EU General-Purpose AI Code of Practice

Updated 24 January 2026

The EU General-Purpose AI Code of Practice is an operational framework translating legal mandates into concrete, auditable engineering and risk management practices.
The framework defines clear classification metrics and technical tools—such as uncertainty estimation—to ensure transparency, fairness, and robust safety measures.
The CoP promotes industry alignment by mandating standardized documentation, dynamic risk registers, independent audits, and benchmarks for systemic-risk AI models.

A general-purpose AI (GPAI) Code of Practice (CoP) in the European Union is an operational framework designed to guide AI providers and deployers in aligning model development, deployment, and oversight with the obligations of the EU Artificial Intelligence Act (AI Act). The Code translates legal requirements—including transparency, safety, non-discrimination, accountability, traceability, and environmental sustainability—into concrete, auditable engineering and risk-management practices. The CoP functions both as an adjunct to binding regulation for “systemic risk” AI models and as voluntary best practice for the broader ecosystem, establishing technical, procedural, and governance standards for the responsible handling of GPAI systems (Valdenegro-Toro et al., 2024, Uuk et al., 2023, Uuk et al., 2024, Sun et al., 2024, Guldimann et al., 2024, Silva, 2024, Stelling et al., 21 Apr 2025, Prandi et al., 7 Aug 2025, Charnock et al., 17 Jan 2026).

1. Legal Mandate and Scope

The legal basis for a GPAI Code of Practice arises directly from the EU AI Act (Regulation (EU) 2024/1689). Article 3(63) defines a “general-purpose AI model” as one that displays significant generality (competently performing a wide range of distinct tasks) and can be integrated into various downstream applications, excepting models in research or prototyping (Silva, 2024). The Act assigns specific obligations to providers and deployers of such models, including robust technical documentation, support for interoperable integration, copyright and data provenance disclosures, risk-mitigation documentation, and enhanced obligations for models with "systemic risk" as determined primarily by a training compute threshold of Σ FLOPS_training ≥ 10^{25} (Silva, 2024). Codes of Practice are encouraged under Article 56, serve as an interpretive bridge to practical compliance, and, once endorsed, provide harmonized guidance across the EU (Silva, 2024, Uuk et al., 2023).

2. Classification and Distinction of General-Purpose AI

Accurate identification of GPAI is essential for regulatory compliance and scope delimitation. The CoP operationalizes the concept of “distinct tasks” with four approaches:

Quantity-based: System performs at least Q_{min} distinct tasks (e.g., Q_{min}=10).
Performance-based: Mean task performance $\bar{P}$ exceeds baseline or at least M_{min} tasks exceed performance threshold.
Adaptability-based: Zero-shot or few-shot generalization with threshold A_0 or A_5 (e.g., A_0 ≥ 0.50, A_5 ≥ 0.70).
Emergence-based: Qualitative jumps ΔP_{i} ≥ ΔP_{min} with scale (e.g., ≥0.30 between two model sizes) (Uuk et al., 2023).

A system may be classified as GPAI by exceeding a threshold in any one of these approaches. The framework mandates technical documentation, conformity assessment, pre-deployment impact assessment, dynamic risk registers, and independent audits for GPAI, especially for those at or above systemic risk compute levels (Uuk et al., 2023, Silva, 2024).

3. Core Principles and Compliance Mechanisms

The CoP operationalizes five central ethical principles:

Safety: Minimization of risk from unintended behaviors. Techniques include risk lifecycle management, robustness certification, adversarial training, and adversarial example defenses, with quantitative metrics such as certified robustness radius and attack success rate (Sun et al., 2024).
Transparency: Encompasses system-level documentation (model cards, data sheets), disclosure of AI-generated content, and explainability at both local (e.g., SHAP φᵢ(x)) and global scales. Metrics include explainability score (E-score) and calibration error (ECE) (Sun et al., 2024, Guldimann et al., 2024).
Non-discrimination: Prevention of biased outcomes through pre-, in-, and post-processing interventions; quantitative parity/odds constraints such as statistical parity difference (SPD) and equalized odds difference (EOD) (Sun et al., 2024, Guldimann et al., 2024).
Traceability: End-to-end provenance with event logs, version-controlled artifacts, watermarking, and reproducibility platforms (Sun et al., 2024, Guldimann et al., 2024).
Environmental Sustainability: Minimization of carbon footprint and energy use, benchmarked by CO₂eq emissions, energy per inference, and FLOPS-per-watt (Sun et al., 2024).

Implementation integrates lifecycle controls—data audits, fairness-aware training, monitoring hooks, watermarking, and energy-tracking—with formal documentation and periodic third-party assessment (Sun et al., 2024, Guldimann et al., 2024, Stelling et al., 21 Apr 2025).

4. Risk Management and Systemic Risk

The Code prescribes a comprehensive risk-governance architecture anchored on a taxonomy of 13 systemic risks, including loss of control, discrimination, democracy, security, environment, and more. Sources of risk are catalogued (e.g., model misalignment, deceptive alignment, autonomy risk), and mapping between technical function and observed risk is formalized as Risk = Probability × Severity (Uuk et al., 2024). Mandatory practices include:

Periodic systemic risk assessment and impact scoring across all categories.
Hazard-specific mitigation protocols (e.g., “kill switches” for control risk, fairness testing for discrimination, takedown SLAs for information risk).
Continuous monitoring, public risk disclosures, and annual reporting to designated agencies.
Multi-stakeholder governance structures and assigned institutional roles (Owner, Auditor, Incident Manager) (Uuk et al., 2024, Stelling et al., 21 Apr 2025).

Systemic-risk classification (compute ≥ 10^{{25} FLOPS)} triggers requirements for adversarial testing, continuous monitoring, cybersecurity hardening, and public transparency (Silva, 2024, Stelling et al., 21 Apr 2025).

5. Technical Tooling: Uncertainty Estimation

The CoP integrates uncertainty estimation as a core mechanism to fulfill transparency, accuracy, and oversight requirements (Valdenegro-Toro et al., 2024):

Aleatoric uncertainty: captures data noise.
Epistemic uncertainty: captures model uncertainty due to capacity or data coverage gaps.

Methodologies include deep ensembles, MC-Dropout (M stochastic forward passes), and deterministic UQ (DUQ). Mathematical formulations rely on ensemble mean μ(x) and predictive variance σ²(x), crucial for confidence metrics and threshold-based interventions (e.g., human-in-the-loop when σ(x) is high). These methods support compliance by:

Flagging “low‐confidence” predictions (risk management),
Triggering human review (oversight),
Enabling calibration and out-of-distribution detection (accuracy and robustness),
Logging for audit (traceability).

However, there is a computational tradeoff, as uncertainty methods can contribute toward threshold compute and hence, inadvertently, to systemic risk status (Valdenegro-Toro et al., 2024).

6. Access, Auditing, and Benchmarking

The CoP formalizes external evaluation by defining “appropriate access” along three dimensions: ModelAccess (black-, grey-, white-box), ModelInfo (minimal, substantial, comprehensive), and TimeFrame (short, standard, extended). Three access levels—AL1 (“best practice”: black-box, minimal info), AL2 (“state of the art”: grey-box, substantial info), AL3 (“more innovative”: white-box, comprehensive info)—structure required evaluator capabilities. Mapped directly to Code requirements, these access levels enable rigorous, risk-proportionate external assessment, red-teaming, and post-market monitoring (Charnock et al., 17 Jan 2026).

Benchmarking is recognized as critical but currently misaligned: Bench-2-CoP demonstrates that 90% of benchmark coverage focuses on hallucination, bias, and unreliability, with near-zero functional coverage for abilities such as self-replication or oversight evasion—capabilities critical to “loss of control” and cyber-offense risk (Prandi et al., 7 Aug 2025). Recommendations include: mandatory portfolios of evidence beyond public benchmarks, development of CoP-aligned evaluation suites, and minimal coverage thresholds for each risk-relevant capability and propensity (Prandi et al., 7 Aug 2025, Guldimann et al., 2024). The COMPL-AI suite illustrates the operational mapping from regulatory principles to quantitative technical metrics on LLMs, exposing compliance gaps and thresholds (Guldimann et al., 2024).

7. Industry Alignment and Implementation

Existing practice among leading providers converges with the Code’s requirements: tiered safety frameworks, milestone-based risk assessment, multi-stage evaluation (automation to red-teaming), adversarial training, incident reporting, non-retaliation protections, documentation, and periodic adequacy reviews (Stelling et al., 21 Apr 2025). However, harmonization and standardization gaps remain in SME support, quantitative threshold definitions, agent-ecosystem infrastructure, and public disclosure procedures.

A representative commitment structure in the CoP includes:

Commitment	Code Requirement/Practice	Alignment Notes
Safety & Security Framework	Documented, tiered systemic risk and governance frameworks	Strong among major providers; SMEs less mature
Lifecycle Risk Assessment	Milestone-based and periodic risk analysis	Converges at 2×–4× compute increments or 6–12 month cycles
Independent Assessor Access	External pre-market assessment, research APIs, safe-harbor terms	Widespread in major labs; SME formalization in progress
Documentation & Transparency	Model reports, audit trails, changelogs, adequacy reviews	Public reporting variable, especially among SMEs

Alignment analysis finds robust precedent for all major commitments, but ongoing regulatory development is expected to address public reporting, SME onboarding, coverage of emerging threats, and standardized notification procedures (Stelling et al., 21 Apr 2025, Charnock et al., 17 Jan 2026).

References:

(Valdenegro-Toro et al., 2024, Uuk et al., 2023, Uuk et al., 2024, Sun et al., 2024, Guldimann et al., 2024, Prandi et al., 7 Aug 2025, Silva, 2024, Stelling et al., 21 Apr 2025, Charnock et al., 17 Jan 2026)