EU AI Act Art.69: Codes of Conduct — Voluntary Application of Requirements, AI Office Facilitation, and SME Access (2026)
EU AI Act Article 69 closes the Chapter IX governance and enforcement framework with a forward-looking instrument that extends the regulation's reach beyond its mandatory scope: voluntary codes of conduct that encourage providers of AI systems — particularly those not classified as high-risk — to apply some or all of the Chapter III requirements on their own initiative. Where the AI Act's mandatory provisions establish a compliance floor for high-risk systems, Art.69 creates the architecture for raising that floor voluntarily across the broader AI ecosystem.
The article reflects a deliberate policy choice embedded throughout Regulation (EU) 2024/1689: that mandatory requirements calibrated to risk levels will always leave a gap between the systems that must comply and the systems that should comply in the interest of trustworthy AI development. Most AI systems deployed across the EU are not classified as high-risk. Many are not even subject to the transparency obligations of Art.50. Art.69 is the mechanism through which Commission and Member State facilitation can encourage these systems' providers to adopt governance practices — risk management, data quality, transparency, human oversight — as voluntary commitments, with the regulatory framework providing templates, guidance, and recognition for those who do.
For developers, Art.69 is materially relevant in two directions. First, if your AI system is not high-risk, voluntary adoption of a recognised code of conduct signals trustworthiness to customers, regulators, and procurement bodies without triggering the full conformity assessment machinery. Second, if you are building AI systems for EU public sector deployment, voluntary code adherence is increasingly becoming a procurement differentiator — public authorities are beginning to require Art.69 code alignment in tender specifications even where the system is not technically high-risk.
Art.69 became applicable on 2 August 2025 as part of the phased entry into force of Regulation (EU) 2024/1689.
Art.69 in the Chapter IX Architecture
Art.69 is the final article of Chapter IX and functions as a transition from the reactive enforcement framework (Art.57–68) to voluntary governance infrastructure:
| Article | Function | Relationship to Art.69 |
|---|---|---|
| Art.9 | Risk management system — mandatory for high-risk AI | Art.69 codes may extend risk management to non-high-risk systems voluntarily |
| Art.10 | Data governance — mandatory for high-risk AI | Art.69 codes may apply data quality requirements beyond mandatory scope |
| Art.13 | Transparency and provision of information — mandatory for high-risk AI | Art.69 codes may extend transparency obligations to all AI systems the provider deploys |
| Art.14 | Human oversight — mandatory for high-risk AI | Art.69 codes may implement human oversight mechanisms for non-high-risk systems as voluntary commitment |
| Art.50 | Transparency obligations for certain AI systems | Does not apply to all AI systems — Art.69 codes can extend transparency requirements where Art.50 does not reach |
| Art.56 | Codes of Practice for GPAI models — facilitated by AI Office | Art.56 and Art.69 operate in parallel: Art.56 is the GPAI-specific track; Art.69 is the non-GPAI voluntary commitment framework |
| Art.68 | AI regulatory sandboxes — controlled testing | Post-sandbox providers often use Art.69 codes to formalise voluntary compliance commitments adopted during sandbox dialogue |
| Art.69 | Codes of conduct — voluntary application of requirements | This guide |
Art.69(1): Commission and Member State Facilitation Mandate
Art.69(1) places an active facilitation obligation on both the Commission and Member States: they shall encourage and facilitate the drawing up of voluntary codes of conduct for providers of AI systems that are not subject to the mandatory requirements of Chapter III, Section 2.
The facilitation mandate has three key dimensions:
Scope of voluntary application. Art.69(1) codes may apply some or all requirements from Chapter III, Section 2 (requirements for high-risk AI systems: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, cybersecurity) and Section 3 (obligations of providers, importers, distributors, and deployers). The selection is voluntary — a provider may choose to adopt only the risk management and transparency requirements without committing to the full conformity assessment pathway.
Provider-led, not regulator-imposed. The codes of conduct are drawn up by providers and relevant entities — not mandated by Commission implementing acts. The Commission's role is to facilitate (provide templates, host consultations, publish guidance) and encourage (reference voluntary code adoption in public communications and procurement frameworks), not to impose specific content. This distinguishes Art.69 from the Art.56 Codes of Practice framework, where AI Office facilitation produces normative documents with conformity presumption effect.
Deployer participation. Art.69(1) explicitly extends the voluntary framework to deployers of AI systems, not just providers. This is significant: the deployment layer is where most AI risk materialises in practice, and a code of conduct that covers both provider development practices and deployer operational protocols is materially more protective than a provider-only commitment. Providers are encouraged to structure their Art.69 codes to address deployer obligations alongside provider obligations.
Applicable Commission guidance. The Commission has the authority to establish templates and guidelines for Art.69 codes, including technical specifications for implementing Chapter III requirements in non-high-risk system contexts. Providers should monitor EAIS (European AI Strategy) communications and AI Office publications for Commission-issued Art.69 templates as they become available.
Art.69(2): Civil Society and Deployer Involvement
Art.69(2) establishes a participatory design requirement for Art.69 codes: Commission and Member States shall facilitate drawing up codes with the aim of fostering voluntary application, and the process of developing those codes should, where appropriate, involve:
- Natural persons who interact with or are affected by the AI systems the code covers
- Civil society organisations representing the interests of those persons
- Deployers of the AI systems, particularly where the code covers operational practices at the deployment layer
The participation requirement is qualified by "where appropriate" — it applies to the code development process where civil society involvement is feasible and relevant to the system types covered. A code covering low-risk recommendation systems for e-commerce may involve fewer civil society actors than a code covering AI-assisted hiring tools or credit scoring, where affected persons have a direct material interest in the governance standards applied.
Why participation matters for Art.69 code credibility. Codes of conduct developed without input from affected persons are structurally vulnerable to criticism as self-regulatory capture — industry-designed commitments that serve provider interests without meaningful accountability to those affected. Commission and Member State facilitation of participatory code development is therefore both a governance quality requirement and a legitimacy signal. Procurement bodies and regulatory authorities are likely to give greater weight to Art.69 codes that can demonstrate stakeholder involvement in their development and review processes.
Art.69(3): Environmental Sustainability Voluntary Commitments
Art.69(3) creates an explicit space for environmental sustainability within voluntary codes of conduct — a provision that reflects the broader EU regulatory trajectory toward mandatory environmental due diligence in AI development:
Codes of conduct may include voluntary commitments relating to:
- AI system development practices: energy-efficient training methodologies, infrastructure selection based on renewable energy sourcing
- Training processes: data minimisation approaches that reduce compute requirements, model compression and distillation to reduce training footprint
- Testing procedures: reducing redundant evaluation runs, efficient testing infrastructure
- AI system use and deployment: inference efficiency, workload scheduling to align with renewable energy availability
The environmental sustainability provision is entirely voluntary — Art.69 creates no mandatory reporting or disclosure obligation regarding AI environmental impact. However, the inclusion of environmental sustainability as an explicit Art.69 dimension signals that future Commission guidance on Art.69 code templates will likely include a sustainability section. Providers designing Art.69 codes now should consider including environmental commitments both to align with regulatory direction of travel and to differentiate their governance posture in procurement contexts where public authorities have sustainability objectives embedded in tender evaluation criteria.
Relationship to the EU Corporate Sustainability Reporting Directive (CSRD). For providers subject to CSRD, voluntary commitments under an Art.69 code regarding AI system environmental practices may be relevant to their CSRD disclosure obligations regarding the environmental impact of their operations and value chains. Art.69 environmental commitments can provide a structured basis for CSRD-relevant disclosures without creating binding obligations beyond what CSRD already requires.
Art.69(4): SME-Tailored Access and Facilitation
Art.69(4) requires Commission and Member States to take into account the specific interests and needs of SMEs, including start-ups, when encouraging and facilitating the drawing up of codes of conduct.
The SME access provision addresses a structural participation barrier: voluntary codes of conduct are most commonly developed by large providers with dedicated legal and compliance teams who can engage in extended multi-stakeholder consultation processes. SMEs and start-ups — who represent the majority of EU AI system providers by count — frequently lack the resources to participate in code development or to implement code requirements in the ways that large-enterprise compliance frameworks assume.
Concrete SME facilitation implications. When Commission and Member States facilitate Art.69 codes:
- Simplified participation pathways: consultation processes must include mechanisms for SME participation that do not require dedicated legal representation
- Proportionate implementation guidance: code implementation guidance must provide SME-appropriate methods for meeting voluntary commitments (e.g., lightweight risk management documentation templates rather than enterprise conformity assessment processes)
- Cost-proportionate technical specifications: where codes reference technical specifications for implementing Chapter III requirements, those specifications must be practicable for providers with limited engineering resources
- Staged adoption pathways: codes may include tiered commitment levels that allow SMEs to adopt core provisions first and expand scope incrementally
Relationship to Art.68 sandbox SME priority. Art.68(2) establishes that SMEs and start-ups should be prioritised for AI regulatory sandbox participation. The Art.68 sandbox → Art.69 code pathway is particularly relevant for SMEs: sandbox participation provides the structured regulatory dialogue in which SMEs can develop the governance understanding needed to design meaningful Art.69 voluntary commitments, with NCA guidance on which Chapter III requirements are most material for their system type.
Art.69(5): Commission Templates and Update Cycles
Art.69(5) authorises the Commission to establish templates and provide guidelines for codes of conduct — a facilitation tool designed to reduce the transaction costs of code development for providers who want to adopt voluntary commitments but lack the regulatory expertise to draft them from first principles.
Commission templates: anticipated structure. Based on the Commission's approach to similar voluntary frameworks in financial services (FinTech Regulatory Sandbox guidelines) and data governance (GDPR code of conduct guidance under Art.40), Art.69 templates are likely to:
- Map each Chapter III Section 2 and 3 requirement to a corresponding voluntary commitment formulation
- Provide implementation guidance for non-high-risk system contexts where the mandatory requirement's compliance pathway (e.g., notified body conformity assessment) does not apply
- Include environmental sustainability commitment templates consistent with Art.69(3)
- Provide SME-adapted versions of each commitment consistent with Art.69(4)
Update cycles. Art.69 codes are not static instruments. The Commission's facilitation role includes supporting periodic review and update of codes as:
- The technical specifications underlying Chapter III requirements evolve (harmonised standards under Art.40, common specifications under Art.41)
- The AI Office publishes new guidance on GPAI model obligations (relevant to Art.69 codes covering systems that interact with GPAI models)
- The Commission's Art.112 review of the Regulation's application generates findings that indicate where voluntary code scope should be expanded
Providers adopting Art.69 codes should include explicit update cycle provisions: commit to reviewing code compliance against updated Commission templates and published harmonised standards at least every 24 months, or upon material changes to the AI systems covered.
Art.69 vs Art.56: Two Voluntary Tracks
The EU AI Act creates two distinct voluntary governance tracks that frequently create confusion for providers:
| Dimension | Art.56 — Codes of Practice (CoPs) | Art.69 — Codes of Conduct (CoCs) |
|---|---|---|
| Scope | GPAI models specifically | All other AI systems (non-GPAI) |
| Facilitated by | AI Office (Art.58) | Commission + Member States |
| Development process | AI Office-convened multi-stakeholder process | Provider-led, Commission-facilitated |
| Normative effect | Conformity presumption for Art.52 + Art.53 obligations if CoP approved | No direct conformity presumption under current text |
| SME provisions | Art.56(7): SME proportionality within AI Office CoP process | Art.69(4): Commission/MS must facilitate SME access specifically |
| Mandatory element | Commission can adopt implementing act as fallback if adequate CoP not produced | Entirely voluntary — no mandatory fallback |
| Environmental scope | Not explicitly addressed | Art.69(3) explicitly includes environmental sustainability |
| Deployer coverage | Provider-focused (GPAI model providers) | Explicitly includes deployers alongside providers |
| Update mechanism | AI Office annual review + 3-year Commission review cycle | Commission update cycle (frequency not specified in text) |
Key practical distinction. An Art.56 CoP is a regulatory instrument produced through a structured AI Office process and approved by Commission decision. An Art.69 CoC is a voluntary commitment drawn up by providers themselves, with Commission and Member State facilitation but without a formal approval mechanism creating regulatory recognition. This means Art.69 codes carry less formal regulatory weight than Art.56 CoPs — but they are also far more accessible: any provider can draft and publish an Art.69 code without waiting for a multi-year regulatory consultation process.
Conformity Presumption: What Art.69 Does and Does Not Provide
The prior autopilot analysis noted that Art.69 codes may provide a "conformity presumption effect." This requires careful qualification:
What Art.69 does NOT provide. Art.69, as enacted, does not create a direct conformity presumption analogous to the harmonised standards mechanism in Art.40. A provider of a high-risk AI system cannot demonstrate conformity with mandatory Chapter III requirements simply by adhering to an Art.69 voluntary code.
What Art.69 CAN provide — indirect evidential value. An Art.69 voluntary code commitment, documented and implemented, provides evidential support in several contexts:
- Market surveillance proceedings (Art.63-66): NCAs conducting market surveillance may treat demonstrated voluntary code compliance as mitigating evidence in proportionality assessments under Art.66
- Serious incident investigations (Art.65): Documented voluntary governance commitments consistent with Chapter III requirements demonstrate good-faith risk management that may affect NCA enforcement prioritisation
- Procurement evaluation: EU public sector procurement bodies may award evaluation credit for Art.69 code adherence in tender criteria
- Commission future implementing act pathway: The Commission retains the authority to adopt implementing acts that give formal recognition to particular Art.69 codes — creating a prospective conformity presumption pathway that does not yet exist but may emerge from Commission guidance
Practical implication. Providers should treat Art.69 codes as governance quality tools with indirect legal value rather than compliance substitutes. The code's value is in demonstrating systematic, documented voluntary governance — not in providing a regulatory shortcut.
CLOUD Act Intersection with Art.69 Voluntary Commitments
Voluntary codes of conduct create documentation obligations that are directly relevant to CLOUD Act risk management:
Documentation created by Art.69 code adoption. A provider that adopts an Art.69 code implementing Art.10 data governance requirements will generate:
- Data governance records documenting training data sources, quality assessments, and bias evaluations
- Technical documentation covering model architecture, training methodology, and performance metrics
- Risk management records identifying potential harms and mitigation measures
These records, created as part of voluntary code implementation, are potentially subject to CLOUD Act production orders if they are stored or processed on US-controlled cloud infrastructure. This is particularly acute for Art.69 codes that:
- Extend Art.13 transparency documentation requirements to non-high-risk systems (creating detailed model documentation)
- Implement Art.10-style data governance records (documenting data sources and processing)
- Include environmental sustainability metrics (aggregated infrastructure and energy use data)
Practical risk management. Providers adopting Art.69 codes should apply the same data residency architecture principles to voluntary documentation as they apply to mandatory technical documentation under Art.11 (which is subject to NCA access under Art.64). Specifically: store Art.69 code compliance documentation on EU-incorporated infrastructure to avoid CLOUD Act-triggered production orders from creating regulatory complications in any subsequent market surveillance proceeding where that documentation would be NCA-relevant.
Python Implementation: CoCParticipation
from enum import Enum
from datetime import date, timedelta
from dataclasses import dataclass, field
from typing import Optional
class CoCScope(Enum):
CHAPTER_III_SECTION_2_FULL = "full_chapter_iii_s2"
RISK_MANAGEMENT_ONLY = "risk_management_art9"
DATA_GOVERNANCE_ONLY = "data_governance_art10"
TRANSPARENCY_ONLY = "transparency_art13"
HUMAN_OVERSIGHT_ONLY = "human_oversight_art14"
ENVIRONMENTAL_SUSTAINABILITY = "environmental_art69_3"
CUSTOM_SELECTION = "custom"
class CoCStatus(Enum):
DRAFTING = "drafting"
STAKEHOLDER_CONSULTATION = "stakeholder_consultation"
ADOPTED = "adopted"
UNDER_REVIEW = "under_review"
SUPERSEDED = "superseded"
@dataclass
class CoCParticipation:
provider_name: str
ai_system_description: str
coc_scope: CoCScope
status: CoCStatus
adoption_date: Optional[date] = None
review_cycle_months: int = 24
includes_environmental_commitments: bool = False
includes_deployer_provisions: bool = False
civil_society_involved: bool = False
sme_adapted: bool = False
us_cloud_storage: bool = False
applicable_chapter_iii_requirements: list = field(default_factory=list)
def next_review_date(self) -> Optional[date]:
if self.adoption_date is None:
return None
return self.adoption_date + timedelta(days=self.review_cycle_months * 30)
def cloud_act_documentation_risk(self) -> str:
if not self.us_cloud_storage:
return "LOW — documentation stored on EU infrastructure"
high_doc_scopes = [
CoCScope.CHAPTER_III_SECTION_2_FULL,
CoCScope.DATA_GOVERNANCE_ONLY,
CoCScope.TRANSPARENCY_ONLY,
]
if self.coc_scope in high_doc_scopes:
return "HIGH — extensive compliance documentation on US-controlled infrastructure"
return "MEDIUM — limited documentation scope on US-controlled infrastructure"
def presumption_value(self) -> str:
if self.status != CoCStatus.ADOPTED:
return "NONE — code not yet adopted"
value = []
if self.coc_scope == CoCScope.CHAPTER_III_SECTION_2_FULL:
value.append("Strong evidential value in market surveillance proportionality assessments")
if self.civil_society_involved:
value.append("Enhanced legitimacy — civil society participation documented")
if self.includes_deployer_provisions:
value.append("Covers deployment layer — relevant in deployer-chain enforcement proceedings")
if not value:
return "Limited — narrow scope CoC may carry less evidential weight"
return "; ".join(value)
def stakeholder_gaps(self) -> list:
gaps = []
if not self.civil_society_involved:
gaps.append("Civil society involvement absent — Art.69(2) facilitation expectation not met")
if not self.includes_deployer_provisions:
gaps.append("Deployer obligations not covered — code scope limited to provider practices")
if not self.sme_adapted and self.coc_scope == CoCScope.CHAPTER_III_SECTION_2_FULL:
gaps.append("SME-adapted implementation guidance absent — Art.69(4) facilitation gap")
if self.us_cloud_storage:
gaps.append("Documentation on US cloud — CLOUD Act production order risk for compliance records")
return gaps
def governance_score(self) -> int:
score = 0
if self.status == CoCStatus.ADOPTED:
score += 30
if self.civil_society_involved:
score += 20
if self.includes_deployer_provisions:
score += 15
if self.includes_environmental_commitments:
score += 10
if self.sme_adapted:
score += 10
if not self.us_cloud_storage:
score += 15
return min(score, 100)
# Usage example
coc = CoCParticipation(
provider_name="Example AI Provider GmbH",
ai_system_description="Non-high-risk AI recommendation system for e-commerce personalisation",
coc_scope=CoCScope.CHAPTER_III_SECTION_2_FULL,
status=CoCStatus.ADOPTED,
adoption_date=date(2026, 4, 1),
review_cycle_months=24,
includes_environmental_commitments=True,
includes_deployer_provisions=True,
civil_society_involved=True,
sme_adapted=False,
us_cloud_storage=False,
applicable_chapter_iii_requirements=["Art.9 risk management", "Art.10 data governance", "Art.13 transparency", "Art.14 human oversight"],
)
print(f"Next review: {coc.next_review_date()}")
print(f"CLOUD Act risk: {coc.cloud_act_documentation_risk()}")
print(f"Governance score: {coc.governance_score()}/100")
print(f"Presumption value: {coc.presumption_value()}")
for gap in coc.stakeholder_gaps():
print(f" ⚠ Gap: {gap}")
Art.69 Compliance Checklist
| # | Item | Who | Timing |
|---|---|---|---|
| 1 | Assess whether your AI systems — particularly non-high-risk systems — benefit from voluntary adoption of Chapter III requirements: identify which requirements (risk management, data governance, transparency, human oversight) would meaningfully improve your system's trustworthiness and market positioning if adopted voluntarily | Provider | Before code development |
| 2 | Monitor Commission and Member State Art.69 facilitation outputs: check for published templates, guidelines, and model codes of conduct from the Commission AI Office and relevant national authorities — do not draft from scratch when Commission templates exist | Provider | Before code development |
| 3 | Assess whether your AI system's user base includes persons who should be represented in the code development process: if the system affects hiring decisions, credit access, health outcomes, or other high-stakes domains, civil society involvement under Art.69(2) is both appropriate and strategically valuable for code credibility | Provider | Code development phase |
| 4 | Determine whether your code should extend to deployers: if you provide your AI system to third-party deployers, a code covering deployer operational practices (human oversight, monitoring, incident response) provides materially stronger governance evidence than a provider-only code | Provider | Code development phase |
| 5 | Include an environmental sustainability section under Art.69(3): document your AI system development, training, and deployment environmental practices — energy efficiency approaches, infrastructure selection, training data minimisation — even if commitments are modest, documentation demonstrates awareness and trajectory | Provider | Code development phase |
| 6 | Design the code with SME participation in mind under Art.69(4): if your code is intended for adoption across a sector or ecosystem, include a tiered implementation pathway that allows SMEs to adopt core provisions first and expand scope incrementally — SME-inaccessible codes will have low adoption rates and corresponding low credibility as sector governance signals | Provider | Code development phase |
| 7 | Establish a code update cycle: commit to reviewing code compliance against updated Commission templates and harmonised standards at minimum every 24 months, or upon material changes to your AI systems or applicable regulatory guidance — include the review cycle commitment in the code text itself | Provider | Before adoption |
| 8 | Store all Art.69 code compliance documentation on EU-incorporated infrastructure: the documentation created through voluntary code implementation (risk assessments, data governance records, technical documentation, transparency statements) carries CLOUD Act production order risk on US-controlled infrastructure — apply the same data residency principles you apply to mandatory Art.11 technical documentation | Provider | Before adoption |
| 9 | Register your Art.69 code in procurement-relevant directories: Commission and Member State procurement frameworks are increasingly referencing voluntary code adoption as evaluation criteria — register your adopted code with relevant public sector procurement notification channels and include code adherence documentation in public sector tender responses | Provider | After adoption |
| 10 | Document the code development process contemporaneously: record the stakeholders consulted, civil society organisations involved, SME participation pathways offered, and Commission templates referenced — this process documentation is your best evidence of Art.69 compliance with the facilitation expectations embedded in paragraphs (2), (3), and (4) in any subsequent regulatory dialogue | Provider | Throughout code development |
Series Context: Chapter IX Governance and Enforcement Framework
| Article | Coverage | Post |
|---|---|---|
| Art.57 | National Competent Authorities — designation, tasks, independence | Art.57 guide |
| Art.58 | NCA enforcement powers — investigation, access, corrective measures | Art.58 guide |
| Art.59 | AI Board — composition, independence, NCA coordination | Art.59 guide |
| Art.60 | EU AI database — public registry, EUID governance, Commission management | Art.60 guide |
| Art.61 | Scientific Panel — independent experts, model evaluation, AI Office advisory | Art.61 guide |
| Art.62 | AI Office enforcement powers — corrective measures, market withdrawal, emergency action | Art.62 guide |
| Art.63 | Advisory Forum — multi-stakeholder consultation, composition, tasks, CoP input | Art.63 guide |
| Art.64 | Access to data and documentation — market surveillance authority enforcement powers | Art.64 guide |
| Art.65 | Reporting of serious incidents — provider NCA notification obligations | Art.65 guide |
| Art.66 | Market surveillance, information exchange, enforcement coordination | Art.66 guide |
| Art.67 | Union safeguard procedure — Commission review of conflicting NCA enforcement | Art.67 guide |
| Art.68 | AI regulatory sandboxes — national establishment, provider exemptions, compliance pathway | Art.68 guide |
| Art.69 | Codes of conduct — voluntary requirements, AI Office facilitation, SME access | This guide |
| Art.70 | Administrative penalties — prohibited practices, high-risk obligations, GPAI models | Art.70 guide |
EU AI Act Art.69 analysis based on Regulation (EU) 2024/1689 as published in the Official Journal of the European Union. Applicable from 2 August 2025 per Art.113(3). The voluntary codes of conduct framework described operates alongside — and does not displace — the mandatory conformity assessment obligations applicable to high-risk AI systems under Chapter III. Art.69 codes are voluntary governance commitments and do not, under the current text of the Regulation, provide a formal conformity presumption equivalent to adherence to harmonised standards under Art.40; prospective Commission implementing acts may modify this position. CLOUD Act risk analysis reflects the state of EU-US data transfer frameworks as of 2025. This guide reflects the text of the Regulation as enacted and does not constitute legal advice.