EU AI Act GPAI Code of Practice 2026: What SaaS Developers Must Know Before August
Post #4 in the sota.io EU AI Act GPAI Developer Series
The EU AI Act's August 2, 2026 deadline is 65 days away. For SaaS developers who integrate general-purpose AI (GPAI) models — Claude, GPT-4, Gemini, or any other frontier model — this deadline triggers a new compliance layer: the GPAI Code of Practice.
This isn't just a document for the Anthropics and OpenAIs of the world. If your SaaS product uses any GPAI API and you deploy it to EU users, this Code shapes the contractual and technical obligations you'll need to satisfy — and the due diligence questions you must ask your AI providers before August arrives.
What Is the GPAI Code of Practice?
The GPAI Code of Practice (CoP) is a voluntary-but-consequential compliance framework developed under the EU AI Act's Article 56. The EU AI Office convened a working group of AI providers, civil society, and technical experts to produce it. The final Code is the primary mechanism through which GPAI providers demonstrate compliance with Articles 53 and 55 of the AI Act.
Key point for SaaS developers: the Code operates at the provider level (OpenAI, Anthropic, Google DeepMind), but its downstream effects flow directly into your products. When you sign an API terms of service with a GPAI provider, you are — explicitly or implicitly — accepting that their Code compliance posture defines the floor for your own.
The Code covers four main pillars:
- Transparency and copyright — what providers disclose about training data, model architecture, and content provenance
- Safety and risk management — how providers evaluate systemic risks before and after model deployment
- Incident reporting — procedures for notifying the EU AI Office when serious incidents occur
- Downstream deployer obligations — what GPAI providers must require of API customers like you
The August 2, 2026 Trigger
Article 113(1)(b) of the AI Act sets August 2, 2026 as the application date for Articles 53–55 — the GPAI-specific requirements. This means:
- GPAI providers must be Code-compliant or demonstrate equivalent measures by that date
- Deployers (SaaS companies like yours) must have updated their contracts, documentation, and technical integrations to match the Code's downstream requirements
- The EU AI Office begins active enforcement starting August 2026
The Code itself — in its current draft form — has been through multiple consultation rounds since late 2024. The final version is expected to be published in late June or early July 2026, giving deployers roughly 4–6 weeks to implement.
That means you should start compliance work now, based on the draft Code, rather than waiting for the final text.
What the Code Requires of GPAI Providers (and Why You Care)
Transparency Measures (Article 53(1)(d))
GPAI providers must publish a technical documentation package covering:
- Model architecture overview
- Training data description (sources, filtering, known limitations)
- Benchmark performance on standardised EU-approved test suites
- Known hazardous capability domains
For SaaS developers: Your AI Act Art.13 transparency notice to users (see post #3 in this series) can only be as accurate as what your GPAI provider discloses. If your provider publishes incomplete model cards, you have a gap in your own compliance chain. Audit your provider's documentation before August 2.
Copyright and Training Data (Article 53(1)(c))
Providers must maintain and publish a copyright compliance policy for training data. This includes:
- Opt-out mechanisms they've implemented
- Jurisdictional scope (EU vs. global)
- How they handled the Text and Data Mining (TDM) exception under the Copyright Directive
For SaaS developers: If your SaaS generates content that might be derivative of training data (legal document drafting, code generation, marketing copy), your liability chain runs through the provider's TDM compliance. Check that your API provider has published a compliant TDM policy. If they haven't, your outputs carry additional IP risk.
Systemic Risk Assessment (Article 55)
For systemic-risk GPAI models (currently those trained with >10^25 FLOPs — this covers GPT-4-class, Claude 3/4-class, and Gemini Ultra-class models), providers must:
- Conduct adversarial testing and red-teaming before major version releases
- Evaluate capability uplift for CBRN (chemical, biological, radiological, nuclear) threats
- Submit annual systemic risk reports to the EU AI Office
- Implement incident tracking and reporting within 72 hours of serious incident discovery
For SaaS developers using systemic-risk models: Your risk disclosure to users must acknowledge that the underlying model has been assessed for systemic risks. This is a new disclosure obligation that didn't exist in 2025. Update your AI transparency notice and terms of service accordingly.
What the Code Requires Downstream — Of You
The Code isn't purely between providers and regulators. Section 4 of the current draft establishes downstream deployer requirements that GPAI providers must cascade contractually.
Prohibited Use Pass-Through
If a GPAI provider's Code compliance includes prohibited-use restrictions (Art.5 of the AI Act), they are required to contractually prohibit you from enabling those uses in your deployment. This means:
- Review your API terms of service for any new prohibited-use clauses added in 2026
- Check that your own product's acceptable-use policy mirrors or extends these restrictions
- If you've built a product that could be used for any Art.5 prohibited practice (social scoring, subliminal manipulation, biometric categorisation), audit your use-case scope
Transparency Pass-Through
Providers must ensure you have sufficient information to comply with Art.13 user transparency obligations. The Code specifically requires providers to give deployers:
- A machine-readable "AI interaction indicator" flag that deployers can expose in their UI
- Model version identifiers for audit trail purposes
- Incident notification webhooks, fired when a model the deployer relies on has a safety incident
Action item: Check whether your provider offers these mechanisms. Anthropic, OpenAI, and Google have all published roadmaps for Code-aligned API updates — review their developer changelog between now and August 2.
Human Oversight Documentation
If your use case falls under high-risk AI (Art.6 + Annex III), the Code requires your GPAI provider to provide technical documentation sufficient to enable Art.14 human oversight. This includes:
- Model output confidence indicators
- Edge case and known failure mode disclosures
- Recommended override mechanisms
You need to verify this documentation exists in your provider's API reference before going live with any high-risk use case.
The Three Compliance Tiers for Deployers
Not all SaaS products face the same obligations. Here's how to position your product:
Tier 1: Systemic-Risk Model Deployers (Highest Burden)
If you use GPT-4-class, Claude 3/4-class, Gemini Ultra-class, or any model the AI Office classifies as systemic-risk:
- Verify that the provider has published its systemic risk assessment report (AI Office registry, post-August 2026)
- Update your Art.13 transparency notice to reference the model's systemic-risk status
- Implement the 72h incident reporting flow (receive the notification from the provider, escalate internally)
- Maintain model interaction logs for 24 months (Art.55(1)(e) audit requirement)
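The Tier 1 items above, together with the transparency pass-through mechanisms (AI interaction indicator, model version identifiers, incident webhooks), amount to a small piece of deployer-side plumbing. The following is an added example, not code from the sota.io post or from any provider: it keeps an interaction log carrying the model version identifier and the indicator flag, enforces the 24-month retention, and turns a verified incident webhook into an internal escalation record with a 72h deadline. The webhook payload shape, the HMAC-SHA256 signing scheme, the shared secret and the model version strings are assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ESCALATION_WINDOW = timedelta(hours=72)   # 72h incident flow from the post
RETENTION = timedelta(days=730)           # 24-month log retention, approximated as 730 days

@dataclass
class Interaction:
    ts: datetime
    model_version: str        # provider-issued model version identifier
    ai_indicator_shown: bool  # whether the Art.13 "AI interaction indicator" was exposed

LOG: list = []  # in-memory stand-in for the deployer's interaction audit log

def record(ts, model_version, ai_indicator_shown):
    LOG.append(Interaction(ts, model_version, ai_indicator_shown))

def purge_expired(now):
    """Drop entries older than the retention period; return how many remain."""
    LOG[:] = [e for e in LOG if now - e.ts < RETENTION]
    return len(LOG)

def verify_webhook(secret: bytes, body: bytes, signature_hex: str) -> bool:
    """HMAC-SHA256 over the raw body (assumed signing scheme, not any real provider's API)."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)

def handle_incident(secret, body, signature_hex, received_at):
    """Turn a verified provider incident into the internal escalation record."""
    if not verify_webhook(secret, body, signature_hex):
        raise ValueError("unauthenticated incident notification")
    payload = json.loads(body)  # assumed fields: incident_id, model_version, since
    since = datetime.fromisoformat(payload["since"])
    affected = [e for e in LOG if e.model_version == payload["model_version"] and e.ts >= since]
    return {
        "incident_id": payload["incident_id"],
        "escalate_by": received_at + ESCALATION_WINDOW,
        "affected_interactions": len(affected),
        "undisclosed_interactions": sum(1 for e in affected if not e.ai_indicator_shown),
    }

def demo():
    """Constructed sample data: three logged interactions and one signed incident webhook."""
    LOG.clear()
    now = datetime(2026, 8, 10, 12, 0, tzinfo=timezone.utc)
    record(now - timedelta(days=800), "gpai-x-2024.1", True)  # older than 24 months, purged
    record(now - timedelta(days=3), "gpai-x-2026.2", True)
    record(now - timedelta(days=1), "gpai-x-2026.2", False)   # indicator not shown: disclosure gap
    kept = purge_expired(now)
    secret = b"constructed-shared-secret"
    body = json.dumps({"incident_id": "INC-EXAMPLE-1", "model_version": "gpai-x-2026.2",
                       "since": (now - timedelta(days=5)).isoformat()}).encode()
    return kept, handle_incident(secret, body, hmac.new(secret, body, hashlib.sha256).hexdigest(), now)
```

The `undisclosed_interactions` count is the disclosure gap the post warns about: interactions with the affected model version where the user-facing indicator was never shown.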
Tier 2: Non-Systemic GPAI Deployers (Standard Burden)
If you use smaller or less capable GPAI models (sub-10^25 FLOP training, or models not on the AI Office's systemic-risk list):
- Verify provider's technical documentation package is accessible and current
- Ensure your Art.13 disclosure references GPAI involvement
- Include TDM/copyright compliance verification in your vendor due diligence
- Check provider's prohibited-use policy against your product's actual use cases
Tier 3: Limited GPAI Exposure (Minimal Burden)
If you use GPAI only for internal tooling (not user-facing) or for low-risk ancillary features:
- Document the limited-risk classification in your AI Act compliance register
- Ensure internal use doesn't inadvertently expand to user-facing deployment without re-classification
- Review annually as model capabilities increase
Practical Timeline for SaaS Developers
Now — May 2026
- Map every GPAI API your product uses against the AI Office's published provider registry
- Download the current draft Code of Practice and identify which sections affect your tier
- Initiate DPA/contract review with your GPAI providers: what Code obligations are they committing to contractually?
June 2026 (Final Code Publication Expected)
- Review final Code against your draft compliance implementation
- Update your AI transparency notices with Code-aligned language
- Issue internal developer guidance on the new Art.13 + Art.14 requirements
- Ensure human oversight mechanisms are technically implemented and documented
July 2026 (Last 30 Days)
- Final audit of all GPAI-powered features against the Code checklist
- Verify provider has been onboarded to AI Office registry (public-facing list expected)
- Update your product's AI system description in your internal AI Act compliance register
- Test incident notification workflows end-to-end
- Confirm your acceptable-use policy prohibits all Art.5 practices
August 2, 2026 (Application Date)
- Compliance must be in force by this date; it is the enforcement start, not a grace period
- EU AI Office enforcement actions begin — penalties for systemic-risk providers up to 3% of worldwide turnover; deployer enforcement through national market surveillance authorities
What Your Contracts Should Say
If you're negotiating or renewing API agreements with GPAI providers before August 2026, request explicit contractual representations on:
- Code of Practice adherence: "Provider represents that it adheres to the EU AI Act GPAI Code of Practice as published by the EU AI Office, or has implemented equivalent measures."
- Systemic-risk status notification: "Provider will notify Deployer within 30 days if any model covered by this agreement is classified as systemic-risk by the EU AI Office."
- Incident notification: "Provider will notify Deployer within 24 hours of any serious incident affecting models used under this agreement."
- Documentation access: "Provider will make available the technical documentation required under Art.53(1)(d) sufficient for Deployer to comply with Art.13 of the EU AI Act."
- TDM compliance certification: "Provider certifies its training data practices comply with the EU Copyright Directive TDM exception."
Not all providers will accept all of these — OpenAI, Anthropic, and Google publish compliance documentation publicly but often don't make contractual representations in standard API terms. Enterprise agreements are where these representations typically live.
The Anti-Pattern to Avoid
The most common GPAI compliance anti-pattern we see in SaaS products: treating the Code of Practice as a provider-only concern.
This thinking leads to gaps like:
- Disclosure gap: Provider is Code-compliant, but deployer's Art.13 notice doesn't reference GPAI involvement → user-facing compliance failure
- Log gap: Provider's API supports audit trail but deployer hasn't enabled it → Art.55 evidence gap in enforcement action
- Contract gap: Provider added prohibited-use clauses in 2026 API ToS update → deployer hasn't updated their own acceptable-use policy → indirect liability
Your job as a deployer is to receive the Code compliance from your provider and translate it into user-facing, legal, and technical implementations. The Code creates a chain of responsibility — every link must close.
Key Resources
- EU AI Office — GPAI Code of Practice working page (check for final publication)
- AI Act text — Articles 51–55 (GPAI obligations)
- EU AI Office — Systemic Risk Provider Registry (post-August 2026)
What's Next in This Series
Post #5 (final in the GPAI series) will be the complete GPAI developer toolkit — a consolidated checklist, template transparency notice, and model comparison matrix for all three major GPAI providers (Anthropic, OpenAI, Google) against the final Code of Practice requirements.
If you want to ensure your SaaS product is ready for August 2, the toolkit post will be your implementation reference.
sota.io helps European SaaS companies run compliant infrastructure in the EU. We track the EU AI Act, CRA, NIS2, and DORA so your engineering team doesn't have to.