AI Policy Implementation Guide

    Coordinate governance, safety, and reporting programmes that meet EU Artificial Intelligence Act timelines and U.S. National AI Initiative Act mandates while sustaining product…

  • Digital Markets Compliance Guide

    Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

  • Semiconductor Industrial Strategy Policy Guide

    Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

Coverage intelligence

Published
Coverage pillar
Policy
Source credibility
94/100 — high confidence
Topics
EU AI Act · General-Purpose AI · Codes of Practice · AI Regulation · GPAI Compliance · European AI Office
Sources cited
3 sources (artificialintelligenceact.eu, digital-strategy.ec.europa.eu, euractiv.com)
Reading time
7 min

Cited sources

  1. EU AI Act — General-Purpose AI Model Obligations (Article 51) — artificialintelligenceact.eu
  2. AI Office Launches Drafting of Codes of Practice for General-Purpose AI — ec.europa.eu
  3. GPAI Code of Practice: Third Draft and Stakeholder Reactions — euractiv.com
  • EU AI Act
  • General-Purpose AI
  • Codes of Practice
  • AI Regulation
  • GPAI Compliance
  • European AI Office
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.