The European Commission finalized the General Purpose AI (GPAI) Code of Practice in July 2025, aiming to help model providers align with the EU Artificial Intelligence Act. The Code introduces voluntary guidelines for transparency, safety, and accountability for advanced AI models. These measures are intended to support the development of global standards in AI governance.
Moody’s Analytics clarified that its AI models are “specialist models” or “domain-specific models,” not general purpose. As a result, while the EU AI Act applies to Moody’s, the GPAI Code of Conduct does not. Nonetheless, best practices derived from the GPAI Code are influencing industry standards.
Key elements from these best practices include rigorous pre-market risk assessments, maintaining a transparency mindset from inception, continuous monitoring, robust internal governance structures, and detailed record-keeping. This approach is designed to ensure ongoing accountability and allow rapid response to emerging risks.
The GPAI Code identifies two levels of risk among AI models:
For all GPAI models, there is an emphasis on transparency and copyright compliance. Providers must maintain comprehensive documentation covering technical details, data sources, and intended uses of their AI systems. This information should be available both to regulators and users. Operationally, providers are expected to implement copyright policies that ensure lawful sourcing and use of data—including synthetic media.
For highly effective systemic risk models—those considered more far-reaching—the requirements extend further: robustness, reliability measures, safeguards against misuse such as logging activities, human oversight mechanisms, and strong data governance frameworks must be established. A key standard is maintaining a safety and security framework throughout the model’s life cycle that identifies systemic risks and reports them transparently.
Signing onto the GPAI Code signals legal commitment under Articles 53 and 55 of the EU AI Act by helping reduce uncertainty regarding required technical documentation about model architecture and training methods. The scope of GPAI under EU law refers to models using large-scale data with self-supervision techniques; they typically involve over 10 floating point operations (FLOPS).
A standard practice now includes providing summaries of training data along with clear instructions for downstream users and regulators—ensuring consistency across all documentation related to each model.
Model documentation forms offer templates for standardizing disclosures about training processes—including datapoint numbers and types—and methodologies used for curating data or detecting bias.
Compliance with these guidelines starts at the training stage; any significant modifications later can trigger additional obligations. Each EU member state may set up sandboxes as compliance facilitators so providers can demonstrate alignment with transparency requirements.
Non-EU companies offering AI services within Europe must also comply with these regulations; enforcement falls under the purview of the EU AI Office. By August 2, 2026 new models must meet these requirements; existing ones have until January 2027. High-risk sectors such as healthcare or law enforcement face early deadlines for readiness assessments.
In California since September 2025 Senate Bill (SB) 63 has introduced CalCompute—a public cloud computing cluster aimed at supporting safe deployment of ethical AI solutions—which differs from European rules in defining high-risk thresholds: In Europe any model trained above 10^25 FLOPs counts as systemic risk; California defines frontier foundation models as those trained above 10^26 integer operations.
Other countries like Japan and China mention specialty categories but have yet to adopt dual-level comparative regimes similar to those seen in Europe or California—though China is developing relevant measures.
“The GPAI Code promotes a ‘comply or explain’ model,” according to guidance materials on responsible governance frameworks. This flexible system encourages organizations toward standards-setting collaborations with national institutes focused on domain-specific guidance.
According to policy recommendations: “Per the AI Act, to protect our industries, AI solution providers must leverage the GPAI Code of Practices beyond general-purpose models to provide effective transparency, explainability, reporting, and oversight to their customers all the way to the final user.”
Floating point operations per second remain a central benchmark for classifying high-performance systems in both US (threshold at 10^26) and EU (at 10^25) regulatory contexts.
