GPAI Code: who has signed it and what it commits to
The GPAI Code of Practice is a voluntary route to demonstrate AI Act compliance. Here is the official signatory list, the commitments in each chapter, and what happens when a provider does not sign.
The General-Purpose AI Code of Practice, usually called the GPAI Code of Practice, is neither a new law nor a badge that replaces the AI Act. It is a voluntary route, prepared with the support of the AI Office, through which providers can show how they meet duties that already exist. That distinction is the useful starting point for reading its signatory list and its commitments.
Our guide to the AI Act GPAI timetable explains that substantive provider duties have applied since 2 August 2025 and that the Commission's Article 101 fine provision applies from 2 August 2026. The Code does not alter that timetable: it turns part of those duties into practical measures.
Verified signatories
The European Commission page consulted for this article lists 23 signatories to the full Code: Accexible, AI Studio Delta, Aleph Alpha, Almawave, Amazon, Anthropic, Black Forest Labs, Bria AI, Cohere, Domyn, Dweve, Fastweb, Google, IBM, Lawise, LINAGORA, Microsoft, Mistral AI, Open Hippo, OpenAI, Pleias, ServiceNow and WRITER.
The same source flags one important exception: xAI signed only the Safety and Security chapter. The Commission therefore says it must demonstrate its transparency and copyright compliance through alternative adequate means. The list is updated as signatures are confirmed, so it should be attributed to the official page and its consultation date rather than treated as an unchanging industry census.
Signing does not, by itself, determine which of a company's models fall within the GPAI scope, nor does it settle the duties of companies that integrate those models into products. It shows that a provider has chosen the Code as its compliance-demonstration framework.
Three chapters, three kinds of work
Transparency. This chapter develops the documentation required by Article 53 of the AI Act. Its signatories commit to creating and keeping model documentation up to date, providing relevant information to downstream providers integrating the model, and responding to the AI Office when required. It includes a Model Documentation Form to collect information in a common format and calls for the quality, integrity and security of those records to be protected.
Copyright. The chapter does not decide what infringes copyright; that remains a matter for the applicable law and courts. Its commitment is a documented, current and implemented policy for complying with EU copyright law. For web crawling, it calls for no circumvention of technological access restrictions, exclusion of certain repeatedly infringing sites, reading and respecting machine-readable rights reservations including robots.txt, and explaining the measures to affected rightsholders. It also calls for proportionate safeguards against outputs that infringe protected training material, terms that prohibit such uses, and a contact point with a complaints mechanism.
Safety and Security. This is not for every GPAI provider, but for providers of models with systemic risk. These signatories commit to adopting, implementing and updating a safety framework describing how they assess and mitigate risk throughout the model lifecycle, including responsibilities, acceptance criteria, testing and trigger points. The chapter makes model evaluation, mitigation, governance, cybersecurity, and preparation to record and report serious incidents operational. The framework must be notified to the AI Office.
Demonstrating compliance is not immunity
The Commission and the AI Board have considered the Code an adequate voluntary tool for demonstrating compliance. This may reduce administrative burden and make supervision more predictable, because it gives authorities a specific framework to review. But adherence is not conclusive evidence of compliance, and it does not make the underlying duties optional. The Code itself makes that clear.
It is also worth being precise about the idea of a presumption of conformity. For systemic-risk GPAI providers, Article 55 allows codes of practice to be used to demonstrate compliance until a harmonised standard exists. The Regulation attaches the formal presumption of conformity to European harmonised standards, to the extent that they cover the obligations. Those are related tools, but not the same one.
A company that does not sign remains subject to whichever legal duties apply to it. For a systemic-risk provider, if it neither adheres to an approved Code nor complies with a harmonised standard, it must demonstrate alternative adequate means to the Commission. Not signing is not the same as non-compliance; it means being able to explain and evidence a different compliance route.
What Spanish companies should check
For a company buying or integrating a model, the first step is to ask the provider which documentation it supplies and whether it follows the Code, without assuming that the answer transfers every responsibility. For a company developing or placing a GPAI model on the EU market, it is sensible to compare its processes with the three chapters: documentation for downstream users and authorities, copyright policy, and, where relevant, systemic-risk management. The practical question is whether it has signed and what evidence it can show for each duty.