The GPAI Code and the EU's Emerging Model of AI Supervision.

The publication of the General-Purpose AI (GPAI) Code of Practice marks an important stage in the implementation of the AI Act. Much of the discussion surrounding the Code has focused on its substantive provisions, including transparency obligations, copyright-related commitments and safety and security measures for the most advanced AI models.

From an institutional perspective, however, the more significant development may be what the Code reveals about the Commission's approach to supervision.

The GPAI Code provides an early indication of how the European Union intends to operationalise the AI Act in practice. It suggests that supervision will increasingly take place through a combination of legislation, guidance, codes of practice and ongoing regulatory engagement rather than through legislative obligations alone.

Beyond Legislation Alone

The AI Act establishes the legal obligations applicable to providers of general-purpose AI models. The GPAI Code does not replace those obligations. Rather, it provides a voluntary framework through which providers may demonstrate compliance with them.

This distinction is important.

The Code indicates that the Commission does not intend to rely exclusively on legislative text to translate the AI Act into operational requirements. Instead, implementation is increasingly being supported by instruments that sit between legislation and enforcement.

This approach reflects the practical realities of regulating general-purpose AI models. Technical capabilities, deployment methods and risk profiles are evolving more rapidly than traditional legislative cycles. The Commission is therefore building mechanisms that allow supervisory expectations to develop without requiring continual legislative amendment.

The result is a regulatory model in which implementation becomes an ongoing process rather than a single legislative event.

GPAI Implementation and the Emerging Compliance Architecture

The publication of the Code was accompanied by Commission guidelines clarifying the scope of GPAI obligations under the AI Act.

Taken together, the legislation, the guidelines and the Code form an emerging compliance architecture for general-purpose AI models.

This architecture serves two functions.

First, it provides providers with a clearer pathway for implementing obligations that remain relatively high-level in the legislative text.

Second, it provides supervisors with a framework through which compliance can be assessed in a more structured and consistent manner.

The significance of the GPAI Code therefore extends beyond the commitments it contains. It forms part of the institutional machinery through which the AI Act will be administered.

As implementation progresses, understanding this machinery may become as important as understanding the legal provisions themselves.

The GPAI Code as a Supervisory Instrument

The Code is formally voluntary. Providers are not required to become signatories in order to comply with the AI Act.

Its practical significance may nevertheless be considerable.

The Code was developed through an extensive drafting process involving industry, civil society, academic experts and institutional stakeholders. More importantly, it has been developed with the explicit objective of supporting implementation of the GPAI obligations that fall under the supervision of the AI Office.

This gives the Code a function that extends beyond guidance.

While voluntary instruments do not create legal obligations in their own right, they frequently become reference points for supervisory practice. The concepts, documentation processes and risk-management approaches contained within the Code may therefore play an important role in shaping how compliance is assessed in practice.

The significance of the Code lies less in its formal legal status than in its potential role as a supervisory instrument.

The Focus Is Shifting Towards Governance Capacity

A notable feature of the Code is its emphasis on organisational processes.

The transparency chapter focuses on documentation and information-sharing. The copyright chapter focuses on policies and procedures. The safety and security chapter focuses on mechanisms for identifying, assessing and mitigating systemic risks associated with the most advanced models.

The Commission is increasingly focused on governance capacity rather than prescribed technical outcomes.

The central question is not simply whether a provider has adopted a particular technical measure. Increasingly, it is whether the provider can demonstrate that it possesses the structures, procedures and internal capabilities necessary to identify risks, manage them and account for its decisions.

This is an important feature of the emerging supervisory model.

The AI Act establishes obligations, but the Code suggests that supervision will place considerable weight on a provider's ability to evidence how those obligations are being operationalised within the organisation.

An Early Test of the AI Office's Supervisory Role

The GPAI Code also provides one of the first practical indications of how the AI Office may exercise its responsibilities under the AI Act.

The AI Office occupies a distinctive position within the Union's regulatory architecture. Unlike many existing digital regulatory frameworks, the AI Act created a dedicated institutional structure with direct responsibilities for general-purpose AI models.

The Code provides a mechanism through which supervisory expectations can be communicated before a substantial body of enforcement practice exists.

This may prove particularly important during the early years of implementation. In rapidly evolving markets, supervisory certainty is often established not only through formal decisions but through guidance, engagement and the gradual development of common expectations.

The GPAI Code should therefore be understood as part of the supervisory infrastructure that is beginning to emerge around the AI Act.

Outlook

The significance of the GPAI Code lies not primarily in the individual commitments it contains. Its broader importance is that it provides insight into how the European Union intends to supervise AI.

The emerging model is not one of legislation followed by enforcement. Instead, it combines statutory obligations, interpretative guidance, voluntary codes and ongoing supervisory engagement.

The immediate compliance implications of the Code are significant. Its longer-term importance, however, may lie in the supervisory framework it helps establish. For observers of EU digital regulation, however, the more consequential development may be institutional.

The GPAI Code suggests that the future supervision of AI in Europe will be shaped not only by the requirements contained in the AI Act itself, but also by the growing ecosystem of implementation instruments through which those requirements are interpreted, operationalised and supervised.