Why Guidance Matters
The EU AI Act is a technology-neutral regulation written in broad, principles-based language. This is intentional — it allows the Act to remain relevant as AI technology evolves — but it also means that providers, deployers, and national authorities need detailed guidance on how abstract obligations translate into concrete compliance steps.
The EU has created a multi-layered guidance ecosystem:
- Codes of Practice — developed through multi-stakeholder processes, providing the most authoritative non-binding guidance
- Commission guidelines and notices — directly issued interpretive guidance from the European Commission
- European standards (CEN/CENELEC, ETSI) — harmonised technical standards that can be used to demonstrate compliance
- AI Office guidance notes — operational guidance from the body responsible for supervising GPAI models
Compliance with a relevant harmonised standard creates a rebuttable presumption of conformity with the corresponding requirement of the AI Act — making standards particularly important for high-risk AI systems.
GPAI Code of Practice
The primary guidance instrument for providers of General-Purpose AI models.
What is the GPAI Code of Practice?
Article 56 of the EU AI Act requires the AI Office to facilitate the drawing up of Codes of Practice for GPAI model providers. These Codes are developed through a multi-stakeholder process involving GPAI providers (including OpenAI, Anthropic, Google, Meta, and Mistral), civil society, academics, and member state representatives.
The Code covers the key obligations in Articles 53 and 55:
- Technical documentation requirements
- Copyright transparency policies
- Systemic risk identification and assessment methodology
- Adversarial testing and red-teaming standards
- Incident classification and reporting procedures
While the Code is not legally binding in itself, demonstrating compliance with it creates a presumption of conformity with the corresponding GPAI obligations in the Act.
Current Status (April 2026)
The GPAI Code of Practice underwent multiple drafting rounds through 2025, with the final Code expected to be adopted by the AI Office in mid-2025. As of 2026, the Code is in its operational phase.
Key content areas of the Code
Transparency & copyright: Requirements for summarising training data, documenting copyright compliance policies, and reporting to the AI Office.
Safety & security: Minimum standards for adversarial testing, risk evaluation methodologies, and incident reporting thresholds.
Governance: Accountability structures, designated responsible persons, and documentation retention requirements.
Commission Guidance Documents
Official interpretive guidance from the European Commission on key provisions of the Act.
Guidelines on Prohibited AI Practices
Commission guidelines clarifying which AI practices are prohibited under Article 5, including examples of manipulation, social scoring, and real-time biometric surveillance. Published ahead of the February 2025 application date.
Guidelines on High-Risk Classification
Guidance on how to determine whether an AI system falls within the high-risk categories listed in Annex III, including the substantial modification threshold that would require a new conformity assessment.
Definition of GPAI Models
Guidance on what constitutes a General-Purpose AI model for the purposes of the Act, including the compute threshold (10^25 FLOPs) that triggers the systemic risk designation.
Fundamental Rights Impact Assessment
Guidance for deployers of high-risk AI systems on conducting Fundamental Rights Impact Assessments (FRIAs), required for public authority deployers and certain private-sector deployers under Article 27.
Harmonised Technical Standards
The Commission has mandated CEN-CENELEC and ETSI to develop harmonised standards for the AI Act.
Harmonised standards provide the most reliable route to a presumption of conformity. The Commission published a standardisation request to the European standards organisations in May 2023. Key standards under development include:
| Standard Reference | Topic | Status | Relevant Articles |
|---|---|---|---|
| CEN/CLC/JTC21 WG1 | AI terminology and concepts | In development | Definitions (Art. 3) |
| CEN/CLC/JTC21 WG2 | Risk management for AI | In development | Art. 9 |
| CEN/CLC/JTC21 WG3 | Data and data governance | In development | Art. 10 |
| CEN/CLC/JTC21 WG4 | Transparency & user information | In development | Art. 13, 50 |
| CEN/CLC/JTC21 WG6 | Accuracy, robustness, cybersecurity | In development | Art. 15 |
| ISO/IEC 42001:2023 | AI Management System Standard | Published (2023) | General governance |
| ISO/IEC 42006 | AI system impact assessment | In development | Art. 9, 27 |
ISO/IEC 42001 — AI Management Systems
ISO/IEC 42001:2023 is already published and provides a framework for an AI Management System (AIMS). While not an EU AI Act harmonised standard per se, many organisations are using it as a foundational governance framework. It aligns well with the Act's risk management and documentation requirements.
Practical Implementation Resources
Tools and resources from the Commission and AI Office to support compliance.
AI Act Compliance Checker
The EU AI Office has developed a digital tool to help organisations self-assess whether their AI systems fall within the scope of the Act and what obligations apply.
AI Cybersecurity Guidance
The EU Agency for Cybersecurity (ENISA) has published guidance on cybersecurity requirements for AI systems, particularly relevant to Articles 15 and 55 of the Act.
Voluntary Early Commitment
The AI Pact was a voluntary initiative inviting AI companies to commit to implementing key AI Act obligations ahead of the mandatory application dates. Over 100 companies signed pledges.
Fundamental Rights Guidance
The EU Agency for Fundamental Rights (FRA) provides guidance on how to assess the fundamental rights implications of AI systems, relevant to the FRIA requirement in Article 27.