The Llama Compliance Problem Nobody Is Talking About

When the EU GPAI Code of Practice was finalised in July 2025, 26 major AI providers signed it. Anthropic signed. Google signed. Microsoft signed. IBM signed. Mistral signed.

Meta did not.

That decision received some industry coverage at the time. What received almost none is what it means operationally for the thousands of enterprises that have deployed Meta Llama in production.

What the refusal actually means

The GPAI Code of Practice covers three areas: Transparency, Copyright, and Safety and Security. By signing, providers commit to producing specific compliance documentation — training data summaries, copyright compliance policies, technical model documentation — that deployers can reference in their own Article 26 evidence packs.

When Meta refused to sign, it created a documentation vacuum. Enterprises deploying Llama cannot point to provider-supplied GPAI compliance documentation because none exists. The EU AI Office has confirmed it will apply enhanced scrutiny to non-signatory models — meaning Llama deployments are more likely to be examined, not less.

For the deployer, this means the entire Article 26 evidence burden falls on them. Not partially. Entirely.

The distinction that matters: how is Llama running?

This is where most compliance analyses miss something important.

Running Llama via AWS Bedrock is a materially different compliance posture from running self-hosted Llama.

When Llama runs on AWS Bedrock, it runs under Amazon's infrastructure and within Amazon's GPAI CoP signatory commitment. Amazon signed the Code of Practice in full. The upstream GPAI documentation gap — the gap Meta created by refusing — is closed by the Amazon umbrella.

For an enterprise running Llama on Bedrock with EU data residency configured, the upstream documentation layer is intact. The deployer's Article 26 obligations remain in full, but the GPAI provider documentation gap that Meta created is not their problem.

Self-hosted Llama is entirely different. Whether deployed via Groq, Together.ai, vLLM, or on-premises, self-hosted Llama has no upstream compliance coverage of any kind. The enterprise is the sole compliance owner for both the GPAI documentation layer and the deployer obligations layer simultaneously.

This distinction matters enormously for the Article 26 evidence pack. Two enterprises both "using Llama" can have completely different regulatory postures depending on how Llama is deployed.

What self-hosted Llama deployers need to do before August 2

The open-source Article 53(2) exemption applies to Llama's base model weights — but only to the extent that the deployer is not building a high-risk AI system on top of them. If Llama is being used in an Annex III domain — employment, credit, education, law enforcement — the exemption does not apply to that specific deployment.

For high-risk self-hosted Llama deployments, the deployer must produce:

  1. A use case classification with documented reasoning
  2. An Annex III domain mapping
  3. A Fundamental Rights Impact Assessment
  4. Documented human oversight assignment
  5. Six months of retained automated logs
  6. Worker notification records where applicable
  7. Transparency disclosure evidence for affected persons

None of these require provider documentation. All of them are deployer-side obligations that the deployer generates from their own operational data.

The question is not whether you can produce this evidence. The question is whether you have tooling to assemble it before August 2.

The practical path forward

For enterprises running Llama via Bedrock: confirm your AWS data residency configuration, verify your use cases against the Annex III domain list, and close the deployer-side Article 26 checklist. The upstream documentation gap is covered.

For enterprises running Llama self-hosted in any Annex III use case: the documentation gap is real and the timeline is 51 days. The evidence needs to come from your own operational data — session logs, oversight assignments, FRIA completion, transparency disclosures.

The compliance path exists. It just does not involve Meta.
