With the majority of obligations for general-purpose AI (GPAI) models set to take effect on 2 August 2025 (AI Act, Chapter V, Art. 53), the European Commission has published the long-awaited GPAI Code of Practice on 10 July 2025. The document—developed by independent experts—serves as voluntary guidance to help GPAI providers prepare for compliance under the EU AI Act. It focuses on three key areas: Copyright, Transparency, and Safety & Security.

Although the AI Act required the Commission to finalize the Code of Practice by 2 May 2025 (AI Act, Art. 56(1)–(3)), its delayed release has now been supplemented by legal guidelines and enforcement expectations. On 17 July 2025, the EU AI Office formally invited GPAI providers to become signatories by submitting a form to: EU-AIOFFICE-CODE-SIGNATURES@ec.europa.eu.

Key Pillars of the GPAI Code of Practicer

Copyright

Under Article 53(1)(c) of the AI Act, GPAI providers are expected to:

• Establish and maintain a copyright policy.
  
• Crawl only lawfully accessible copyrighted content.
  
• Respect copyright reservations when collecting data online.
  
• Mitigate the risk of copyright-infringing outputs.
  
• Provide a point of contact for takedown or rights-holder complaints.

Transparency

To fulfill documentation and information-sharing requirements (Articles 53(1)(a), 53(1)(b), 53(2), 53(7), and Annexes XI–XII), providers should:

• Develop and maintain comprehensive model documentation.
• Provide relevant and accurate information on model capabilities, training, and use.
• Ensure the quality, integrity, and security of shared information.

A Model Documentation Form has also been issued to support these efforts.

Safety and Security

For GPAI models classified as posing systemic risk, the Code outlines ten key commitments under Articles 55 and 56:

• Establish a Safety and Security framework.
  
• Conduct systemic risk identification, analysis, and acceptability assessments.
  
• Implement risk and cybersecurity mitigation strategies.
  
• Produce model-specific safety and security reports.
  
• Assign responsibilities and report serious incidents.
  
• Maintain supporting documentation and transparency.

Guidelines and Enforcement Roadmap

In parallel, the Commission released GPAI guidance documents clarifying legal responsibilities for providers. These define GPAI models as those trained with over 10²³ Floating Point Operations Per Second (FLOPs) and capable of generating complex outputs (e.g. text, audio, images, or video). Entities that substantially modify and re-release GPAI models are also considered providers under the Act.

The guidelines also detail:

• Conditions under which open-source GPAI models may qualify for exemptions.
• The role of the voluntary Code of Practice in demonstrating good-faith compliance.
• The AI Office’s commitment to collaborative enforcement during the first year of implementation.

From 2 August 2025, all GPAI models entering the EU market must comply with the applicable AI Act obligations. Models already available before that date must be brought into compliance by 2 August 2027. The Commission’s enforcement powers will be fully applicable starting 2 August 2026.

Voluntary Participation and Legal Certainty

While the Code of Practice is non-binding, it is expected to serve as a key reference for both providers and regulators. Providers who voluntarily commit may benefit from regulatory clarity, structured guidance, and early alignment with enforcement expectations.

The Commission has emphasized that this Code forms part of a broader support ecosystem, including the AI Act Service Desk, technical templates, and ongoing stakeholder engagement.

To stay informed on implementation of the EU AI Act, visit our website at AI-Regulation.com and follow us on LinkedIn, Twitter and Facebook

P.R.