From Code to Compliance

Thoughts & analysis on AI, law, and everything between.


OpenAI Signed the Code of Practice under the EU AI Act

TL;DR

On 26 July 2025 OpenAI joined signatories of the EU Code of Practice—voluntary rules that foreshadow binding GPAI obligations: documentation, evaluations, red-teaming, and research access before the AI Act bites.

OpenAI Signed the Code of Practice under the EU AI Act – What It Means and Why It Matters On July 26, 2025, OpenAI joined other major AI developers in signing the Code of Practice – a pivotal step toward the practical enforcement of the EU AI Act, Europe’s ambitious regulatory framework for artificial intelligence. This move is not just symbolic. It marks the start of an experimental phase where AI companies voluntarily align their practices with upcoming legal requirements – before these become binding. It’s the EU’s way of saying: we’re serious about safety, transparency, and accountability in AI – and we want the tech world to start preparing now.

But what does this mean in practice? And how might it affect the AI ecosystem, startups, and independent builders?

What is the Code of Practice? The Code of Practice is a set of non-binding guidelines that mirror the obligations of the EU AI Act – especially for so-called general-purpose AI models (GPAI), like GPT-4o or Gemini. These are the models that can be used in a wide range of downstream applications and therefore carry systemic risk. By signing the Code, companies like OpenAI, Anthropic, Meta, Mistral, and others commit to:

Publishing model cards and technical documentation. Disclosing training data and compute usage (to a reasonable extent). Conducting and publishing evaluations around systemic risk, robustness, and societal impact. Implementing red-teaming processes and safeguards against misuse. Supporting open scientific and technical research. While voluntary for now, these obligations will become enforceable under the EU AI Act once the law comes into force.

Why This Matters?

This is the first large-scale effort to regulate frontier AI models at the model level, not just the application layer. That’s a major shift. Until now, most AI regulation has focused on how a tool is deployed, not how it’s built. From a legal-tech perspective, this signals that governance and compliance mechanisms will need to move upstream – into the development pipeline itself. That has huge implications:

For developers: More documentation, evaluation, and transparency by default. For businesses: Clearer standards for trustworthiness and legal compliance. For the public: A stronger baseline of safety and ethical accountability. It also opens new questions: Who defines “risk”? Who gets to audit? What counts as sufficient disclosure? Strategic Implications for Builders and Startups If you're building AI tools in Europe or serving EU users, this is not background noise. It's the early warning system for what’s coming next. Start thinking about: How you document your model development process How you evaluate risks beyond just performance metrics How you explain your model’s behavior to users and regulators This is also an opportunity. Compliance with the Code of Practice (and eventually the AI Act) may become a competitive advantage, especially in public sector procurement, enterprise sales, or partnerships with institutions. My Take As someone working at the intersection of AI engineering and legal frameworks, I see this as a necessary – and overdue – recalibration. If we want powerful AI systems to benefit everyone, we need rules that match their scale and influence. The Code of Practice is not perfect. But it’s a start. And it’s a message to developers: transparency is no longer optional. Safety is no longer someone else’s job. If you build models, you are responsible for how they’re used.

Now is the time to get your house in order.

OpenAI Signed the Code of Practice under the EU AI Act