Lesson10 minChapter 6 of 9
Codes of Practice
How codes of practice support GPAI compliance.
Codes of Practice (Article 56)
Learning Objectives
By the end of this chapter, you will be able to:
- Explain the legal role and effect of codes of practice under Articles 56 and 53(4)
- Understand the development process and stakeholder involvement framework
- Evaluate when code adherence provides adequate compliance demonstration
- Identify limitations of codes and situations requiring additional measures
- Develop strategies for code participation and implementation
The Legal Framework for Codes of Practice
The AI Act establishes codes of practice as a co-regulatory mechanism—voluntary industry frameworks that, when followed, provide a presumption of compliance with specific obligations.
Relevant Articles
| Article | Title | Key Provision |
|---|---|---|
| Article 56 | Codes of practice | AI Office encourages and facilitates code development |
| Article 53(4) | Presumption of conformity | Compliance with codes creates rebuttable presumption |
| Article 52 | Free movement | Codes contribute to consistent application |
| Recital 116 | Context | Codes provide practical guidance, especially pre-standards |
Legal Effect of Codes
| Effect | Description | Practical Implication |
|---|---|---|
| Presumption of Conformity | Compliance with code = presumed compliance with corresponding obligation | Reduced regulatory burden if following endorsed code |
| Rebuttable Presumption | Not absolute—authorities can still require evidence | Must be able to demonstrate actual implementation |
| Voluntary Participation | No mandatory requirement to follow codes | Alternative compliance paths remain available |
| Not Safe Harbour | Does not eliminate liability or prevent enforcement | Underlying legal obligations remain |
Expert Insight
Codes of practice fill an important gap. The AI Act sets high-level requirements but doesn't specify implementation details. Before harmonised standards are adopted, codes provide the most authoritative practical guidance. After standards exist, codes may still cover areas not addressed by standards.
Article 56: Development Framework
AI Office Role
Article 56 establishes the AI Office as facilitator of code development:
| AI Office Responsibility | Activities |
|---|---|
| Encourage development | Outreach, convening stakeholders, providing resources |
| Facilitate drafting | Coordinate working groups, manage process |
| Consider international approaches | Align with global standards and practices |
| Draw up templates | Provide model structures for code development |
| Publish codes | Make endorsed codes publicly available |
Stakeholder Categories
Article 56(3) mandates involvement of diverse stakeholders:
| Stakeholder Category | Role in Code Development | Expertise Contribution |
|---|---|---|
| GPAI Providers | Practical implementation insight | Technical feasibility, operational reality |
| Downstream Providers | User perspective | Integration requirements, information needs |
| Civil Society | Public interest representation | Rights protection, social impact |
| Scientific Community | Technical and research expertise | State-of-the-art assessment, emerging risks |
| Industry Associations | Sector coordination | Best practices, collective implementation |
| National Authorities | Regulatory perspective | Enforcement expectations, legal interpretation |
Development Process
| Phase | Activities | Timeline (Indicative) |
|---|---|---|
| Initiation | AI Office convenes stakeholders, defines scope | 1-2 months |
| Drafting | Working groups develop provisions | 3-6 months |
| Consultation | Broader stakeholder input, public comment | 1-2 months |
| Revision | Incorporate feedback, finalise text | 1-2 months |
| Endorsement | AI Office review and publication | 1 month |
| Implementation | Providers adopt and implement | Ongoing |
| Review | Periodic updates based on experience | Annual or as needed |
Scope and Content of Codes
Areas Covered by Article 56(4)
| Area | Corresponding Obligation | Code Content May Include |
|---|---|---|
| Technical Documentation | Article 53(1)(a) | Templates, formats, level of detail |
| Training Data Summaries | Article 53(1)(d) | Summary structure, disclosure categories |
| Copyright Compliance | Article 53(1)(c) | Opt-out detection methods, reservation verification |
| Downstream Information | Article 53(1)(b) | Information packages, update procedures |
| Systemic Risk Evaluation | Article 55(1)(b) | Assessment methodologies, risk categories |
| Adversarial Testing | Article 55(1)(a) | Testing protocols, documentation standards |
Code Structure Template
A well-designed code of practice typically includes:
| Section | Content | Purpose |
|---|---|---|
| Scope and Application | What obligations covered, which providers | Clarity on coverage |
| Definitions | Key terms as used in the code | Consistent interpretation |
| Requirements | Specific measures to implement | Practical guidance |
| Documentation Standards | What records to maintain | Evidence of compliance |
| Self-Assessment | Checklists, verification procedures | Internal compliance checking |
| Governance | Code administration, update procedures | Living document management |
| Complaints and Disputes | Resolution mechanisms | Accountability |
Code vs. Harmonised Standards
| Aspect | Codes of Practice | Harmonised Standards |
|---|---|---|
| Development body | AI Office facilitated, stakeholder-driven | European Standardisation Organisations (ESOs) |
| Legal basis | Article 56 | Article 40 |
| Presumption of conformity | Yes (Article 53(4)) | Yes (Article 40) |
| Mandatory requirements | No | No |
| Technical detail | Moderate | High |
| Development time | Faster | Slower (standardisation process) |
| Update flexibility | Higher | Lower |
Presumption of Conformity (Article 53(4))
How the Presumption Works
Article 53(4) provides:
"GPAI model providers that adhere to a code of practice as referred to in Article 56 until a harmonised standard is published shall be deemed to be in compliance with the obligations set out in paragraph 1..."
| Element | Explanation |
|---|---|
| Adherence | Actually following the code's provisions |
| Until harmonised standard | Codes bridge the gap before standards |
| Deemed to be in compliance | Rebuttable presumption—compliance is assumed |
| Corresponding obligations | Only obligations the code addresses |
Rebuttable Presumption
The presumption can be overcome:
| Situation | Effect on Presumption |
|---|---|
| Evidence of non-implementation | Presumption does not apply |
| Code provisions inadequate for specific case | May require additional measures |
| Novel risks not covered | Code compliance insufficient |
| Commission concerns | May require additional evidence |
| Enforcement action | Authority can examine underlying compliance |
Demonstrating Code Adherence
| Evidence Type | Description | Weight |
|---|---|---|
| Self-declaration | Provider's statement of adherence | Baseline |
| Documentation | Records showing implementation | Strong |
| Third-party audit | Independent verification | Strongest |
| Certification | Formal code certification (if available) | Strongest |
Compliance Note
Simply stating you follow a code is insufficient. You must be able to demonstrate actual implementation through documentation and evidence. Prepare as if the presumption will be challenged.
Participating in Code Development
Strategic Considerations for Providers
| Participation Level | Benefits | Resource Investment |
|---|---|---|
| Active participation | Influence provisions, early insight | High (staff time, expertise) |
| Observation | Awareness of developments | Moderate |
| Adoption only | Benefit from compliance path | Low (implementation cost) |
Effective Participation Strategies
| Strategy | Activities | Outcomes |
|---|---|---|
| Early engagement | Join working groups, respond to consultations | Shape code content |
| Evidence submission | Provide data on feasibility, costs | Practical provisions |
| Coalition building | Coordinate with similar providers | Collective voice |
| Expert contribution | Offer technical expertise | Credibility and influence |
| Implementation feedback | Report on pilot implementation | Workable provisions |
Implementation Planning
| Phase | Activities | Timing |
|---|---|---|
| Pre-publication | Monitor drafts, begin preparation | During development |
| Publication | Gap analysis vs. current practices | Immediately |
| Implementation | Adjust processes, systems, documentation | 3-6 months |
| Verification | Internal audit, evidence gathering | Ongoing |
| Maintenance | Monitor code updates, adjust as needed | Continuous |
Limitations and Considerations
When Codes May Be Insufficient
| Situation | Why Code May Not Suffice | Additional Measures |
|---|---|---|
| Novel model capabilities | Code may not address new risks | Bespoke risk assessment |
| Systemic risk classification | Higher scrutiny expected | Enhanced documentation |
| Commission concerns | Specific provider attention | Direct engagement |
| Rapid capability evolution | Code may lag developments | Proactive updates |
| Cross-border issues | Different authority interpretations | Multi-jurisdiction approach |
| Incident response | Code provides framework only | Operational procedures |
Codes and Enforcement
| Enforcement Scenario | Role of Code Adherence |
|---|---|
| Compliance inquiry | Code adherence creates initial presumption |
| Investigation | Authority may look beyond code compliance |
| Corrective measures | May require measures beyond code |
| Penalties | Code adherence may be mitigating factor |
| Court proceedings | Evidence of good faith and reasonable care |
Multiple Codes
Some obligations may be addressed by multiple codes. Consider:
| Consideration | Approach |
|---|---|
| Overlapping codes | May follow either; choose most applicable |
| Conflicting provisions | Assess which provides better compliance |
| Complementary codes | May combine for comprehensive coverage |
| Sector-specific codes | May supplement general GPAI codes |
Current and Expected Codes
AI Office Code Development Status (as of 2025)
| Code Area | Status | Expected Timeline |
|---|---|---|
| GPAI General Code | In development | Q3 2025 |
| Systemic Risk Code | In development | Q3-Q4 2025 |
| Training Data Summary Code | Under consideration | 2025-2026 |
| Copyright Compliance Code | Under consideration | 2025-2026 |
Industry-Led Initiatives
| Initiative | Focus | Relevance to AI Act |
|---|---|---|
| Partnership on AI | Responsible AI practices | May inform code content |
| OECD AI Principles | International alignment | Referenced in AI Act |
| ISO/IEC standards | Technical standards | May become harmonised standards |
| Sector codes | Industry-specific guidance | Complementary to general codes |
Compliance Strategy
Code-Based Compliance Approach
| Step | Actions | Documentation |
|---|---|---|
| 1. Identify applicable codes | Review AI Office publications | Code applicability assessment |
| 2. Gap analysis | Compare current practices to code | Gap analysis report |
| 3. Implementation plan | Develop remediation roadmap | Project plan |
| 4. Implement changes | Update processes, documentation | Implementation records |
| 5. Evidence collection | Document code adherence | Compliance dossier |
| 6. Monitoring | Ongoing compliance verification | Audit reports |
| 7. Update response | Adapt to code revisions | Change management |
Maintaining Code Adherence
| Activity | Frequency | Responsible |
|---|---|---|
| Code update monitoring | Continuous | Compliance team |
| Internal compliance audits | Annual | Internal audit |
| Documentation review | Quarterly | Operations |
| Evidence refresh | Annual | Compliance team |
| Stakeholder engagement | Ongoing | External affairs |
What You Learned
Key concepts from this chapter
**Codes of practice** provide practical guidance on implementing GPAI obligations, especially before harmonised standards exist
**AI Office facilitation** ensures stakeholder involvement and alignment with regulatory expectations
**Presumption of conformity** (Article 53(4)) rewards code adherence but is rebuttable—evidence of implementation is essential
Codes are **not a safe harbour**—underlying legal obligations and liability remain
**Active participation** in code development provides influence and early insight
Chapter Complete
GPAI Compliance
6/9
chapters