Introduction
The EU’s General-Purpose AI Code of Practice matters because it is likely to become a key reference point for how providers of general-purpose AI models show that they are ready to comply with the AI Act.
Although the Code is formally voluntary, it is intended to help signatories demonstrate compliance with the AI Act’s GPAI obligations and, in the European Commission’s own terms, provide a clearer route to legal certainty. That makes it more than a policy footnote. For many businesses developing, integrating, or relying on advanced AI models, it may quickly become the practical benchmark against which governance, documentation, and risk controls are judged.
The point for businesses is a simple one. Even if the Code does not itself create new binding obligations, it is still likely to shape regulatory expectations, internal compliance frameworks, and market practice. The real question, therefore, is not just whether the Code is voluntary as a matter of form, but whether it will operate in practice as the default standard for demonstrating compliance readiness under the AI Act.
1. What is the GPAI Code of Practice?
The General-Purpose AI Code of Practice is a voluntary compliance tool designed to help providers of general-purpose AI models meet their obligations under the EU AI Act. Published on 10 July 2025, it sits alongside the Commission’s guidance on key GPAI concepts and is intended to translate broad legal obligations into a more workable compliance framework. The European Commission and the AI Board have confirmed that the Code is an adequate voluntary means by which GPAI providers may demonstrate compliance with the AI Act.
The Code is divided into three chapters: Transparency, Copyright, and Safety and Security. The Transparency and Copyright chapters are relevant to providers of general-purpose AI models more broadly and are intended to help organisations document key information and put in place policies that align with EU copyright law. The Safety and Security chapter, by contrast, is directed only at the small group of providers whose models fall within the AI Act’s regime for general-purpose AI models with systemic risk.
2. Where does it fit in the AI Act compliance framework?
Within the AI Act framework, the starting point is that the binding obligations are set by the Regulation itself, not by the Code. For providers of general-purpose AI models, those obligations became applicable on 2 August 2025. The Commission has also clarified that providers placing GPAI models on the EU market must comply with the relevant transparency and copyright obligations from that date, while providers of GPAI models with systemic risk are subject to additional requirements, including notification and safety-related obligations.
The GPAI Code of Practice does not have legislative status. It is a voluntary compliance tool, developed through a multi-stakeholder process, and is intended to help providers operationalise the AI Act’s requirements in practice. At the same time, the Commission and the AI Board have confirmed that the Code is an adequate voluntary tool through which GPAI providers may demonstrate compliance with the AI Act. The Commission has also stated expressly that signatories may gain greater legal certainty and reduce administrative burden by relying on it.
Alongside the Code, the Commission has issued separate guidelines on the scope of GPAI obligations, aimed at clarifying who falls within scope and how those obligations should be interpreted across the AI value chain. Compliance therefore appears to operate on two levels: first, hard-law obligations contained in the AI Act itself; and second, non-binding but highly influential instruments, such as the Code and the Commission’s interpretive guidance, which are likely to shape supervisory expectations in practice.
3. Why the Code may improve legal certainty
The GPAI Code of Practice may improve legal certainty because it turns broad statutory duties into a more concrete compliance pathway. The AI Act sets out the binding obligations, but the Code helps providers understand what those obligations may look like in operational terms: what should be documented, how copyright-related policies might be organised, and what safety and security practices may be expected for the most advanced models. In that respect, the Code may help narrow the gap between legislative text and day-to-day compliance implementation.
It may also reduce administrative burden. The Commission has expressly stated that providers who voluntarily sign the Code may use it to demonstrate compliance with the AI Act, and that doing so may provide more legal certainty and trust than attempting to prove compliance through other means. The Code also offers a common reference point for providers and regulators alike. Used alongside the Commission’s GPAI guidelines, it helps align legal interpretation with practical implementation across the AI value chain.
4. Why it may also deepen soft-law dependence
The strongest criticism of the GPAI Code of Practice is that, although it is formally voluntary, it may become difficult to ignore in practice. The Commission describes the Code as a voluntary tool, but it has also confirmed that it is an adequate means for providers to demonstrate compliance with the AI Act. That gives the Code a distinctive status: it is not binding law, but it may nevertheless become the most credible and administratively efficient route for showing compliance readiness. For many providers, particularly those operating at scale, adherence may therefore become less a genuine choice and more a practical expectation.
That pressure may be even greater for non-signatories. The Commission’s own Q&A makes clear that providers who do not adhere to the Code must demonstrate compliance through other “adequate means”, report the measures they have implemented to the AI Office, and explain how those measures ensure compliance, for example by carrying out a gap analysis against the Code itself. In other words, the Code may still function as the reference benchmark even for those who choose not to sign it.
5. What businesses should do now
Businesses should treat the publication of the GPAI Code of Practice as an opportunity to reassess where they sit in the AI value chain and how they intend to evidence compliance. The first step is to determine whether the organisation is, in fact, a provider of a general-purpose AI model for AI Act purposes, using the Commission’s GPAI guidelines as the starting point for that scoping exercise. From there, businesses should consider whether adherence to the Code is the most efficient compliance route, or whether they intend to rely on other adequate means to demonstrate compliance.
In practical terms, that means reviewing internal model documentation, copyright compliance policies, and broader risk-governance processes against the expectations reflected in the Code. Providers working on the most advanced models should also assess carefully whether their systems could fall within the separate regime for GPAI models with systemic risk, since that brings additional safety and security expectations.
Conclusion
The GPAI Code of Practice is likely to improve legal certainty, at least in practical terms. It gives providers a more structured way to translate the AI Act’s broad GPAI obligations into documentation, governance, and risk-management steps that can be explained to regulators and other stakeholders. At the same time, that certainty comes through a hybrid compliance model: the binding obligations remain in the AI Act, while much of their day-to-day operational meaning may be shaped by a non-binding but institutionally endorsed code.
The more important question, therefore, is no longer whether soft law matters in the EU’s AI framework. It does. The real issue is how much practical regulatory weight the Code will carry as supervision intensifies and the Commission’s enforcement phase begins on 2 August 2026.
Disclaimer
This article does not constitute legal advice and is not intended to provide an exhaustive analysis of the topic. For information or guidance on this matter, you should seek legal counsel. You may contact us for appropriate assistance.
