Tag: general purpose ai models

  • GPAI Code of Practice Signatories: Who Signed and What It Means for Research Tool Vendors

    As of mid-2026, Amazon, Anthropic, Google, IBM, Microsoft, OpenAI, Mistral AI and Aleph Alpha have signed the EU’s General-Purpose AI Code of Practice in full, xAI has signed only its Safety and Security chapter, and Meta has declined to sign at all. For research offices and publishers procuring AI-enabled tools, a vendor’s foundation-model supplier and that supplier’s gpai code of practice signatories status is now a material, checkable compliance signal.

    The General-Purpose AI Code of Practice (GPAI CoP) is a voluntary compliance framework, published by the European Commission on 10 July 2025, that lets providers of general-purpose AI models demonstrate adherence to the transparency, copyright and safety obligations of the EU AI Act’s Articles 53 and 55.

    Which AI labs have signed the Code of Practice?

    The European Commission maintains and continuously updates a public list of signatories on its digital-strategy portal. Signatories were first published on 1 August 2025, one day before the AI Act’s GPAI obligations took effect on 2 August 2025. The largest foundation-model providers active in academic and publishing tooling have signed all three chapters.

    Provider Signature status Chapters covered
    OpenAI Full signatory Transparency, Copyright, Safety and Security
    Microsoft Full signatory Transparency, Copyright, Safety and Security
    Google Full signatory Transparency, Copyright, Safety and Security
    Amazon Full signatory Transparency, Copyright, Safety and Security
    Anthropic Full signatory Transparency, Copyright, Safety and Security
    IBM Full signatory Transparency, Copyright, Safety and Security
    Mistral AI Full signatory Transparency, Copyright, Safety and Security
    Aleph Alpha Full signatory Transparency, Copyright, Safety and Security
    xAI Partial signatory Safety and Security only
    Meta Non-signatory None

    A Signatory Taskforce, chaired by the EU AI Office, was established to help signing providers implement the Code consistently and to keep the commitments current as models are updated. Institutions should check the Commission’s live list before relying on any third-party summary, including this one, since new signatories are added on a rolling basis.

    Which major providers have not signed, and why?

    Meta is the most significant non-signatory. In July 2025, Meta’s Chief Global Affairs Officer Joel Kaplan stated that the Code introduces legal uncertainties and obligations that “go far beyond the scope of the AI Act,” and confirmed Meta would not sign. xAI took a narrower position, signing only the Safety and Security chapter while rejecting the Transparency and Copyright chapters as, in the company’s view, potentially harmful to innovation.

    • Meta — declined to sign any chapter
    • xAI — signed Safety and Security only; declined Transparency and Copyright
    • Alibaba, Baidu and DeepSeek — no public commitment to sign as of early 2026

    Declining to sign does not exempt a provider from the AI Act itself. The Code is a voluntary route to demonstrating compliance; the underlying legal obligations in Articles 53 and 55 remain binding on any GPAI provider placing a model on the EU market, signatory or not.

    What does signing actually commit a provider to?

    The Code is organised into three chapters, each addressing a distinct obligation under the AI Act. Signing the full Code commits a provider to detailed documentation, copyright policy and, for the largest models, systemic-risk management.

    • Transparency — model documentation covering capabilities, limitations and training-data summaries, shared with downstream providers on request within 14 calendar days.
    • Copyright — a policy aligned with EU copyright law, including respecting rights-holder opt-outs and mitigating infringing outputs.
    • Safety and Security — applies only to models classified as carrying systemic risk (broadly, those trained above 1025 floating-point operations, per Article 55); requires independent external evaluation, incident reporting and a documented risk-management framework.

    Non-signatories that provide GPAI models must still satisfy Articles 53 and 55 through other means and face closer supervisory scrutiny from the AI Office. Under Article 101 of the AI Act, the Commission can fine GPAI providers up to €15 million or 3% of total worldwide annual turnover, whichever is higher, for breaches of these obligations — the same penalty tier applies regardless of Code signature status.

    What this means for research-tool vendor risk assessments

    Research offices, publishers and institutional procurement teams rarely contract directly with foundation-model developers. They contract with the AI-enabled research tools — plagiarism and integrity checkers, peer-review triage systems, writing and translation assistants, literature-discovery platforms — built on top of those models. The signatory status of the underlying model provider is a proxy for how much documentation, incident transparency and risk evidence a research-tool vendor can realistically pass through to an institutional buyer.

    A vendor built on a full Code signatory’s model can typically point to a standardised Model Documentation Form, published training-data summaries, and (for systemic-risk models) an externally evaluated Safety and Security Model Report. A vendor built on a non-signatory model has none of this by default; it must obtain equivalent assurances directly from its model supplier or demonstrate compliance through bespoke documentation, which is harder for a research office to verify at procurement stage.

    • Ask vendors which foundation model(s) power their product and whether that provider is a full, partial or non-signatory.
    • For partial signatories such as xAI, confirm whether the tool relies on capabilities covered only by the unsigned Transparency or Copyright chapters.
    • Where a vendor relies on a non-signatory model, request the provider’s own AI Act compliance documentation directly, rather than accepting the vendor’s assurance alone.
    • Track the Commission’s signatory list periodically — a vendor’s compliance posture can change as its underlying model supplier’s status changes.

    This procurement lens is distinct from the legal-compliance framing most coverage of the Code takes: research administration offices are not GPAI providers themselves, but they inherit downstream documentation risk every time they adopt an AI-enabled tool, a consideration that belongs alongside existing due-diligence practice for research administration vendor reviews.

    Common questions on GPAI Code of Practice signatories

    What is a GPAI system?

    A general-purpose AI (GPAI) model is a foundation model, such as those underpinning ChatGPT, Gemini or Claude, capable of performing a wide range of tasks without being built for one specific use. Under the AI Act, providers of GPAI models placed on the EU market carry distinct transparency and, above certain compute thresholds, systemic-risk obligations.

    What happens if a provider does not sign the Code of Practice?

    A non-signatory is not exempt from the AI Act. It must demonstrate compliance with Articles 53 and 55 through alternative means, and the EU AI Office has indicated it will apply closer regulatory scrutiny to non-signatories, increasing enforcement uncertainty relative to signatories.

    What are the penalties for GPAI Act non-compliance?

    Under Article 101 of the AI Act, the Commission can fine a GPAI provider up to €15 million or 3% of total worldwide annual turnover, whichever is higher, for breaches of the transparency, copyright or systemic-risk obligations, independent of whether the provider signed the Code.

    Can a provider sign only part of the Code of Practice?

    Yes. xAI signed only the Safety and Security chapter of the Code, declining the Transparency and Copyright chapters. Partial signature means a provider gains reduced administrative burden for the chapters it signed, while still needing to demonstrate compliance with the others through other evidence.

    Outlook for research administration

    The signatory list will keep shifting as new models cross the compute thresholds in Articles 53 and 55, and as the Signatory Taskforce publishes further implementation guidance. Research offices building AI-tool procurement checklists should treat Code of Practice status as one input alongside existing vendor due-diligence questions on data provenance, licensing terms and institutional data protection — not as a substitute for direct verification against the Commission’s live signatory list.

  • EU AI Act GPAI Code of Practice for Procurement

    The EU AI Act GPAI Code of Practice is a voluntary framework, published 10 July 2025 under Article 56, that lets general-purpose AI model providers demonstrate compliance with the Act’s transparency, copyright and safety obligations. Most major providers have signed; Meta and leading Chinese developers have not — a distinction procurement teams should weigh directly.

    The EU AI Act GPAI Code of Practice is the European Commission’s stopgap compliance tool for general-purpose AI (GPAI) model providers: a set of voluntary commitments, confirmed adequate by the Commission and the EU AI Board, that bridges the gap between the AI Act’s legal obligations and the harmonised European standards still years from adoption. For research institutions now procuring AI writing assistants, literature-review tools, and data-analysis copilots — most of which are built on a small number of underlying GPAI models — signatory status has become a practical, checkable proxy for regulatory risk.

    What is the EU AI Act GPAI Code of Practice?

    Article 56 of the EU AI Act establishes the Code of Practice as a voluntary mechanism GPAI model providers can use to demonstrate compliance with the obligations set out in Articles 53 and 55, until dedicated harmonised European standards are drafted by CEN-CENELEC — a process expected to take until 2027 or later. The final Code was published on 10 July 2025, following a multi-stakeholder drafting process the AI Office launched in October 2024.

    The Code has three chapters. The Transparency and Copyright chapters apply to every GPAI model provider placing a model on the EU market. The Safety and Security chapter applies only to providers of GPAI models with systemic risk — models presumed to meet that threshold once cumulative training compute exceeds 10^25 floating-point operations (FLOP). Epoch AI’s tracking of large-scale models puts the number of providers currently above that threshold at roughly 11 to 15 worldwide, meaning the systemic-risk chapter is a small-club obligation while transparency and copyright commitments apply far more broadly.

    GPAI obligations have applied since 2 August 2025. Enforcement — requests for information, model access, or recalls — begins 2 August 2026; providers of models already on the market before August 2025 have until 2 August 2027 to reach full compliance. Signatories get that runway with reduced scrutiny; non-signatories must prove compliance by other, more burdensome, means from day one.

    One point of confusion worth clearing up: the GPAI Code of Practice (Article 56) is not the separate Code of Practice on marking and labelling AI-generated content that the Commission published in June 2026 under Article 50. The two cover different obligations — model-level transparency and safety versus output-labelling — and procurement teams should confirm which one is relevant to the tool in question.

    Who has signed the GPAI Code of Practice — and who hasn’t?

    The Commission publishes and maintains the official signatory list. Signatories include OpenAI, Anthropic, Google, Microsoft, Amazon, IBM, France’s Mistral AI, and Germany’s Aleph Alpha — the providers behind most GPAI models embedded in commercially available research and productivity tools.

    Two gaps matter for procurement due diligence:

    • Meta has publicly declined to sign the Code, citing legal uncertainty over some of its transparency and copyright commitments.
    • Major Chinese developers — including Alibaba, Baidu, and DeepSeek — have not signed, leaving their models entirely outside the Code’s voluntary compliance pathway for EU deployments.
    • xAI has signed only the Safety and Security chapter, not the Transparency or Copyright chapters — a partial-adherence position that is easy to miss if a procurement team checks “has this vendor signed the Code?” as a single yes/no question rather than chapter by chapter.

    That last nuance is the one most procurement checklists get wrong. Chapter-level adherence, not blanket signatory status, is the correct unit of due diligence.

    A procurement checklist: evaluating AI vendors under the Code

    Most AI tools institutions buy — literature-review assistants, grant-drafting copilots, coding and data-analysis tools — wrap a small number of underlying GPAI models. Procurement teams rarely negotiate directly with OpenAI or Google; they negotiate with a SaaS vendor built on top of one. Tracing the underlying model, and its provider’s Code chapter adherence, is a genuine due-diligence step, not a formality.

    Evaluation question If the underlying GPAI provider is a signatory If not, or only partially
    Model documentation Standardised Model Documentation Form available on request, covering training data summary, compute, and energy use No standard form; institution must request bespoke documentation or accept a documentation gap
    Copyright policy Documented policy on lawful data collection and machine-readable rights signals, plus a complaints contact point Institution bears greater burden to assess copyright exposure independently
    Systemic-risk safeguards (where applicable) Safety and Security Framework, incident reporting, and evaluation regime in place No equivalent framework confirmed; higher-risk models warrant closer technical review
    Regulatory exposure Commission enforcement focuses on monitoring; Code commitments can mitigate fines Vendor faces fuller compliance burden by alternative means; more regulatory requests likely

    Practical steps for a research-institution procurement or IT-governance office:

    • Ask every AI vendor which underlying GPAI model(s) power their product, not just the vendor’s own brand name.
    • Check chapter-level adherence against the Commission’s published signatory list — Transparency, Copyright, and Safety and Security are separate commitments.
    • Request the Model Documentation Form (or equivalent) as a contractual deliverable, not an optional extra, where the underlying provider is a signatory.
    • For non-signatory or partial-signatory models, budget additional time for independent technical and legal review before approving procurement.
    • Record Code of Practice status in the institution’s AI-tool risk register alongside existing data-protection and accessibility checks.

    What this means for research institutions

    Universities and funders are not the direct addressees of Article 56 — GPAI model providers are. But procurement decisions inherit the compliance posture of whichever models sit underneath the tools researchers use. A literature-synthesis tool built on a Code-compliant model comes with documented training-data provenance and a defined incident-reporting channel; one built on a non-signatory model does not, and the institution absorbs that gap as its own due-diligence burden.

    Research administration offices already run vendor risk assessments for data protection and accessibility; Code of Practice adherence is a natural addition to that workflow. As enforcement ramps toward the 2 August 2026 date and the 2027 deadline for legacy models, institutions that have already mapped their AI-tool stack to underlying GPAI providers will face far less disruption than those discovering the dependency mid-audit.

    The Code remains voluntary and harmonised standards are still years away. Until CEN-CENELEC finalises them, signatory status is the clearest available signal of a provider’s regulatory posture — and the most defensible basis on which an institution can currently justify an AI procurement decision to its own governance body.

    Common questions about the GPAI Code of Practice

    Is the GPAI Code of Practice legally binding?

    No. The Code of Practice is voluntary, established under Article 56 of the EU AI Act as an interim compliance route. Providers who sign it can use adherence to demonstrate compliance with Articles 53 and 55; non-signatories must prove compliance through other, generally more burdensome, means.

    Has Meta signed the EU AI Act GPAI Code of Practice?

    No. Meta has publicly declined to sign the Code of Practice, citing concerns about legal uncertainty in some of its Transparency and Copyright commitments. This places Meta’s GPAI models outside the Code’s voluntary compliance pathway for EU deployments.

    What happens if an AI vendor does not sign the Code of Practice?

    A non-signatory provider must demonstrate AI Act compliance through alternative means, which the Commission has indicated will typically involve more requests for information and closer scrutiny. Institutions procuring tools built on non-signatory models should expect a heavier independent due-diligence burden.

    When does enforcement of the GPAI Code of Practice begin?

    AI Office enforcement action begins 2 August 2026 for models placed on the market after August 2025. Providers of models already on the market before that date have until 2 August 2027 to bring them into full compliance.

    The bottom line for research institutions: signatory status under the GPAI Code of Practice is not a legal requirement, but it is fast becoming the practical baseline against which every AI procurement decision — from a departmental writing assistant to an institution-wide research-administration platform — should be measured.