1. What the GPAI Code of Practice Is: Voluntary Compliance Pathway Under Article 56
Article 56 of the EU AI Act mandates the EU AI Office to facilitate the development of a GPAI Code of Practice. The Code is formally voluntary — no provision of the EU AI Act requires a GPAI provider to sign it. However, the Code's legal effect makes voluntary non-participation a costly choice.
Under Article 56(2), compliance with the Code of Practice creates a presumption of conformity with the corresponding Chapter V obligations. This presumption means that a market surveillance authority or the EU AI Office cannot simply assert non-compliance — it must rebut the presumption by demonstrating specific Code provisions were not followed. For a signatory with well-documented compliance, this is a very high bar to clear.
The Code is not a certification scheme — there is no independent audit or certification body. Instead, signatories self-attest to implementation of the Code's measures and document their compliance. The EU AI Office can verify implementation through its Article 68 investigation powers and can exclude providers from the presumption of conformity if their documented implementation is found inadequate.
Practical reality: For large GPAI providers deploying into EU markets, the GPAI Code of Practice is the de facto compliance standard. The EU AI Office designed it in close consultation with industry specifically to provide a workable compliance pathway. A major provider choosing not to sign would face substantial uncertainty about whether its alternative compliance measures will be accepted — uncertainty that most legal and compliance teams cannot tolerate.
2. Timeline: Drafting Process August 2024 – May 2025, Operational August 2025
EU AI Office launches Code of Practice drafting process. Call for participants issued. Four working groups established with multi-stakeholder membership: AI providers, deployers, civil society, academic researchers, national authorities.
First drafts of working group outputs published for public consultation. EU AI Office receives over 400 written submissions. First plenary session held in Brussels.
Second drafts published incorporating consultation feedback. Working groups on Safety/Security and Copyright produce most significant revisions following industry pushback on training data disclosure requirements.
Third and near-final drafts published. EU Parliament and Council observers provide formal observations. Systemic risk model provisions strengthened following academic input on adversarial testing methodology.
Final GPAI Code of Practice published by EU AI Office. Signatory window opens. Major providers begin internal sign-off processes.
Code of Practice becomes operational simultaneously with GPAI chapter (Chapter V) applicability under the EU AI Act. Providers who have signed benefit from presumption of conformity from this date.
First annual revision cycle. Working groups reconvene to assess implementation experience and propose amendments. High-risk AI provisions and Code of Practice reviewed in parallel.
3. Four Working Groups: What Each Covers
The GPAI Code of Practice was structured around four working groups, each addressing a distinct compliance domain. Each working group produced sector-specific guidance documents, measurement frameworks, and implementation templates that are incorporated by reference into the Code.
Transparency
Arts. 13, 53(1)(a), 53(1)(c)Technical documentation standards for GPAI models, the specific content required in Annex XI, and the format and content of information packages provided to downstream providers and deployers. WG1 produced the Transparency Template — a standardized documentation format adopted by all major signatories — and the Downstream Information Package specification.
Copyright
Arts. 53(1)(d), TDMA DirectiveMethodology for publishing training data copyright compliance summaries, standards for handling rights-holder opt-out requests, record-keeping requirements for training data provenance, and procedures for responding to infringement allegations. WG2 produced the most contentious Code provisions, with final text requiring a 'machine-readable training data summary' rather than the broader 'all training sources' disclosure initially proposed.
Risk Assessment
Arts. 9, 51, 55(1)(a)Methodology for identifying, evaluating, and documenting GPAI model risks including output accuracy, bias, dual-use potential, cybersecurity vulnerabilities, and capability thresholds. WG3 produced the GPAI Risk Assessment Framework — a structured methodology adopted as the standard approach for Code compliance and referenced by TraceGov.ai's GPAI risk module.
Safety and Security
Arts. 55(1)(b), 55(1)(c), 55(1)(d)Adversarial testing (red-teaming) requirements for systemic risk models, incident detection and reporting procedures, notification obligations to the EU AI Office under Article 55, cybersecurity measures including model integrity protection, and energy consumption reporting methodology. WG4 provisions apply primarily to systemic risk GPAI providers but include baseline safety measures for all signatories.
4. What Signing Means: Presumption of Conformity with Chapter V Obligations
Signing the GPAI Code of Practice is a public commitment by the GPAI provider to implement all Code measures within the timelines specified for each provision. The signing creates three distinct legal effects:
Presumption of conformity
Article 56(2) creates a rebuttable presumption that the signatory complies with the corresponding Chapter V obligations. Market surveillance authorities cannot presume non-compliance — they must demonstrate specific Code provision failures. This shifts the burden of proof significantly in enforcement proceedings.
EU AI Office cooperation status
Signatories gain preferred cooperation status with the EU AI Office, including advance notification of planned enforcement actions, consultation on regulatory clarifications, and access to the EU AI Office's technical expert network for compliance questions.
Commitment to annual review participation
Signatories commit to participating in the annual Code revision process through their relevant working group. This gives signatories a structural voice in shaping future Code requirements — a significant strategic advantage over non-signatories who are subject to revised requirements without having shaped them.
5. Who Has Signed: Major Provider Status as of March 2026
| Provider | Status | Signed Date | Notes |
|---|---|---|---|
| OpenAI | Signed | August 2025 | Full signatory; reservations noted on WG2 copyright summary granularity |
| Google DeepMind | Signed | August 2025 | Full signatory; active WG3 and WG4 participant |
| Anthropic | Signed | August 2025 | Full signatory; no reservations |
| Meta AI | Signed with reservations | September 2025 | Reservation on open-source model applicability to WG4 provisions |
| Microsoft | Signed | August 2025 | Signed as deployer and downstream provider; Azure AI services |
| Mistral AI | Signed | August 2025 | Full signatory; active WG1 participant |
| Cohere | Signed | October 2025 | Full signatory |
| Aleph Alpha | Signed | August 2025 | Full signatory; only EU-headquartered major signatory |
| Stability AI | Signed | November 2025 | Signed post-restructuring |
The EU AI Office maintains the authoritative public register at ec.europa.eu/ai-office. As of March 2026, 147 organizations have signed in full and 23 have signed with stated reservations on specific provisions.
6. What Happens If You Don't Sign: Alternative Compliance Pathway and Its Burden
Article 56(4) explicitly states that non-signatories may comply with Chapter V through “other means.” This alternative pathway is legally available but practically demanding. The EU AI Office's compliance guidance (published January 2026) clarifies the alternative pathway requirements:
Equivalent documentation
Non-signatories must produce documentation demonstrating compliance with each Chapter V obligation to at least the standard established by the Code of Practice for that obligation. There is no shortcut — every obligation must be individually addressed.
Proactive submission
Non-signatories must proactively submit their compliance documentation to the EU AI Office on the same schedule that Code signatories report on Code implementation — annually. Failure to submit is treated as an indicator of potential non-compliance.
Higher scrutiny threshold
The EU AI Office has stated that alternative pathway compliance will receive closer scrutiny than Code compliance. Where the Code establishes a defined methodology for an obligation (e.g., the GPAI Risk Assessment Framework), a non-signatory using a different methodology must justify why that methodology is equivalent.
No presumption benefit
In enforcement proceedings, non-signatories cannot invoke the Article 56(2) presumption of conformity. Enforcement starts from a neutral position rather than a presumption of compliance.
7. Review and Update Cycle: Annual Revision Process
Article 56(5) requires the EU AI Office to review the GPAI Code of Practice annually and update it as necessary to reflect technological and regulatory developments. The annual revision process follows a defined structure:
- EU AI Office issues annual review report analysing implementation experience from the previous year
- Working groups reconvene with updated membership to propose amendments based on implementation challenges and new regulatory guidance
- Proposed amendments go to public consultation (minimum 4 weeks)
- EU AI Office reviews consultation responses and issues revised Code
- Signatories have 90 days to update their compliance implementations to reflect changes
- Non-signatories on the alternative pathway must update their documentation on the same 90-day timeline
TraceGov.ai Code of Practice monitoring: TraceGov.ai automatically tracks GPAI Code of Practice revision cycles. When a revised Code is published, the system computes the delta between the current and previous version and generates a prioritized list of compliance updates required for your organization's AI system portfolio — giving you the full 90-day update window rather than discovering changes at revision deadline.
8. Relationship to Systemic Risk Model Additional Requirements
The GPAI Code of Practice addresses both standard and systemic risk GPAI providers, but its obligations are substantially different for each category. For standard GPAI providers, the Code covers Transparency (WG1) and Copyright (WG2) obligations. For systemic risk providers, all four working group obligations apply.
The systemic risk provisions are where the Code has the most regulatory teeth. WG4 establishes specific requirements for adversarial testing that the EU AI Act (Article 55(1)(a)) leaves relatively open-ended — “perform model evaluations, including adversarial testing.” The Code fills this gap with: minimum test scenario categories, frequency requirements (pre-deployment plus annual), minimum tester qualification standards, and reporting format for EU AI Office submission.
For systemic risk providers, Code compliance is effectively mandatory because the alternative pathway requires justifying why a different adversarial testing methodology is equivalent to the Code standard — a burden that practically requires demonstrating equivalent rigour to the Code methodology, which effectively means following it anyway.
9. FAQ
Is signing the GPAI Code of Practice mandatory?+
Signing is formally voluntary under Article 56. However, the presumption of conformity created by signing makes it the practical compliance standard. Non-signatories must demonstrate equivalent compliance through their own documentation, which faces higher scrutiny and provides no enforcement presumption benefit. For systemic risk providers especially, non-signing creates substantial compliance uncertainty.
What are the four GPAI Code of Practice working groups?+
The four working groups are: (1) Transparency — technical documentation standards and downstream provider information; (2) Copyright — training data compliance, rights-holder opt-out, and training data summaries; (3) Risk Assessment — methodology for identifying and evaluating GPAI model risks; and (4) Safety and Security — adversarial testing, incident reporting, and cybersecurity for systemic risk models.
Which major providers have signed the GPAI Code of Practice?+
As of March 2026, signatories include OpenAI, Google DeepMind, Anthropic, Meta AI (with reservations), Microsoft, Mistral AI, Cohere, Aleph Alpha, and Stability AI. The EU AI Office maintains the authoritative public register. 147 organizations have signed in full and 23 have signed with reservations on specific provisions.
What happens if a GPAI provider does not sign the Code of Practice?+
Non-signatories must comply with Chapter V through an alternative documented pathway: producing equivalent documentation for each obligation, submitting it to the EU AI Office annually, justifying any methodology differences from the Code, and receiving no presumption of conformity in enforcement proceedings.
When is the GPAI Code of Practice revised?+
The Code operates on an annual revision cycle under Article 56(5), with the first revision due August 2, 2026. Working groups reconvene, public consultation is conducted, and the EU AI Office approves the revised Code. Signatories have 90 days to update their compliance implementations after each revision.
Related Resources
Monitor Your GPAI Code of Practice Compliance
TraceGov.ai tracks Code of Practice revision cycles, maps your model portfolio to relevant Code provisions, and alerts you to compliance updates within the 90-day update window.
Start GPAI Compliance Monitoring →