Codes of practice under the EU AI Act provide GPAI model providers with a structured compliance pathway. Developed under AI Office facilitation, these codes cover transparency, copyright, and risk identification. Adherence to an approved code creates a presumption of conformity with GPAI obligations, offering legal certainty for providers.
EU AI Act GPAI Codes of Practice: Industry Standards for Compliance
Purpose of Codes of Practice in the GPAI Framework
The EU AI Act (Regulation (EU) 2024/1689) establishes codes of practice as a central mechanism for implementing GPAI model obligations. Rather than prescribing every detail of compliance in the regulation itself, the Act delegates the development of practical standards to a collaborative process involving industry, civil society, academia, and the AI Office.
This approach reflects a deliberate regulatory design choice. GPAI technology evolves rapidly, and detailed technical requirements written into legislation would risk becoming outdated before they can be effectively applied. Codes of practice provide the flexibility to adapt compliance standards as technology, best practices, and understanding of risks develop over time.
Under Article 56, the AI Office is tasked with encouraging and facilitating the drawing up of codes of practice at Union level. These codes are intended to contribute to the proper application of the GPAI obligations set out in Articles 53 and 55, covering both baseline transparency requirements and the additional obligations for systemic risk models.
The codes of practice are not optional guidelines or aspirational recommendations. They carry specific legal significance within the regulatory framework, creating a presumption of conformity that provides a direct compliance pathway for GPAI model providers.
Development Process and AI Office Facilitation
The development of codes of practice follows a structured process facilitated by the AI Office. The AI Office invites GPAI model providers, downstream providers of AI systems, and other relevant stakeholders to participate in the drafting process. The invitation is open, and the AI Office actively seeks diverse participation to ensure that the codes reflect a range of perspectives and expertise.
The drafting process involves several stages. Initial consultations establish the scope and structure of the codes. Working groups develop specific provisions covering different aspects of GPAI compliance. Draft codes are circulated for comment, revised based on feedback, and ultimately published by the AI Office.
The AI Office plays a facilitation role rather than an authorship role. The codes are developed by stakeholders, but the AI Office provides coordination, ensures consistency with the regulation, and may intervene when the drafting process stalls or produces provisions that are inconsistent with the Act's objectives.
Civil society organisations, academic researchers, and downstream providers play an important role in the development process. Their participation ensures that codes of practice are not captured by the interests of large GPAI model providers and that the perspectives of affected communities, rightsholders, and users are represented.
Scope: Transparency, Copyright, and Risk Identification
Codes of practice cover three primary areas corresponding to the main GPAI obligations under the Act.
On transparency, codes of practice provide detailed guidance on the content and format of technical documentation, the level of detail required in training data summaries, and the methods for making information available to downstream providers. They may specify standardised formats for model cards, documentation templates, and information-sharing protocols that facilitate interoperability across the AI ecosystem.
On copyright, codes of practice address the practical implementation of copyright compliance obligations. They may specify methods for identifying and respecting rightsholders' opt-out signals, standards for monitoring data sources for rights reservations, and procedures for handling copyright-related inquiries. Given the complexity of copyright law across EU Member States, codes of practice play an important role in providing clarity on how the general obligation translates into specific operational practices.
On risk identification, codes of practice are particularly important for systemic risk models. They provide methodologies for model evaluation, frameworks for adversarial testing, protocols for incident tracking and reporting, and standards for cybersecurity protection. For systemic risk obligations, codes of practice serve as the primary source of detailed compliance guidance, filling the gap between the high-level obligations in Article 55 and the operational reality of managing frontier AI models.
Presumption of Conformity
The most significant legal feature of codes of practice is the presumption of conformity they create. Under the EU AI Act, a GPAI model provider who adheres to an approved code of practice is presumed to be in conformity with the corresponding regulatory obligations. This presumption is rebuttable, meaning it can be challenged if evidence shows that the provider is not actually meeting the underlying obligation despite formal adherence to the code.
The presumption of conformity provides legal certainty for providers. Rather than having to demonstrate compliance with broadly worded regulatory obligations on a case-by-case basis, providers can point to their adherence to a specific, detailed code of practice as evidence of compliance. This reduces regulatory uncertainty and provides a clear standard against which compliance can be measured.
However, the presumption is not absolute. If the AI Office determines that a code of practice is insufficient to ensure compliance with the regulation, or if a provider's adherence to the code is superficial rather than substantive, the presumption may not protect the provider from enforcement action. Providers should treat codes of practice as minimum standards rather than safe harbours.
Relationship to Harmonised Standards
The EU AI Act also provides for harmonised standards as a compliance mechanism, separate from codes of practice. Harmonised standards are developed by European standardisation organisations (CEN, CENELEC, ETSI) upon request from the European Commission and carry their own presumption of conformity.
For GPAI models, the relationship between codes of practice and harmonised standards is complementary. Codes of practice are expected to be developed more quickly and to be more adaptable to technological change. Harmonised standards, when they become available, may provide a more formal and potentially more detailed compliance framework.
Where both a code of practice and a harmonised standard cover the same obligation, a provider may choose which to follow. The presumption of conformity applies in either case. In practice, codes of practice are likely to be the primary compliance mechanism for GPAI obligations in the near term, with harmonised standards potentially supplementing or replacing them as the regulatory framework matures.
Current Status and Timeline
The development of GPAI codes of practice has been underway since late 2024. The AI Office issued its first invitations to stakeholders in the autumn of 2024, and working groups were established to address the main areas of GPAI compliance.
As of mid-2025, draft codes are in advanced stages of development. The initial codes address the baseline transparency obligations under Article 53, including technical documentation standards, training data summary templates, and copyright compliance procedures. Separate provisions address the additional obligations for systemic risk models under Article 55, covering adversarial testing methodologies, incident reporting protocols, and cybersecurity standards.
The target date for having operational codes of practice is aligned with the August 2, 2025 applicability date for GPAI provisions. However, the codes are expected to evolve continuously as experience accumulates and technology develops. The AI Office may revise or supplement existing codes based on implementation experience, enforcement activity, and technological change.
Multiple rounds of public consultation have been conducted, and the AI Office has published progress reports on the development process. Stakeholders who wish to participate in future iterations of the codes can register their interest with the AI Office through its official communication channels.
How Organisations Can Participate
Active participation in the codes of practice development process offers several benefits for organisations. Participants can influence the content of compliance standards, gain early insight into regulatory expectations, and build relationships with the AI Office and other stakeholders.
GPAI model providers, downstream AI system providers, civil society organisations, academic researchers, and industry associations are all eligible to participate. The AI Office has established a registration process for stakeholders who wish to join working groups or provide written input to the drafting process.
Even organisations that are not directly subject to GPAI obligations may benefit from participation. Downstream providers who integrate GPAI models into their products can influence the information-sharing requirements that affect their own compliance. Civil society organisations can advocate for transparency standards that serve the public interest. Academic researchers can contribute technical expertise on evaluation methodologies and risk assessment frameworks.
Monitoring the codes of practice development process is essential for any organisation that develops, deploys, or is affected by GPAI models in the European market. The codes will define the practical meaning of GPAI compliance for years to come, and early engagement provides the best opportunity to ensure that the standards are workable, effective, and aligned with organisational capabilities.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.