teleo-codex/entities/ai-alignment/eu-gpai-code-of-practice.md

# EU GPAI Code of Practice

**Type:** Regulatory Framework  
**Domain:** AI Alignment, AI Governance  
**Status:** Active (enforcement begins August 2, 2026)  
**Jurisdiction:** European Union (extraterritorial application)  
**Authority:** EU AI Office  

## Overview

The General-Purpose AI (GPAI) Code of Practice is the primary implementation vehicle for EU AI Act Articles 50-55, establishing mandatory obligations for providers of GPAI models with systemic risk (defined as models trained with >10^25 FLOPs).

## Scope

**Covered Providers (as of August 2025):**
- Anthropic (Claude)
- OpenAI (GPT-4o, o3)
- Google (Gemini 2.5 Pro)
- Meta (Llama-4)
- Mistral
- xAI (Grok)

## Four Mandatory Systemic Risk Categories

1. **CBRN risks** — chemical, biological, radiological, nuclear
2. **Loss of control** — AI systems that could become uncontrollable or undermine human oversight
3. **Cyber offense capabilities** — capabilities enabling cyberattacks
4. **Harmful manipulation** — large-scale manipulation of populations

## Requirements

**Safety and Security Model Report (before market placement):**
- Detailed model architecture and capabilities documentation
- Justification of why systemic risks are acceptable
- Documentation of systemic risk identification, analysis, and mitigation processes
- Description of independent external evaluators' involvement
- Details of implemented safety and security mitigations

**Three-Step Assessment Process (per major model release):**
1. **Identification** — must identify potential systemic risks from the four categories
2. **Analysis** — must analyze each risk, with third-party evaluators potentially required if risks exceed prior models
3. **Determination** — must determine whether risks are acceptable before release

**External Evaluation:**
Required unless providers can demonstrate their model is "similarly safe" to a proven-compliant model.

## Enforcement

- **Soft enforcement:** August 2025
- **Fines begin:** August 2, 2026
- **Penalty structure:** Up to 3% global annual turnover or €15 million, whichever is higher
- **Compliance presumption:** Signatories get presumption of compliance; non-signatories face higher AI Office scrutiny

## Signatories

As of August 2025: Anthropic, OpenAI, Google DeepMind, Meta, Mistral, Cohere, xAI, and ~50 other organizations.

## Development Process

Developed through multi-stakeholder process with significant industry input. AI safety researchers from GovAI, CAIS, and METR contributed to drafting committees. The four categories were contested — CBRN and cyber offense less controversial; loss of control and harmful manipulation reflect more contested AI safety concerns.

## Key Uncertainty

The specific technical definition of "loss of control" is in Appendix 1. Whether it means (a) behavioral human-override capability (shallow, consistent with current safety training) or (b) oversight evasion, self-replication, autonomous AI development (substantive alignment-relevant capabilities) determines whether GPAI enforcement produces genuine safety governance or documentation compliance theater.

## Timeline

- **2025-07-10** — Final version published by EU AI Office
- **2025-08** — Soft enforcement begins; major frontier labs sign as participants
- **2026-08-02** — Fines and full enforcement begin

## Related

- EU AI Act Articles 50-55 (parent legislation)
- EU AI Office (enforcement authority)
- Sessions 21-22 KB analysis (Bench-2-CoP finding: 0% compliance benchmark coverage of loss-of-control capabilities)