
What to Know About the EU AI Code of Practice (and How It Complements ISO/IEC 42001)

Artificial intelligence is scaling faster than governance. In Europe, the EU Artificial Intelligence Act (AI Act) sets the legal backbone, with phased obligations and real penalties. To help general-purpose AI (GPAI) model providers operationalize early compliance, the European Commission released a voluntary GPAI Code of Practice on July 10, 2025, a practical “how-to” for transparency, copyright, safety, and security.

This guide explains what the Code contains, why it matters now, how it maps to ISO/IEC 42001 (the world’s first AI management system standard), and what you can do this quarter to be ready.

Quick Background: Why the GPAI Code Matters in 2025–2027

The AI Act entered into force on August 1, 2024 and applies in phases. For GPAI providers, obligations apply from August 2, 2025, with Commission enforcement powers from August 2, 2026. GPAI models released before August 2, 2025 must comply by August 2, 2027.

Non-compliance with certain AI Act provisions can bring fines up to €35 million or 7% of worldwide annual turnover (higher for prohibited practices). Even if you don’t sell in the EU, EU rules often shape global practice (the “Brussels effect”).

The GPAI Code of Practice is voluntary, but the Commission explicitly positions it as a tool to demonstrate conformity with AI Act Articles 53 (transparency, including copyright and training data summaries) and 55 (systemic risk, reporting, cybersecurity) for the most advanced models. Signatories can reduce administrative burden and gain legal certainty.

What the EU GPAI Code of Practice Actually Contains

Scope and Origin

Developed by independent experts via a multi-stakeholder process, the Code specifically targets GPAI models and bundles concrete measures across: Transparency, Copyright, and Safety & Security. The Commission hosts the chapters and supporting materials publicly.

The Three Chapters at a Glance

  • Transparency (Article 53): Includes a Model Documentation Form to disclose capabilities, limitations, intended use, evaluation results, and high-level training data information structured to satisfy Article 53’s transparency duties.
  • Copyright (Article 53): Guidance to address copyrighted content in training and manage notices, again mapped to Article 53 expectations.
  • Safety & Security (Article 55): For systemic-risk GPAI models, it sets out risk identification, mitigation, reporting obligations, and cybersecurity expectations aligned with Article 55.

Timelines and Enforcement (What Changes When)

  • Aug 2, 2025: GPAI obligations apply to new models placed on the EU market.
  • Aug 2, 2026: Commission enforcement powers begin (investigations, orders, fines).
  • Aug 2, 2027: Existing models (pre-Aug 2025) must be compliant.
    These milestones are confirmed by Commission materials and multiple legal analyses.

How the GPAI Code Aligns with ISO/IEC 42001 (and Why That Helps)

ISO/IEC 42001 is the international AI management system standard, a certifiable framework to establish, implement, maintain, and continually improve an AI Management System (AIMS) across the AI lifecycle. It operationalizes governance, risk, and controls, much like ISO/IEC 27001 did for information security.

Overlap between the GPAI Code and ISO/IEC 42001:

  • Risk Management: Identify, assess, and mitigate AI-specific risks; monitor in production; improve continuously.
  • Governance and Accountability: Define roles, responsibilities, and escalation paths, which are core to a management-system approach.
  • Transparency and Documentation: Maintain technical documentation, policies, training data summaries, and evaluation artifacts.
  • Incident and Lifecycle Controls: Establish evaluation protocols, post-deployment monitoring, and incident reporting.

Key difference: The Code is voluntary guidance tied to AI Act Articles 53 & 55 (GPAI-specific), while ISO/IEC 42001 is a certifiable management-system standard that applies to any organization developing or using AI, globally. Together, they offer both regulatory alignment (Code) and audit-ready structure (ISO/IEC 42001).

Note: The ANSI National Accreditation Board (ANAB) runs accreditation for certification bodies issuing ISO/IEC 42001 certifications; for example, Schellman announced ANAB accreditation to certify organizations to ISO/IEC 42001.

Compliance Deadlines You Can’t Miss (GPAI)

Dates at a Glance

  • Now → Aug 1, 2025: Prepare documentation, risk registers, copyright posture, and security baselines.
  • Aug 2, 2025: New GPAI models must comply at launch.
  • Aug 2, 2026: Enforcement powers begin—expect active supervision by the AI Office/Commission.
  • Aug 2, 2027: Existing GPAI models (pre-Aug 2025) must be fully compliant.

Penalties: Depending on the breach, fines can reach €35M or 7% global turnover (higher tiers for prohibited practices).

What the Code Expects in Practice (and How to Show It)

Transparency: What to Publish and When

  • Model documentation covering capabilities, intended uses/limitations, evaluation results, and training data summaries appropriate to Article 53 expectations.
  • Stakeholder-readable disclosures on where and how the model is appropriate and where it is not.
  • Traceability for significant versions.
    Use the Commission-provided Model Documentation Form to structure deliverables.

Copyright: Managing IP During Training

  • Processes to respect copyrighted content during training, honor opt-outs/exceptions where relevant under EU law, and respond to notices.
  • Documentation of training data sources and basis for lawful use.

Safety & Security (Systemic-Risk Models)

  • Systemic risk identification (e.g., capability misuse, proliferation, dual-use concerns).
  • Mitigation plans, red-teaming, and model-level security controls.
  • Incident reporting to the AI Office and national authorities as required by Article 55.

Mapping the Code to ISO/IEC 42001 Controls (Field Guide)

Below is a practical mapping to speed up your readiness:

  • Leadership & Policy (ISO/IEC 42001 Clauses on Context, Leadership, Planning): Establish an AI policy, scope your AIMS, define roles (e.g., Head of AI Governance), and set objectives/metrics (e.g., % models with published documentation, % incidents resolved within SLA). This supports the Code’s transparency and accountability aims.
  • Risk & Impact Management: Maintain AI-specific risk registers, impact assessments, and control plans; link red-team results and mitigations to tracked risks. Aligns with Code’s risk, safety, and systemic-risk expectations.
  • Lifecycle Controls: Define gates from training → eval → deployment; require eval protocols, usage constraints, and monitoring for drift/harm. Supports Code’s lifecycle and Article 55 monitoring posture.
  • Documentation & Evidence: Create a documentation kit (policy set, model card/model documentation form, training data summary, evaluation reports, deployment decision memos). Mirrors the Code’s Transparency chapter.
  • Incident Response: Add AI-specific triggers (capability emergence, unsafe outputs, security events) and reporting pathways to the AI Office/national authorities where applicable under Article 55.
  • Supplier/Third-Party Oversight: Extend AIMS controls to foundation model vendors, finetuning partners, and data providers (SLAs, documentation hand-offs, security requirements). ISO/IEC 42001 emphasizes governance across your ecosystem.

Your 90-Day Plan to Be GPAI- and ISO-Aligned

Days 0–30: Baseline & Scope

  1. Inventory models (foundation, finetuned, embedded) and flag which qualify as GPAI under the Act. Start a single source of truth for model metadata.
  2. Apply the Model Documentation Form from the Code to at least your top 1–2 revenue-relevant models.
  3. Create an AI policy package (policy + standard + procedure) aligned to ISO/IEC 42001 structure.

Days 31–60: Risk, Copyright, and Security

  1. Run an AI risk & impact assessment: map misuse risks, dual-use, privacy, bias/harms; capture mitigations and owners. (If you suspect systemic risk, prepare Article 55 reporting pathways.)
  2. Copyright posture: document training data sources/justification and mechanisms to handle notices/opt-outs per the Code’s Copyright chapter.
  3. Security hardening: align model/infrastructure security to the Code’s safety & security guidance; define eval protocols, red-team cadence, and abuse monitoring.

Days 61–90: Operationalization & Evidence

  1. Production monitoring & incident playbooks with thresholds for rollback/containment and AI-specific incident reporting.
  2. Supplier controls: update contracts with model vendors/hosting to require documentation and cooperation for audits and Code signatory expectations.
  3. Management review: institute a quarterly AIMS review (KPIs, incidents, corrective actions) to meet ISO/IEC 42001’s “continual improvement” and be evidence-ready for audits.

Frequently Asked Questions

Is signing the Code mandatory?

No. The GPAI Code of Practice is voluntary. But signatories gain legal certainty and a recognized route to demonstrate alignment with Articles 53 & 55 during enforcement ramp-up.

Do we still need ISO/IEC 42001?

The Code helps you show conformance to the AI Act. ISO/IEC 42001 gives you a certifiable management system that regulators, partners, and customers recognize globally. Many organizations pursue both: sign the Code (to align with EU expectations) and certify to ISO/IEC 42001 (to institutionalize controls and evidence for audits).

What’s the risk if we “wait and see”?

From August 2, 2026, the Commission can investigate and fine; by August 2, 2027, existing models must comply. Early adopters reduce disruption and avoid “paper-only” scrambles.

Who accredits ISO/IEC 42001 certification bodies?

In the U.S., ANAB accredits certification bodies for ISO/IEC 42001.

Action Checklist

  • Identify which models are GPAI; map to business risk.
  • Stand up ISO/IEC 42001-aligned governance (policy, roles, KPIs, management review).
  • Complete the Model Documentation Form and publish transparency summaries.
  • Establish copyright workflows (training data summaries, notices, opt-outs).
  • Implement safety & security evaluations, red-teaming, and incident playbooks (Article 55 if systemic risk).
  • Update supplier contracts to pass down obligations and evidence hand-offs.
  • Plan for 2025 launch compliance, 2026 enforcement, 2027 legacy model deadline.

Ready to move from theory to execution? Book a 30-minute consult with Elevate Consult to map your 90-day GPAI + ISO/IEC 42001 readiness plan.

Bottom Line

The GPAI Code of Practice gives model providers a credible, Commission-endorsed path to demonstrate AI Act alignment, especially on transparency (Article 53) and systemic-risk governance (Article 55), while ISO/IEC 42001 provides the auditable operating system for AI governance across your portfolio. Using them together positions you to reduce legal risk, simplify audits, and earn trust with customers and regulators ahead of the 2026–2027 enforcement window.