GPAI Code of Practice: What It Requires and How It Relates to August 2026

# GPAI Code of Practice: What It Requires and How It Relates to August 2026 This page covers what the GPAI Code of Practice requires, how it maps to Articles 52 and 53 of the EU AI Act, and what downstream vendors need to know when their upstream AI providers have signed it. --- ## What the EU AI Act Actually Says The EU AI Act distinguishes between general-purpose AI (GPAI) models and the applications built on top of them. The relevant provisions are Articles 51 through 55, which together define who is a GPAI provider, what they must do, and how compliance is assessed. **Article 51** establishes two tiers of GPAI model: standard models and models with systemic risk (those trained on more than 10^25 FLOPs, or designated by the AI Office). The obligations differ significantly between these tiers. **Article 53** sets out the core obligations for all GPAI providers regardless of tier. These include drawing up and maintaining technical documentation, providing information and documentation to downstream providers who integrate the model into their own systems, publishing a summary of training data in compliance with EU copyright law, and putting in place a policy on copyright compliance. Providers of open-weight models with a standard risk profile can satisfy most of Article 53 through a limited set of conditions. **Article 55** adds obligations specifically for providers of GPAI models with systemic risk. These include performing model evaluations, assessing and mitigating systemic risks, reporting serious incidents to the AI Office, and maintaining cybersecurity protections appropriate to the risk level. **Article 52** covers transparency obligations for certain AI systems interacting with humans, including chatbots and deepfake-generating systems. Where a GPAI model is integrated into such a system, both the GPAI provider and the deployer have layered obligations. --- ## Who This Applies To GPAI obligations fall primarily on **providers**: the companies that develop and place a GPAI model on the EU market or put it into service. If you are building on top of someone else's model (OpenAI, Anthropic, Mistral, Google, Cohere, and similar), you are a **downstream provider**, not the GPAI provider. This matters because: - The GPAI provider bears the primary obligation under Articles 53 and 55. - Downstream providers receive the benefit (or risk) of whatever their upstream provider has committed to. - Deployers (companies using a model in a specific context without modifying it) have separate obligations mainly under Articles 26 and 52. There is no size exemption for GPAI obligations. A startup with a product built on a frontier model is a downstream provider and inherits the information and documentation obligations that flow from Article 53(1)(b). --- ## What the GPAI Code of Practice Is The EU AI Office is developing a GPAI Code of Practice under Article 56. The Code is designed to serve as the operative compliance framework for GPAI providers until harmonised technical standards are published, which is not expected before 2027. Under Article 56(5), GPAI providers who adhere to the Code of Practice benefit from a **presumption of conformity** with the obligations set out in Articles 53 and 55. This is the same mechanism used elsewhere in the AI Act: follow the approved code or standard, and regulators presume you are compliant until shown otherwise. The Code drafting process has involved GPAI providers, civil society, and technical experts across multiple iterations. As of mid-2026, the finalised Code covers: - **Transparency and documentation:** what technical documentation must be produced and in what form it must be shared with downstream providers. - **Copyright policy:** what a compliant copyright policy looks like, including training data provenance requirements. - **Systemic risk assessment:** evaluation methodologies for high-capability models, including red-teaming requirements and capability thresholds. - **Incident reporting:** what constitutes a serious incident, how it is classified, and the reporting timeline to the AI Office. - **Cybersecurity:** baseline requirements for protecting model weights and inference infrastructure. For downstream vendors, the Code is important for one specific reason: if your upstream provider has signed and is adhering to the Code, they have committed to producing the documentation and downstream information you are entitled to under Article 53(1)(b). You should be able to point to that commitment in your own compliance record. --- ## Key Deadlines **February 2, 2025** Article 5 prohibitions came into force. These cover unacceptable-risk AI practices including social scoring by public authorities and certain biometric categorisation uses. These are already in effect. **August 2, 2026** GPAI obligations under Articles 51 to 55 and Article 50 transparency obligations become enforceable. This is the most significant near-term date for most EU AI Act compliance teams. If you are building on a GPAI model, you need to have confirmed your upstream provider's compliance posture before this date. **December 2, 2027** Obligations for high-risk AI systems listed in Annex III become fully enforceable. If your product falls into an Annex III category (HR screening, credit scoring, education systems, critical infrastructure, and similar), this is your primary hard deadline for full compliance. --- ## What to Do Now **1. Identify which GPAI models you use upstream.** List every API or model integration in your stack. For each one, determine whether the provider has signed the GPAI Code of Practice and whether they have published the documentation required under Article 53. **2. Request the Article 53 documentation package from your upstream provider.** This should include technical documentation, training data summary, and copyright policy. If your provider cannot supply this before August 2026, that is a material compliance risk. **3. Assess whether any of your products also trigger Article 52 transparency obligations.** If your product presents AI-generated content to users or includes a conversational interface, you have independent transparency obligations regardless of what your upstream provider has done. **4. Map your products against Annex III categories.** If any product falls into an Annex III category, start the conformity assessment process now. December 2027 is closer than it appears when you account for documentation, testing, and registration requirements. **5. Document your reliance on upstream Code adherence.** If your upstream provider is covered by the Code and claims the presumption of conformity, record that. Regulators will expect you to show that you verified your provider's status and did not simply assume compliance. --- ## Use the Free ActComply Risk Screener The fastest way to determine which of these obligations apply to your specific system is to run it through the ActComply risk screener. It maps your product against the EU AI Act's risk categories, identifies which articles apply, and flags your nearest deadlines. It is free and takes under five minutes: [https://www.getactcomply.com/check](https://www.getactcomply.com/check)

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener
GPAI Code of Practice: What It Requires and How It Relates to August 2026 | ActComply