EU finalizes GPAI Code of Practice ahead of August deadline

The Code translates the EU AI Act's GPAI articles into concrete implementation expectations. Providers above the 10^25 FLOP systemic-risk threshold face the heaviest burden — model evaluations, adversarial testing, incident reporting, and cybersecurity protections. Providers below the threshold still face documentation and transparency requirements under Article 53.

The Code of Practice covers four main domains. **Transparency**: providers must publish model cards disclosing training data sources, known limitations, and benchmark performance. **Copyright**: training pipelines must implement opt-out mechanisms for rights holders by the August 2026 deadline. **Risk classification**: providers must self-assess whether their model meets the systemic-risk threshold, using a FLOP count methodology the Commission has now clarified. **Incident reporting**: confirmed AI-related incidents must be reported to national authorities within 72 hours — the same window as GDPR data breach notifications, which is deliberate.

For APAC enterprise teams that fine-tune or distribute foundation models touching EU users, the practical implication is immediate: begin assembling the technical documentation now. The compliance obligations attach to anyone placing a GPAI model on the EU market, regardless of where the provider is incorporated. A Hong Kong fine-tuning shop distributing a derivative model via EU cloud marketplaces is in scope.

AIMenta advises APAC clients to run a rapid gap analysis against the Code's four domains before the August 2026 deadline. The documentation burden for non-systemic-risk models is manageable — typically 2-4 weeks of legal and engineering time. For models that might cross the FLOP threshold (large multi-modal or domain-specific foundation models), the assessment is more complex and should begin immediately.