Introduction
The European Commission’s AI Office has finalized the General-Purpose AI Code of Practice [1] [2] [6], a voluntary framework designed to help AI model providers comply with the forthcoming AI Act. This initiative [2] [3], developed with input from a wide range of stakeholders, aims to guide the industry in adhering to regulations governing general-purpose AI, with a phased enforcement timeline starting in 2026.
Description
The European Commission’s AI Office finalized the General-Purpose AI Code of Practice on 10 July 2025, establishing a crucial voluntary framework for AI model providers to ensure compliance with the upcoming AI Act, which will take effect on 2 August 2025 [1] [2] [5] [6] [7] [11]. Developed by 13 independent experts with input from over 1,000 stakeholders—including model providers [1] [2] [5] [6], SMEs [1] [2] [5] [6], academics [1] [2] [4] [5] [6], AI safety experts [1] [2] [5] [6], rightsholders [1] [5] [6] [9], and civil society organizations—the Code aims to assist the industry in adhering to the regulations governing general-purpose AI [5]. This initiative anticipates mandatory compliance requirements and features a phased enforcement timeline, with enforcement beginning in August 2026 for new models and August 2027 for existing models placed on the market before August 2025.
The framework applies to all providers placing general-purpose AI models on the EU market [9], regardless of their location [9], with a focus on models integrated into downstream AI systems [9]. It outlines voluntary compliance pathways to enhance transparency for system integration [9], ensure copyright protection for rightsholders [9], and mitigate risks associated with advanced AI models that could impact public safety and fundamental rights. A user-friendly Model Documentation Form is introduced to assist signatories in meeting their obligations under the Safety and Security chapter [10], which includes ten commitments such as identifying systemic risks [10], developing a Safety and Security Framework [10], and implementing safety and security mitigations [10]. This form facilitates clear disclosure of information regarding model training, evaluation [3] [9] [11], and usage [3] [11], building trust and ensuring users are aware of potential limitations and risks [3].
Organized into three chapters—Transparency [1] [2] [6] [8], Copyright [1] [2] [3] [4] [6] [8] [9] [11], and Safety and Security—the Code provides practical tools and guidance. The Transparency chapter mandates extensive documentation from providers [9], including model architecture [9], training methodologies [9], and integration specifications [9]. Providers must disclose model input and output modalities and document the types of AI systems into which their models can be integrated [9], such as autonomous systems and decision support systems [9].
The Copyright chapter requires compliance with EU Directive 2019/790 [9], mandating that providers utilize web crawlers adhering to the Robot Exclusion Protocol and identify other machine-readable protocols for rights reservations [9]. They must implement safeguards to prevent their models from generating outputs that infringe on copyright and establish complaint mechanisms for rightsholders to report non-compliance [9]. The Code advises enterprises to respect measures that prevent unauthorized scraping [4], such as robots.txt files and Cloudflare’s identification systems for AI bots [4], and to design AI models that avoid reproducing copyrighted works while establishing clear usage policies.
The Safety and Security chapter addresses systemic risks associated with general-purpose AI models [3] [6], including risks to fundamental rights and safety [6], and outlines state-of-the-art practices for risk management [6]. Providers are required to establish evaluation trigger points throughout the development lifecycle and maintain detailed records of training data provenance [9], computational resources [9], and energy consumption [4] [9]. Documentation must be maintained for at least 10 years after a model is marketed. Security measures must protect against insider threats and implement confidential computing using trusted execution environments [9]. The Code outlines commitments for enterprises developing and distributing general-purpose AI models [4], including identifying and managing systemic risks [4], implementing safety mitigations [4] [10], assigning responsibilities [4], and reporting on model safety and security incidents [4]. The adequacy of the Code will be assessed by Member States and the European Commission in the near future [10].
Once endorsed by EU Member States and the Commission [1] [2] [3] [8] [10], providers who voluntarily sign the Code can demonstrate compliance with the AI Act’s relevant provisions [1] [2], benefiting from reduced administrative burdens and increased legal certainty compared to other compliance methods [1] [6]. Exemptions apply for models released under free and open-source licenses [9], though not for those with systemic risk [9]. Existing model providers must take necessary steps for compliance by 2 August 2027 [9].
Henna Virkkunen [11], executive vice-president for tech sovereignty [11], security [1] [3] [4] [6] [8] [9] [10] [11], and democracy [11], has emphasized the significance of the Code in ensuring that advanced AI models in Europe are both innovative and safe [11]. CEPIS has also expressed support for this initiative [2], highlighting its importance in fostering a trustworthy and transparent AI ecosystem in Europe and encouraging companies within its network to endorse the Code for a responsible AI landscape. The upcoming Commission guidelines will further clarify the obligations related to general-purpose AI under the AI Act [2], while the AI Office will provide collaborative implementation support during the first year after the rules take effect [9]. Providers who do not fully implement all commitments immediately will be considered to be acting in good faith [9]. The framework’s transparency requirements will enhance information flows between AI model providers and downstream developers [9], facilitating the assessment of model capabilities for marketing technology companies and addressing concerns related to content generation in marketing applications [9]. This comprehensive approach positions the EU as a leader in ethical AI development, promoting a balanced strategy that fosters innovation while safeguarding public interests [3].
Conclusion
The General-Purpose AI Code of Practice represents a significant step towards ensuring that AI development in Europe is both innovative and safe. By providing a structured framework for compliance, it reduces administrative burdens and increases legal certainty for AI model providers. The Code’s emphasis on transparency, copyright protection [3] [9], and safety and security measures fosters a trustworthy AI ecosystem, positioning the EU as a leader in ethical AI development [3]. This initiative not only anticipates future mandatory compliance but also encourages responsible AI practices, ultimately safeguarding public interests while promoting technological advancement.
References
[1] https://digital-strategy.ec.europa.eu/en/news/general-purpose-ai-code-practice-now-available
[2] https://cepis.org/european-commission-receives-final-general-purpose-ai-code-of-practice/
[3] https://www.innovationnewsnetwork.com/eu-finalises-general-purpose-ai-code-of-practice/59721/
[4] https://www.cio.com/article/4020130/eu-finalizes-general-purpose-ai-code-of-practice-for-enterprises.html
[5] https://futurium.ec.europa.eu/en/european-ai-alliance/blog/general-purpose-ai-code-practice-now-available
[6] https://www.pubaffairsbruxelles.eu/eu-institution-news/general-purpose-ai-code-of-practice-now-available/
[7] https://ccianet.org/news/2025/07/ai-act-eus-final-gpai-code-imposes-disproportionate-burden-improvements-required/
[8] https://digital-strategy.ec.europa.eu/en/faqs/questions-and-answers-code-practice-general-purpose-ai
[9] https://ppc.land/eu-publishes-final-general-purpose-ai-code-of-practice/
[10] https://ipwatchdog.com/2025/07/10/eu-publishes-code-practice-deadline-ai-acts-provisions-general-purpose-ai-models-nears/id=190257/
[11] https://www.siliconrepublic.com/machines/eus-ai-code-of-practice-tackles-transparency-copyright-and-safety
