Article 95 of Regulation (EU) 2024/1689 — Codes of conduct for voluntary application of specific requirements. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 95 of Regulation (EU) 2024/1689 (the EU AI Act), situated within Title X (Codes of Conduct and Guidelines), establishes a voluntary framework through which providers of AI systems that are not classified as high-risk may choose to commit to requirements that go beyond their legal baseline.
Specifically, Article 95 invites providers of non-high-risk AI systems to draw up codes of conduct intended to extend, on a voluntary basis, the application of requirements set out in Title III, Chapter 2 — the mandatory obligations that apply to high-risk AI systems. These requirements include risk management systems, data governance and management practices, technical documentation, record-keeping, transparency and provision of information to deployers, human oversight measures, accuracy, robustness, and cybersecurity. Article 95 also expressly encourages codes of conduct to address the environmental sustainability of AI systems.
The elaboration of such codes of conduct may involve providers, deployers, representative organisations, and other relevant stakeholders including civil society and academia. The AI Office and national competent authorities are tasked with facilitating this process. The Commission is empowered to issue guidelines on the form, content, and processes associated with codes of conduct under this article. Existing voluntary commitments and industry self-regulatory frameworks may be taken into account when drawing up codes of conduct under Article 95, avoiding unnecessary duplication of effort.
What This Means in Practice
Article 95 creates a space for responsible AI actors to signal trustworthiness by voluntarily aligning with the higher standards applicable to high-risk AI — even when they are not legally required to do so.
For providers of limited-risk or minimal-risk AI systems, this means that rather than simply meeting the lighter-touch obligations that apply to their products (for example, transparency notices for chatbots under Article 50), they can elect to implement a full risk management system, conduct data governance audits, maintain technical documentation, and build in human oversight mechanisms — and formalise that commitment through a publicly stated code of conduct.
In practice, participation in a code of conduct under Article 95 may serve multiple strategic functions. It can differentiate a product in a competitive market where enterprise customers or public-sector procurement teams demand demonstrable trustworthiness. It can build the internal processes and documentation habits that ease future compliance if a product is later reclassified as high-risk. It can also strengthen the organisation's position in dialogues with regulators and in the context of incident investigations.
A practical example: a provider of an AI-powered recruitment screening tool that falls just below the high-risk threshold in Annex III may nonetheless adopt a code of conduct committing to bias testing, transparent model documentation, and periodic human review of algorithmic decisions — measures that build user trust and anticipate regulatory evolution.
Codes of conduct are expected to be specific, measurable, and publicly accessible. Organisations should treat them not as marketing instruments but as operational commitments subject to genuine internal governance.
Key Obligations
- Voluntary adoption: Providers of non-high-risk AI systems are invited but not required to draw up and apply codes of conduct that extend Title III Chapter 2 requirements to their systems.
- Scope of voluntary requirements: Codes of conduct may cover risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, cybersecurity, and environmental sustainability of AI systems.
- Inclusive drafting process: Codes of conduct should be elaborated with input from providers, deployers, representative organisations, and relevant stakeholders including civil society and academia, with facilitation by the AI Office and national competent authorities.
- Compatibility with existing frameworks: Codes may build upon existing voluntary commitments or self-regulatory industry initiatives to avoid duplication, provided those frameworks are compatible with the objectives of the Regulation.
- Commission guidelines: The European Commission may issue guidelines specifying the expected form, content, and processes for codes of conduct under this article, providing a reference framework for interested parties.
- Environmental sustainability: Codes of conduct are expressly encouraged to include provisions promoting the environmental sustainability of AI systems throughout their lifecycle, reflecting the broader policy objectives of the Regulation.
Relationship to Other Articles
Article 95 should be read alongside the mandatory transparency obligations of Article 50, which represent the actual legal floor for many non-high-risk AI systems. It draws its substantive content by reference from Title III, Chapter 2 (Articles 9–15), which sets out the requirements — risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness, and cybersecurity — that high-risk AI system providers must meet and that non-high-risk providers may voluntarily adopt.
Article 95 is complemented by Article 96, which empowers the Commission to issue guidelines on the practical implementation of this article. It also connects to Article 56, which establishes the AI Office as a facilitating body, and to the broader scheme of Article 55 concerning general-purpose AI model codes of practice, which operates as a parallel but distinct voluntary framework for a different category of actors. Together, these provisions reflect the Regulation's layered approach: mandatory floors, voluntary ceilings, and institutional facilitation.
Compliance Timeline
Article 95 entered into application as part of the general application date of the EU AI Act. The Regulation entered into force on 1 August 2024, twenty days after its publication in the Official Journal. Application of the Regulation's provisions is phased:
- 1 February 2025: Prohibitions on unacceptable-risk AI practices (Title II) became applicable.
- 2 August 2025: Provisions relating to general-purpose AI models (Title VIII) and governance structures (Title III of the governance chapter) became applicable.
- 2 August 2026: The majority of the Regulation's provisions, including obligations for high-risk AI systems under Annex I (product safety legislation), became applicable.
- 2 August 2027: Obligations for high-risk AI systems listed in Annex III became fully applicable.
Article 95, falling under Title X, became applicable on 2 August 2026 as part of the general application of the Regulation. However, given its voluntary nature, providers wishing to use codes of conduct as a compliance and trust-building tool are encouraged to engage with the process as early as possible — particularly since the AI Office may begin facilitating code elaboration well ahead of formal deadlines, and early movers benefit from shaping the content of those codes.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 95 encourages providers of non-high-risk AI systems to voluntarily draw up and apply codes of conduct designed to extend compliance with requirements that are mandatory only for high-risk AI systems — such as transparency, robustness, and human oversight — to systems that fall outside that mandatory scope.
No. Article 95 is entirely voluntary. Providers are invited but not compelled to draft or adhere to codes of conduct. The provision is designed to raise the general level of trustworthiness across the AI ecosystem beyond the minimum legal floor.
Providers of AI systems that are not classified as high-risk, as well as other relevant stakeholders such as deployers, industry bodies, civil society organisations, and academia, may voluntarily participate in drafting and applying these codes.
Codes of conduct may voluntarily apply requirements equivalent to those in Title III Chapter 2 — covering risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity — as well as requirements related to environmental sustainability.
The AI Office and national competent authorities may facilitate and promote the elaboration of codes of conduct. The Commission may also issue guidelines specifying the form and content that such codes should take.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.