Article 95 of the EU AI Act directs the AI Office and Member States to encourage and facilitate voluntary codes of conduct under which providers and deployers of AI systems that are not high-risk apply some or all of the high-risk requirements, along with commitments on ethics, environmental sustainability, AI literacy and inclusive design. Codes of conduct are voluntary, distinct from the GPAI codes of practice, and increasingly function as trust signals in procurement.
EU AI Act Article 95: Voluntary Codes of Conduct for Non-High-Risk AI
Overview: The Voluntary Layer of the AI Act
Most discussion of the EU AI Act concentrates on its mandatory tiers — prohibited practices, high-risk requirements, transparency duties and the general-purpose AI regime. Article 95 governs everything underneath: the vast majority of AI systems that carry no specific obligations beyond existing law. Rather than leaving that territory unregulated, the legislator built a voluntary architecture. Article 95(1) directs the AI Office and the Member States to encourage and facilitate the drawing up of codes of conduct, including related governance mechanisms, intended to foster the voluntary application to non-high-risk AI systems of some or all of the mandatory requirements that apply to high-risk systems — adapted in light of the intended purpose and lower risk, and taking into account available technical solutions and industry best practices such as model and data cards. It is the regulation's bet that quality practices will spread by market pressure where legal pressure ends.
What Codes of Conduct Can Contain
Article 95(2) extends the menu beyond the high-risk requirements. Codes of conduct may cover voluntary commitments concerning, among other things:
- Elements of the Union's ethics guidelines for trustworthy AI
- Assessing and minimising the impact of AI systems on environmental sustainability, including energy-efficient programming and techniques for the efficient design, training and use of AI
- Promoting AI literacy, in particular for persons dealing with the development, operation and use of AI
- Facilitating inclusive and diverse design of AI systems, including through inclusive and diverse development teams and the promotion of stakeholder participation in the process
- Assessing and preventing negative impacts on vulnerable persons or groups, including persons with disabilities, and on gender equality
Article 95(3) opens authorship widely: codes may be drawn up by individual providers or deployers, by organisations representing them, or both, with the involvement of any interested stakeholders including civil society and academia, and may cover one or several AI systems. Article 95(4) requires the AI Office and Member States, when encouraging codes, to take into account the specific interests and needs of SMEs, including start-ups.
Codes of Conduct Are Not Codes of Practice
Terminology in the AI Act is treacherous here, and conflating two instruments produces real planning errors. Codes of practice under Article 56 belong to the general-purpose AI regime: facilitated by the AI Office, they operationalise the binding Chapter V obligations of GPAI model providers, and adherence to them is a recognised way to demonstrate compliance with mandatory duties until harmonised standards exist. Codes of conduct under Article 95 are the opposite construction: they attach voluntary commitments to systems that have no specific mandatory duties under the regulation. Signing a code of conduct does not create a presumption of conformity with anything, and declining to sign one breaches nothing. The commercial layer is different too — codes of conduct are where industry consortia, sector associations and large buyers will define what responsible AI means in territory the law deliberately left open.
Why Voluntary Codes Will Matter Commercially
Three forces give Article 95 codes practical weight despite their voluntary nature. First, procurement: enterprise and public buyers need a vocabulary for AI quality below the high-risk threshold, and adherence to a recognised code of conduct is cheaper to evaluate than a bespoke questionnaire — expect tenders to reference codes the way they reference security frameworks today. Second, classification insurance: a provider whose system sits near an Annex III boundary, or who relies on the Article 6(3) derogation, dramatically improves its position by voluntarily operating high-risk-grade controls; if reclassification ever comes, the gap to close is small, and the documented practices weigh well with any authority reviewing the file. Third, litigation and reputation: in disputes about AI-caused harm under general liability law, adherence to — or deviation from — a published code of conduct is exactly the kind of evidence courts use to construct the standard of care. Voluntary does not mean consequence-free; it means the consequences arrive through markets and courts instead of regulators.
Who Should Consider Adopting or Drafting a Code
Providers of borderline systems and deployers in sensitive-but-not-listed contexts are the natural adopters: productivity tools that touch workplace behaviour without crossing into Annex III point 4, marketing personalisation systems near the manipulation boundary, wellness applications adjacent to health. Sector associations have the strongest drafting position — a code written by the organisations that understand a domain's failure modes will be more credible and more proportionate than externally imposed templates. SMEs should engage rather than wait: Article 95(4)'s SME clause exists because the legislator understood that codes written exclusively by large incumbents become barriers to entry dressed as ethics. And multinationals should note the export logic: a single internal code aligned with Article 95's menu can serve as the global baseline policy that satisfies the strictest market and simplifies every other one.
Practical Steps
- Inventory the systems you operate that carry no specific AI Act obligations, and identify those where failures would nonetheless harm people, reputation or customer trust
- Select code elements proportionately: data governance, logging and human oversight typically yield the most protection per unit of effort for non-high-risk systems
- Borrow the instruments the article itself names — model cards and data cards are cheap, standardised and increasingly expected by enterprise customers
- Publish what you adopt: an unpublished code is an internal policy; a published one is a market signal and a commitment device
- Join or monitor sector code initiatives, and budget modest engagement time — the drafts circulating now will harden into the procurement baseline of the next several years
- Review adopted codes annually against guidance from the AI Office and the European AI Board, which will assess and may evaluate the effectiveness of codes over time
Concrete Example
A vendor sells an AI meeting assistant that transcribes, summarises and assigns action items. Nothing in it is high-risk: no Annex III category fits, and transparency duties under Article 50 are satisfied by disclosure that users interact with AI outputs. Competing in enterprise sales, the vendor adopts a code of conduct: it applies Article 10-style data governance to its training pipeline, publishes a model card describing capabilities and limitations, implements Article 12-style logging, commits to energy-efficient training practices, and trains its staff under an AI literacy programme. None of this was required. All of it surfaces in the next procurement cycle, where a financial services buyer's vendor assessment maps directly onto the code's commitments — and the vendor closes against competitors offering assurances instead of artefacts. The code cost weeks of engineering; the differentiation persists for years.
Action Before August 2, 2026
The regulation asked the AI Office and Member States to have encouragement and facilitation mechanisms in motion, and sector initiatives are forming around the deadline's gravity. The practical move is to position deliberately: decide which of your systems deserve voluntary controls, adopt the highest-value elements now, and engage with one code initiative in your sector rather than monitoring all of them passively. When the high-risk regime fully applies on August 2, 2026, the market's attention will swing to the question Article 95 answers — what does responsible AI look like below the mandatory threshold — and the organisations holding published, operating codes of conduct will be the reference points everyone else is measured against.
Designing a Code That Actually Works
The difference between a code of conduct that protects and one that decorates lies in three design choices. First, falsifiability: commitments should be written so that an outside reviewer could check them — "we log all model inferences for ninety days" is verifiable; "we take fairness seriously" is not. Vague codes create reputational exposure without protective value, because they invite the accusation of ethics washing while offering nothing a court or buyer can credit. Second, governance: the article speaks of codes "including related governance mechanisms", and that phrase deserves weight — name an owner, set a review cadence, define what happens when a commitment is breached internally, and record the exceptions. A code with no enforcement mechanism inside the organisation is a press release. Third, proportionality: adopt fewer commitments and keep them, rather than transplanting the full high-risk catalogue onto a low-risk product and abandoning it by the second quarter. The regulation itself models this attitude, repeatedly adjusting expectations to the size of the operator and the risk of the system. Organisations drafting their first code should start from their actual failure modes — what has gone wrong, or nearly gone wrong, with their AI in the past two years — and write the commitments that would have prevented those incidents. That grounding produces codes that engineering teams respect, buyers trust and authorities read as evidence of a functioning quality culture rather than an aspiration document.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.