The GPAI Code of Practice: what it means for model providers
The third draft of the GPAI Code of Practice was published in March 2025. It sets out how general-purpose AI model providers can demonstrate compliance with Articles 53-56.
What the Code of Practice covers
The Code of Practice is a voluntary but strategically important compliance pathway for general-purpose AI (GPAI) model providers. Adherence to the Code creates a presumption of conformity with the transparency and documentation obligations in Article 53.
The third draft (March 2025) covers transparency obligations, copyright policy, technical documentation for downstream providers, and specific measures for GPAI models with systemic risk (Article 55), including adversarial testing, incident monitoring, cybersecurity, and energy-efficiency reporting.
Systemic risk thresholds
A GPAI model is classified as having systemic risk if its cumulative training compute exceeds 10^25 FLOPs, or if the Commission designates it based on capability assessments. Models with systemic risk face additional obligations: model evaluation against state-of-the-art benchmarks, adversarial red-teaming, tracking and reporting of serious incidents, and adequate cybersecurity protection.
The AI Office monitors compliance and can request documentation, conduct evaluations, and ultimately impose fines of up to €15 million or 3% of global annual turnover.
Downstream impact
If you integrate a GPAI model into your application, the model provider's compliance with the Code of Practice affects your own risk posture. Verify that your GPAI suppliers provide sufficient technical documentation, usage policies, and copyright compliance summaries.
ActLoom tracks GPAI model provider obligations alongside your deployment-specific high-risk requirements, giving you a complete view of the compliance chain.