EU AI Act GPAI Code of Practice 2026: What Developer Teams Need to Know
Post #1 in the sota.io EU AI Act GPAI Compliance Series
With 58 days until August 2, 2026, the EU AI Act's most complex chapter — general-purpose AI (GPAI) model regulation — enters enforcement mode. Unlike the high-risk AI system provisions that have dominated compliance discussion, the GPAI chapter introduces a parallel track: a voluntary-but-binding Code of Practice (CoP) that GPAI providers are expected to sign and implement.
If your team builds products on top of foundation models (GPT-4o, Claude, Llama, Mistral, Gemini) — or if your company trains or fine-tunes a model — the GPAI Code of Practice directly shapes what you must document, test, and disclose.
This post is the first in a five-part series covering the GPAI CoP from a developer's perspective.
What Is the GPAI Code of Practice?
The GPAI Code of Practice is a self-regulatory instrument created under the EU AI Act to operationalize the GPAI chapter's requirements. The EU AI Office — the newly established EU body responsible for GPAI oversight — launched the CoP drafting process in November 2024, inviting GPAI providers, civil society, and researchers to co-author the implementation details.
As of June 2026, the CoP has gone through four drafting rounds, with the final text expected in July 2026 — just before the August 2 enforcement date.
Why does this structure exist? The EU legislators recognized that GPAI technology moves faster than traditional legislative cycles. Rather than hardcoding technical requirements into statute (which would be obsolete before they took effect), the Act delegates the "how" to a living CoP. Providers that sign and follow the CoP get a compliance presumption — essentially a safe harbor — against many of the GPAI chapter's obligations.
Who signs it? As of spring 2026, major signatories include Google, Meta, Microsoft, OpenAI, Mistral AI, Anthropic, and dozens of smaller European AI companies. Signing is not legally mandatory, but non-compliance with the underlying obligations is — and the CoP is the clearest path to demonstrating compliance.
The Two Tiers: General GPAI vs. Systemic Risk
The GPAI chapter distinguishes two tiers of providers based on model scale and risk profile:
Tier 1 — All GPAI Model Providers
Any provider that trains and offers a GPAI model used in downstream products must meet baseline obligations:
| Obligation | Description |
|---|---|
| Technical documentation | Model card with training data scope, capabilities, limitations, architecture |
| Copyright compliance | Training data policy; copyright reservation notice compliance |
| Downstream transparency | Provide information to downstream deployers about model capabilities and limitations |
| Register with EU AI Office | Model registration in the EU AI Act database |
These obligations apply regardless of model size. A mid-size European AI startup fine-tuning Llama for healthcare must comply.
Tier 2 — Systemic Risk GPAI Models
Models exceeding 10^25 FLOPs (floating-point operations) of training compute — or that the EU AI Office designates as systemic risk by other criteria — face additional obligations:
| Additional Obligation | Description |
|---|---|
| Systemic risk assessment | Identify potential large-scale societal, economic, or democratic risks |
| Adversarial testing | Red team and probe the model for dangerous capabilities |
| Incident reporting | Notify EU AI Office of serious incidents |
| Cybersecurity measures | Protect model weights from unauthorized access |
| Energy reporting | Report energy consumption annually |
The 10^25 FLOP threshold currently applies to models like GPT-4, Claude 3+, Gemini Ultra, and Llama 3.x 70B+ variants. Most company-internal fine-tunes or retrieval-augmented systems fall below this threshold.
What the CoP Actually Requires (Developer View)
The Code of Practice structures its requirements into three pillars:
Pillar 1: Transparency Measures
GPAI providers must publish a model card and make it accessible to downstream deployers. The CoP specifies minimum content:
- Training data provenance: What datasets were used? What jurisdiction? What copyright opt-out mechanism was applied?
- Capability description: What tasks can the model perform? At what accuracy? In which languages?
- Known limitations: What failure modes exist? Hallucination rate? Factual accuracy on which benchmarks?
- Intended use and out-of-scope use: What use cases were tested? What uses should be avoided?
- Update cadence: When was the model last updated? How are breaking changes communicated?
For developers building on top of third-party GPAI models, the transparency obligation flows downstream via EU AI Act Art.50 — you must disclose to your users that AI-generated content is AI-generated. The GPAI provider's model card gives you the factual inputs for those disclosures.
Pillar 2: Copyright Compliance
This is the most legally complex CoP pillar. GPAI providers must:
- Document training data sources — what data was used and what rights were obtained
- Honor copyright reservation notices — if a rights holder opted out via robots.txt, TDM-reserved HTTP headers, or the EU's technical standard (once finalized), the GPAI provider must have honored those opt-outs
- Track unresolved claims — maintain a register of copyright complaints and document resolution
For downstream developers, this matters because EU law could expose you to liability if you deploy a model trained on unlicensed data to produce content in a commercial context. The CoP's copyright transparency requirements give you visibility into your exposure.
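As an added example (not the post's or sota.io's own code), here is a training-data ingestion gate that records, per crawled URL, whether the two opt-out signals named above were honored, producing the kind of register entry the copyright pillar asks providers to keep. It assumes a hypothetical crawler user-agent and the header names used by the W3C TDM Reservation Protocol (`tdm-reservation`, `tdm-policy`); the robots.txt and response headers are constructed sample data.

```python
from urllib.robotparser import RobotFileParser

# Hypothetical user-agent string our training crawler sends (assumption).
TRAINING_UA = "ExampleTrainingBot"

# Constructed sample robots.txt: the site blocks the training crawler
# from /articles/ but leaves the rest of the site open to it.
SAMPLE_ROBOTS = """
User-agent: *
Disallow: /drafts/

User-agent: ExampleTrainingBot
Disallow: /articles/
"""


def robots_allows(robots_txt, url, user_agent=TRAINING_UA):
    """True if robots.txt lets user_agent fetch url; fail closed when
    robots.txt could not be retrieved (robots_txt is None)."""
    if robots_txt is None:
        return False
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)


def tdm_reservation(headers):
    """Return (reserved, policy_url) from TDMRep-style response headers.
    Header names are matched case-insensitively; '1' means rights reserved."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return h.get("tdm-reservation") == "1", h.get("tdm-policy")


def training_use_decision(url, robots_txt, headers):
    """Decide whether a crawled document may enter the training set and
    return a register entry recording which opt-out signal, if any, blocked it."""
    reasons = []
    if not robots_allows(robots_txt, url):
        reasons.append(f"robots.txt disallows {TRAINING_UA}")
    reserved, policy = tdm_reservation(headers)
    if reserved:
        reasons.append("tdm-reservation header set to 1")
    return {"url": url, "usable": not reasons, "reasons": reasons, "tdm_policy": policy}
```

Persist each returned entry alongside the crawl record so an opt-out question from a rights holder can be answered from the log rather than re-crawled.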
Pillar 3: Safety and Systemic Risk
For Tier 2 (systemic risk) models, the CoP requires an ongoing safety program:
- Capability evaluation: Test for dangerous capabilities before model release and after fine-tuning — e.g., CBRN (chemical, biological, radiological, nuclear) information generation, cyberattack assistance
- Red teaming protocol: Structured adversarial testing, minimum scope defined by EU AI Office guidelines
- Incident reporting: Serious incidents (as defined by the GPAI chapter) must be reported to the EU AI Office within specified timeframes
Developers integrating Tier 2 models get their own obligation: report incidents you encounter to the provider, who then reports to the EU AI Office. Your incident reporting workflow must therefore include a channel upstream to your model provider.
The Enforcement Landscape
Who enforces the GPAI chapter? Unlike the high-risk AI system provisions (enforced by national market surveillance authorities), the GPAI chapter is enforced at the EU level by the EU AI Office within the European Commission. This centralized enforcement is intentional — frontier AI models are global products, not local ones.
Penalties under the GPAI chapter are steep. The EU AI Act (Art.101) provides for fines against GPAI providers of up to €15 million or 3% of worldwide annual turnover, whichever is higher, for breaches of the GPAI obligations. For a company with €1 billion in revenue, that's €30 million. These fines apply to GPAI providers, not to downstream deployers — but the GPAI provider's compliance record directly affects your risk profile as a downstream builder.
Practical Developer Checklist: August 2 GPAI Readiness
Before August 2, 2026, teams building on GPAI models should complete:
If you are a GPAI model provider:
- Register your model(s) with the EU AI Office registry
- Publish compliant model card with full transparency documentation
- Audit training data for copyright compliance; document opt-out mechanism
- Assess whether your model's training compute exceeds 10^25 FLOPs
- For Tier 2 models: conduct pre-enforcement red team exercise; establish incident reporting channel to EU AI Office
- Sign the GPAI Code of Practice (or document your alternative compliance approach)
If you are a downstream developer deploying third-party GPAI models:
- Verify your model provider has published a compliant model card
- Document which GPAI models are in your stack and their version history
- Implement Art.50 disclosures: users must know when they are interacting with AI or receiving AI-generated content
- Establish an incident reporting channel: if you encounter a serious model failure, you must be able to notify your provider
- Review your provider's copyright transparency disclosures before using model outputs in commercial content
The Sovereign Infrastructure Angle
The GPAI Code of Practice has an often-overlooked infrastructure dimension. When the EU AI Office conducts investigations or requests information from GPAI providers, it may also examine where model training infrastructure and model weights are stored.
Under the US CLOUD Act, US cloud providers can be compelled to produce stored data — including model weights — to US law enforcement without notifying the EU data subject. For GPAI providers with European users, storing model infrastructure on US cloud services creates a jurisdiction gap that the EU AI Office has begun examining in its CoP enforcement guidance.
What this means for developers: If you are a European GPAI provider or fine-tuner, running your training infrastructure on EU-sovereign compute (Hetzner, OVHcloud, Scaleway — or a platform like sota.io that deploys exclusively on EU infrastructure) eliminates this gap. Your model weights, training logs, and evaluation records remain within EU legal jurisdiction.
The Drafting Timeline: What Changed Across the Four Drafts
The CoP went through significant evolution between its first draft (November 2024) and the final version expected in July 2026:
| Draft | Date | Key Change |
|---|---|---|
| Draft 1 | Nov 2024 | Baseline framework; heavy industry pushback on copyright requirements |
| Draft 2 | Feb 2025 | Copyright pillar narrowed; Tier 2 threshold confirmed at 10^25 FLOPs |
| Draft 3 | Jun 2025 | Incident reporting timelines aligned with GPAI Act text; sandbox provisions added |
| Draft 4 | Apr 2026 | Energy reporting requirements finalized; SME carve-outs narrowed |
| Final | Jul 2026 | Expected: residual copyright framework; final red teaming protocols |
Each draft added specificity and tightened requirements. If your compliance program was scoped to Draft 1, it needs a substantial refresh before August 2.
What's Next in This Series
Over the next four posts, we'll go deeper into each compliance dimension:
- Post #2/5: GPAI Transparency Documentation — the model card in detail: what to include, how to structure it, what downstream deployers need from it
- Post #3/5: GPAI Copyright Compliance — training data audits, opt-out mechanisms, and what "unresolved claims" tracking looks like in practice
- Post #4/5: Systemic Risk Assessment — the red teaming protocol, capability evaluation scope, and what constitutes a "serious incident" under the GPAI chapter
- Post #5/5: GPAI Compliance Stack — putting it together: registry, model card, incident reporting, and infrastructure choices for August 2 readiness
Deploy EU AI Act GPAI Compliance on EU Infrastructure
sota.io is a managed PaaS that runs exclusively on Hetzner Germany — no US parent, no CLOUD Act exposure. Deploy your AI applications, model APIs, and compliance tooling on EU-sovereign infrastructure with a one-command setup.
58 days to August 2, 2026. Start with your model card documentation this week.
# Deploy your GPAI compliance API on EU infrastructure
git push sota main