EU AI Act GPAI Code of Practice: What Changed in the June 2026 Final Version

The EU AI Act Code of Practice for general-purpose AI (GPAI) finalized in June 2026. Four drafting rounds, 1,000+ comments from providers and civil society, and a lot of negotiation over what counts as an "equivalent alternative measure" to Code adoption.

Here is what locked in, what changed from the April draft, and what GPAI providers need to do before August 2, 2026.

TL;DR: The final Code locks in three core obligations for GPAI providers: a published transparency template, a systemic risk assessment methodology for frontier models, and a copyright compliance framework. Providers must adopt the Code or demonstrate equivalent compliance by August 2, 2026. Fines for non-compliance go up to 3% of global annual turnover.

What the Code of Practice is (and is not)

The Code of Practice is not a law. It is a standards document developed by the AI Office in consultation with GPAI providers, academics, and civil society. GPAI providers can use it to demonstrate compliance with the EU AI Act's GPAI obligations (Articles 53-55).

The Code is quasi-mandatory. Providers who sign it and implement its measures get a presumption of compliance. Providers who do not use the Code must demonstrate compliance through alternative equivalent measures, a higher evidential burden. Most providers will adopt the Code.

The Code does not apply to pure deployers (companies that use GPAI models via API but do not develop or place models on the market). It applies to providers: companies that develop GPAI models and offer them via API, as open weights, or embedded in products accessible to EU users.

What finalized in June 2026

Transparency template (all GPAI providers)

Every GPAI provider must publish a standardized disclosure document covering:

• Model name and version
• Intended purposes and reasonably foreseeable uses
• Training data summary (data sources, approximate volume, whether web-scraped data was used, data collection period)
• Whether the model was trained on personal data
• Copyright compliance process (what steps were taken to respect rightsholders)
• Known limitations and risks
• Contact point for downstream deployers

The final version made two changes from the April draft. First, the training data summary requirement was narrowed: providers no longer need to disclose specific datasets by name, only category (web data, licensed data, synthetic data). Second, the contact point requirement was clarified to mean a technical contact for deployers asking about the model's capabilities, not a public-facing support line.

Systemic risk assessment (frontier model providers only)

Providers of GPAI models trained on more than 10^25 FLOPs face additional obligations. The final Code specifies the methodology:

Evaluation scope: Adversarial testing (red teaming) must cover at minimum: cybersecurity attack assistance, biological/chemical weapon development assistance, large-scale disinformation generation, and critical infrastructure vulnerability exploitation.

Evaluation cadence: Before deployment, before each major update (defined as a change affecting capabilities or safety properties), and at least annually.

Serious incident reporting: Within 2 weeks of becoming aware of a serious incident (defined as a misuse that caused or is reasonably likely to cause serious harm to persons, critical infrastructure, or democratic processes).

Mitigation measures: Providers must implement at least one mitigation for each identified high-probability risk. The Code lists acceptable mitigation types: model-level controls (fine-tuning, RLHF), deployment-level controls (API filtering, rate limiting), and downstream deployer contractual requirements.

What changed from the April draft: the definition of "serious incident" was narrowed. The April draft required reporting for any misuse causing harm. The final version limits mandatory reporting to misuse causing serious harm, and clarifies that providers are not required to proactively monitor for misuse beyond what their logging and feedback systems already capture.

Copyright compliance framework (all GPAI providers)

GPAI providers must implement a process to honor opt-out signals from rightsholders who do not want their content used for training. The final Code specifies three acceptable opt-out mechanisms:

1. robots.txt Disallow directives (web crawling)
2. The EU AI Act's forthcoming opt-out registry (to be established by the AI Office)
3. Direct rightholder agreements documented and accessible to the AI Office on request

What changed from the April draft: the April draft required providers to retrospectively demonstrate that historical training data complied with rightholder opt-outs. The final version limits this obligation to prospective compliance: providers must implement the opt-out process for future training runs, and document efforts to honor opt-outs for historical data where feasible.

What did not change from draft to final

The core structure stayed intact:

• Tiered obligations (transparency for all GPAI, systemic risk assessment for frontier models)
• The 10^25 FLOP threshold for systemic risk
• The 3% global turnover cap for fines
• The requirement for downstream deployer information sharing (providers must give deployers enough information to comply with their own obligations)
• The AI Office's right to request models, documentation, and test results

7-step action checklist for GPAI providers

If you develop or offer a general-purpose AI model to EU users, here is what to do before August 2, 2026:

Step 1: Confirm you are a GPAI provider Use the 8-question self-test linked below. The key question: do you develop an AI model with broad capabilities and make it available to third parties? If yes, you are a GPAI provider regardless of where you are based.

Step 2: Assess whether you are above the systemic risk threshold If your model was trained on more than 10^25 FLOPs, you are presumed to pose systemic risk. If you are below the threshold, you have transparency-only obligations.

Step 3: Prepare the transparency template Draft the disclosure document using the categories in the final Code. The training data summary does not require per-dataset disclosure, only category-level (web, licensed, synthetic). Publish it in a publicly accessible location.

Step 4: For frontier model providers: complete the adversarial evaluation Schedule red team evaluations covering the four required risk categories. Document the methodology, results, and mitigations. This documentation must be available to the AI Office on request.

Step 5: Implement the copyright compliance process Configure your web crawlers to respect robots.txt Disallow directives. Document your rightholder opt-out process. Prepare a written description of your copyright compliance approach for the transparency template.

Step 6: Set up serious incident reporting (frontier models) Establish a reporting process: who receives reports, how they are escalated, what threshold triggers a report to the AI Office. Configure your incident log to capture the information required by the Code.

Step 7: Sign the Code (or document your alternative approach) If adopting the Code: register with the AI Office's GPAI compliance platform when it launches. If taking an alternative approach: prepare written documentation of your equivalent measures. Alternative measures face a higher review burden.

What downstream deployers need from GPAI providers

If you use a GPAI model via API (for example, the OpenAI API, Anthropic's Claude API, or Google's Gemini API), you are a downstream deployer, not a GPAI provider. The Code does not impose obligations on you directly.

But the Code does require GPAI providers to give deployers what they need to comply with their own EU AI Act obligations. Specifically, the Code requires providers to furnish an information package that includes:

• A description of the model's capabilities and limitations relevant to high-risk AI applications
• Instructions for safe deployment in specific use cases
• Information about known biases and their potential impact on protected groups
• Any restrictions on use (uses the provider prohibits via their terms of service)

Deployers should request this package from their GPAI API providers before August 2, 2026. If your provider cannot supply it, that is a vendor compliance risk worth flagging in your vendor due diligence review.

Enforcement timeline

The AI Office has indicated it will prioritize enforcement against providers with broad EU market reach. Providers that sign onto the Code early and demonstrate good-faith implementation are less likely to face immediate enforcement action.

How to assess whether the Code applies to your organization

Three questions:

1. Do you develop an AI model (rather than only using someone else's model via API)? If no, you are a deployer. The Code does not apply to you as a provider. Your obligations come from the high-risk AI provisions and Article 50.

2. Is your model general-purpose (can it perform a wide range of tasks, not just one specific task)? Models trained for a specific task only (a document classifier, an image labeler for one product category) are not GPAI models. Models capable of broad tasks including text generation, code generation, translation, and question answering are GPAI models.

3. Do EU users have access to your model? If your model is available via API, as open weights, or embedded in any product accessed by EU users, you are placing a GPAI model on the EU market. You are a GPAI provider regardless of where your company is incorporated.

If all three answers are yes, the Code applies to you. Use the 8-question self-test linked below to confirm.

What the Code does not cover

The Code applies to GPAI providers. It does not address:

• Obligations of downstream deployers who use GPAI models (covered by the EU AI Act's high-risk AI system provisions and Article 50 transparency obligations)
• Obligations related to AI content labeling and deepfake disclosure (covered by Article 50, separate from the GPAI framework)
• National AI liability frameworks being developed in parallel by member states

For a full picture of EU AI Act obligations that apply to your organization, see the August 2026 compliance checklist linked below.

Related reading

• Are you a GPAI provider? 8-question self-test
• EU AI Act GPAI compliance checklist, August 2 deadline
• EU AI Act August 2026 compliance checklist
• AI regulation deadline calendar 2026