From Voluntary Code to Strategic Standard: leveraging the GPAI Code of Practice like an ISO Framework to unlock strategic ROI and competitive AI Governance.

Part 1

About

On 10 July 2025 the European Commission has received the final version of the General-Purpose AI Code of Practice “GPAI CoP”. The GPAI CoP is the work result of nearly 1000 independent experts including EU Member States representatives.

The code is a voluntary tool designed to offer guidance for general-purpose AI models and general-purpose AI models with systemic risks. Although the GPAI CoP itself is voluntary, once formally endorsed by Member States and the European Commission it serves as a “presumption of conformity” with the obligations under EU AI Act for GPAI providers.

Structure

The CoP is divided into three chapters: Transparency and Copyright Chapters, both addressing all providers of GPAI models, and thirdly the Safety & Security Chapter relevant only for GPAI providers with systemic risk.

In other words, the transparency and copyright chapters apply to all GPAI providers irrespective if the product falls under under the systemic risk definition of Art. 55 AI Act or not.

We will dive into each chapter separately in the upcoming issues.

Role

The role of the GPAI CoP is simple and clear. It is designed to reduce the administrative burden and give more legal certainty for GPAI system providers and thus play a key role in implementing the EU AI Act.

Next steps

By 2nd August 2025 the AI Office and AI Board will assess the CoP and may approve it via an adequacy decision. After the CoP is endorsed, AI model providers who voluntarily sign it can show they comply with the AI Act by adhering the GPAI CoP.

The date is no coincidence. 2nd August marks the date when the GPAI provisions of the EU AI Act (Regulation (EU) 2024/1689) enter into force. This means that the placement of GPAI models after 2nd of August must adhere to the applicable rules from the AI Act.

The GPAI models already placed on the market before 2nd August 2025, benefit from a transition period of 2 years until 2nd August 2027 to comply with the new regulations.

Part 2

Does the GPAI Code of Practice behave like an ISO standard?

Both the GPAI CoP and the ISO standard are voluntary norms (soft law) that are designed to offer guidance & legal certainty for companies. Over the past years applying for an ISO standard it has became not just good practice, but in many cases, an indirect requirement. Many companies pursue ISO certification to gain competitive market advantage, and in some industries, it has became an audit requirement to demonstrate, risk management, and regulatory compliance.

Given the clear strategic value the GPAI CoP offers, one might ask: What is the parallel between these two approaches? Are they the same? Do they carry the same legal weight, or do they differ in important respects?

Similarities

The following similarities can be identified:

Presumption of compliance: Once formally endorsed by the Member States and the Commission, providers who sign and follow the CoP can treat it as a recognized way to demonstrate compliance with the AI Act. That is similar to what happens with EU harmonised standards (hENs): adherence creates a presumption of conformity with legal requirements.

2. Both the GPAI CoP and the ISO standard are voluntary norms (soft law) that are designed to offer guidance & legal certainty for companies. Companies may choose to adopt it or choose to demonstrate compliance through other means (other in-house compliance solutions).

3. Developed by 13 independent experts, with input from over 1,000 stakeholders, including model providers, small and medium-sized enterprises, academics, AI safety experts, rightsholders, and civil society organisations. It is expected to be endorsed via an adequacy decision issued by the AI Office and AI Board.

While both the ISO standard and the GPAI CoP promote responsible AI, they differ in legal effect, development process, and strategic purpose. ISO offers a global, certifiable governance standard. The GPAI CoP, in contrast, is tailored to the EU regulatory context, designed to reduce the administrative burden and increase legal certainty for GPAI providers under the EU AI Act, potentially serving as a blueprint to presumed compliance once endorsed.

Key Takeaway

The GPAI Code of Practice does notestablish a formal ISO certification regime, however once endorsed by EU authorities, it effectively operates the same way as a harmonised standard or ISO‑style benchmark under the AI Act. Therefore, even though it behaves like an ISO or hEN in practice, providing a safe‑harbour compliance mechanism, it still remains a code of practice (a guide) rather than a formal industry standard or certification scheme.

Although signing is voluntary, it offers legal and administrative advantages, making it a preferred route for GPAI providers. Moreover, it holds the potential to deliver market and strategic advantages comparable to those of ISO certification, positioning early adopters as leaders in trustworthy, responsible AI.