Chapter V — General-purpose AI modelsArticle 56

Article 56: Codes of Practice for GPAI Models

In effect since 2 Aug 20255 min readEUR-Lex verified Apr 2026

Article 56 creates the codes of practice framework — the primary compliance pathway for GPAI model providers until harmonised standards are adopted. The AI Office facilitates the drawing up of codes, inviting GPAI providers, civil society, academia, and other stakeholders to participate. Codes must cover Article 53 baseline obligations and Article 55 systemic-risk duties. Adherence to a code creates a practical compliance presumption; providers who choose not to follow a code must demonstrate alternative adequate means of compliance. The Commission may approve a code as a common specification via implementing act.

Start free assessment All articles

Who does this apply to?

-Providers of GPAI models seeking a compliance pathway for Articles 53 and 55
-The AI Office (facilitating, monitoring, and publishing codes)
-Industry associations, civil society organisations, and academia invited to contribute
-Compliance teams deciding between codes of practice and alternative compliance evidence

Scenarios

A GPAI provider signs up to the AI Office's General-Purpose AI Code of Practice, implements its measures, and documents compliance.

Practical safe harbour: adherence to the code is presumed to demonstrate compliance with corresponding Article 53/55 obligations.

Ref. Art. 56

A provider chooses not to adhere to any code of practice and instead builds its own compliance framework referencing internal audits and third-party evaluations.

Permitted, but the provider must demonstrate to the AI Office that its alternative means are adequate — the burden of proof shifts to the provider.

Ref. Art. 56

The Commission finds that a code of practice insufficiently covers Article 53 obligations and adopts a common specification via implementing act.

The common specification becomes an alternative compliance reference. Codes of practice may need updating to align.

Ref. Art. 56 + Art. 41

How codes of practice work (plain terms)

Codes of practice are voluntary frameworks facilitated by the AI Office that translate the abstract obligations in Articles 53 and 55 into concrete, actionable measures. They are:

Not binding law — but adherence creates a practical compliance presumption
Developed through multi-stakeholder process — GPAI providers, downstream providers, civil society, academia
Published by the AI Office — with periodic review
Interim — they fill the gap until harmonised standards are adopted by European standardisation organisations

The hierarchy is: harmonised standards (strongest presumption) > common specifications (Commission implementing acts) > codes of practice (soft-law safe harbour).

What codes must cover

Article 56 requires that codes provide sufficient detail for providers to comply with:

For all GPAI providers (Article 53): - Technical documentation (Annex XI) - Information to downstream providers (Annex XII) - Copyright policy and text-and-data-mining compliance - Summary of training content

For systemic-risk providers (Article 55): - Model evaluation and adversarial testing - Systemic risk assessment and mitigation - Serious incident tracking and reporting - Cybersecurity protection

Codes may also include processes, tools, and metrics that demonstrate compliance without revealing trade secrets.

If you don't follow a code

Not adhering to a code of practice is not an infringement in itself. However:

1. The burden of proof shifts: you must demonstrate alternative adequate means of compliance to the AI Office 2. In enforcement proceedings, the AI Office may compare your practices against the code as a benchmark 3. Notified bodies, deployers, and regulators may expect code adherence as market practice

In practice, following a code is the path of least resistance unless you have genuinely superior compliance measures.

How Article 56 connects to the rest of the Act

Article 53 — Baseline GPAI obligations that codes help demonstrate compliance with.
Article 55 — Systemic-risk obligations that codes also cover.
Article 40 — Harmonised standards (stronger compliance presumption, when adopted).
Article 41 — Common specifications (Commission implementing acts, intermediate tier).
Article 64 — AI Office investigation powers that may assess code adherence.
Article 101 — GPAI fines — code adherence is relevant mitigation evidence.
Annex XI — Technical documentation requirements covered by codes.
Annex XII — Transparency information covered by codes.

Recitals (preamble) on EUR-Lex

The recitals in the same consolidated AI Act on EUR-Lex contextualise the co-regulatory approach, the multi-stakeholder process, and the transitional role of codes pending harmonised standards. Use the official preamble on EUR-Lex.

Compliance checklist

Monitor the AI Office for published codes of practice relevant to your GPAI model type.
Assess whether to adhere to a code or demonstrate alternative compliance means.
If adhering: implement all measures specified in the code and document evidence of implementation.
If not adhering: prepare a written justification with alternative compliance evidence for the AI Office.
Track harmonised standard development — codes will be superseded when standards are adopted.
Participate in code development processes where possible to influence practical measures.
Archive code versions and your compliance evidence for audit trail.

Read the official text on EUR-Lex

Evaluate code of practice alignment for your GPAI model—free assessment.

Start Free Assessment

Article 53: Obligations for Providers of General-Purpose AI Models

Article 55: Obligations for Providers of GPAI Models with Systemic Risk

Article 40: Harmonised Standards and Standardisation Deliverables

Article 41: Common Specifications

Article 51: Classification of GPAI Models with Systemic Risk

Article 64: European Artificial Intelligence Board

Article 101: Fines for Providers of General-Purpose AI Models

Article 113: Entry into Force and Application Dates

Annex XI: Technical Documentation for Providers of General-Purpose AI Models

Annex XII: Transparency Information for Providers and Users of GPAI Models

Related annexes

Annex XI — GPAI technical documentation (covered by codes)
Annex XII — Transparency information for GPAI (covered by codes)

Frequently asked questions

Are codes of practice mandatory?

No. They are voluntary. But non-adherence shifts the burden to demonstrate alternative compliance. In practice, they are the expected compliance pathway until harmonised standards exist.

Who writes the codes?

The AI Office facilitates; GPAI providers, downstream integrators, civil society, and academia contribute. The process is designed to be inclusive and iterative.

What happens when harmonised standards are adopted?

Harmonised standards provide a stronger compliance presumption and will progressively replace codes of practice. Providers may transition from code compliance to standard compliance.

Can a code protect me from fines?

Adherence does not guarantee immunity, but it is strong evidence of compliance effort. In enforcement proceedings, the AI Office considers code adherence as a positive factor.

On this page

Key terms

Code of practice: A voluntary, multi-stakeholder framework facilitated by the AI Office that translates Articles 53/55 into concrete compliance measures, creating a practical safe harbour.
Harmonised standard: A European standard developed by CEN/CENELEC at the Commission's request that, when followed, creates a presumption of conformity — stronger than codes of practice.
Common specification: A technical specification adopted by the Commission via implementing act when harmonised standards are insufficient — intermediate between codes and standards.

Maximum penalties (Art. 99)

3% of turnover / Non-adherence to a code is not directly sanctionable. However, non-compliance with underlying Articles 53/55 obligations triggers Article 101 fines (up to EUR 15M or 3%)
SMEs / start-ups: Proportionate to size
Code adherence provides mitigation evidence in enforcement proceedings.

Timeline

2 Aug 2025
Article 56 and Chapter V applied — AI Office facilitating codes of practice.

At a glance

Article: 56
Status: Applicable now
Timeline: 2 Aug 2025
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now