EU AI Act GPAI Obligations: The Code of Practice and the Enforcement Gap

The EU AI Act’s obligations for general-purpose AI (GPAI) models started applying on 2 August 2025. That sentence is true and routinely misread. “Started applying” is not the same as “enforceable,” and the gap between those two phrases — roughly a year — is where the most interesting EU AI governance question of 2026 lives. In the interim, a voluntary Code of Practice is doing the work that a binding harmonized standard eventually will. Understanding why that arrangement exists, and what it reveals about how the Act defines compliance before any fine is possible, is the point of this post.

What “applies from 2 August 2025” actually means

The AI Act phases in by obligation type. The GPAI provisions — the duties on providers of general-purpose AI models, set out in the Act’s GPAI chapter — became applicable on 2 August 2025. From that date, new GPAI models placed on the EU market are expected to comply.

Three timing details matter and are widely conflated:

• Models already on the market before 2 August 2025 have until 2 August 2027 to come into compliance. Existing models got a two-year runway; only new releases faced the obligations immediately.
• The Commission’s enforcement powers over GPAI providers — formal requests for information, model evaluations, requests for corrective action, penalties — do not begin until 2 August 2026. For the first year, the obligations apply but the AI Office’s enforcement toolkit is held back.
• Penalties for GPAI providers operate on that 2026 enforcement timeline, not the 2025 applicability date.

So as of this writing in 2026, the EU is in the interim window: GPAI obligations are live, providers are expected to meet them, but the regulator’s hard enforcement does not switch on until that August 2026 milestone. This is not a loophole; it is a deliberate grace period to let providers and the AI Office converge on what compliance looks like before anyone is fined for missing it.

The substantive GPAI obligations

Stripped to the load-bearing duties, a GPAI provider must:

• Maintain technical documentation of the model — its training and testing process, evaluation results — and make relevant information available to downstream providers who integrate the model into their own AI systems.
• Publish a sufficiently detailed summary of the training content, using a template the AI Office has provided. This is the transparency hook that lets the public and rights-holders understand, at a high level, what went into the model.
• Put in place a copyright policy to comply with EU copyright law, including respecting machine-readable rights reservations (opt-outs).

A subset of models — those classified as GPAI with systemic risk, generally the largest and most capable models above a compute threshold — carry heavier duties: model evaluation including adversarial testing, systemic-risk assessment and mitigation, serious-incident tracking and reporting to the AI Office, and cybersecurity protection for the model and its physical infrastructure.

The two-tier structure is the core design: baseline transparency and copyright duties for all GPAI providers, plus a systemic-risk regime for the frontier.

The Code of Practice: a voluntary bridge over a missing standard

Here is the structural problem the Code solves. The Act creates obligations, but the harmonized European standards that would tell providers precisely how to satisfy them do not yet exist — standards development runs on its own multi-year timeline. Between obligations-applicable (August 2025) and standards-available (later), providers needed a way to demonstrate compliance. The General-Purpose AI Code of Practice ↗ is that bridge.

The Code was delivered to the Commission on 10 July 2025, drafted by independent experts in a multi-stakeholder process, and the Commission and Member States confirmed its adequacy in the weeks that followed (the Commission approved it on 1 August 2025). It is organized around the obligation areas: transparency and copyright chapters that apply to all GPAI providers, and a safety and security chapter addressed to providers of models with systemic risk.

Crucially, the Code is voluntary. A provider does not have to sign it. But the incentive structure makes signing attractive:

• For signatories, the Commission will focus its oversight on monitoring adherence to the Code, treat adherence as a basis for trust, and may count Code commitments as a mitigating factor when setting fines.
• Non-signatories must demonstrate compliance “by other adequate means” — meaning they shoulder the burden of inventing and defending their own compliance evidence, without the safe-harbor-like benefit of the Commission’s blessing.

In other words: the Code is voluntary in form but load-bearing in practice. It is, for now, the clearest available answer to “what does compliance look like?” — which is why the major model providers’ decisions to sign or not sign it became a closely watched signal in late 2025.

The accountability question

From a watchdog vantage point, the interesting tension is this: the EU built an obligations regime, then deliberately suspended its own enforcement for a year and routed interim compliance through a voluntary instrument drafted partly by the regulated industry’s stakeholders. There are defensible reasons — you cannot fairly penalize providers against standards that don’t exist yet, and a voluntary code co-developed with industry is more likely to be technically workable than one imposed cold.

But it also means that for the first year of “applicable” GPAI obligations, the practical compliance bar was set by a document with no binding force, and the regulator’s leverage was reputational rather than legal. The real test arrives at the 2 August 2026 enforcement milestone, when the AI Office gains the power to demand information, evaluate models, and impose penalties. Until then, “the GPAI rules apply” describes a state of expectation, not a state of enforceable obligation — and that distinction is exactly the kind that gets flattened in coverage that treats a press release as analysis.

This is the same gap-between-text-and-teeth pattern we track in NIST AI RMF adoption and in the state-law patchwork: a framework can be widely “adopted” or “in force” on paper long before any mechanism exists to make non-compliance cost anything. With the EU GPAI regime, the paper-to-teeth transition has a date on it. Watch August 2026.

Sources

• AI Code of Practice — European Commission ↗ — primary source confirming the GPAI rules apply from 2 August 2025, the Code’s delivery on 10 July 2025, its voluntary nature, and its role bridging to harmonized standards.
• Guidelines for providers of general-purpose AI models — European Commission ↗ — the Commission’s guidance on who counts as a GPAI provider and the scope of the obligations.
• An Introduction to the Code of Practice for General-Purpose AI — EU AI Act (artificialintelligenceact.eu) ↗ — explainer on the transparency, copyright, and safety-and-security chapters and the signatory incentive structure.
• EU’s General-Purpose AI Obligations Are Now in Force, With New Guidance — Skadden ↗ — legal analysis confirming the enforcement timeline (powers from 2 August 2026; pre-2 August 2025 models compliant by 2 August 2027) and the signatory/non-signatory distinction.