Introduction
On July 10, 2025 [1] [7] [8] [10], the European Commission released the final version of the General-Purpose AI Code of Practice [2]. This document establishes a compliance framework under the EU Artificial Intelligence Act (AI Act), effective August 2, 2025 [4]. The Code, developed by a panel of 13 independent experts with contributions from over 1,000 stakeholders, aims to guide General-Purpose AI (GPAI) providers in meeting the AI Act’s requirements concerning transparency, safety [2] [3] [4] [5] [6] [7] [8] [9] [10], and intellectual property [3] [8] [10]. Although voluntary and non-binding, the Code offers a compliance guide for existing legal obligations, providing businesses with a rebuttable presumption of conformity and mitigating legal risks, albeit without offering a safe harbor.
Description
The Code is structured into three main chapters: Transparency [4] [8] [9], Copyright [1] [3] [4] [5] [6] [7] [8] [9] [10], and Safety & Security [3] [4] [5] [7] [8] [9] [10]. The Transparency chapter mandates comprehensive disclosures [8], including a Model Documentation Form detailing technical specifications [8], intended use [3] [4] [7] [10], energy consumption [8], and risk management [4] [7]. Providers must maintain updated technical documentation [1] [6], including summaries of training data, and certain information must be accessible to downstream users and regulators upon request. Sensitive business information can be shared confidentially with regulators [7], benefiting from confidentiality protections under the AI Act [7]. Signatories are required to document information about each GPAI model for ten years and provide necessary details to the AI Office and downstream providers while protecting their intellectual property rights [10]. Although there is no general obligation to publish Model Documentation [6], it should be available to supervisory authorities and downstream providers upon request [6].
The Copyright chapter focuses on ensuring compliance with the 2019 Copyright Directive [3] [4], including the need to respect opt-out requests from rightsholders and to avoid using unlawfully sourced data [4]. Providers must adopt internal copyright compliance policies [3], avoid circumventing technical measures protecting copyrighted content [3], and implement safeguards to prevent the generation of infringing outputs [3]. GPAI providers must be cautious about data scraping practices to avoid violating these obligations [10], thereby providing a framework for responsible data practices and promoting cooperation between AI developers and rightsholders. Signatories are permitted to use web crawlers for text and data mining but must respect TDM opt-out mechanisms declared by rightsholders and provide a point of contact for rightsholders to submit complaints.
The Safety & Security chapter targets advanced GPAI models classified as posing systemic risks [4], mandating comprehensive risk management frameworks and ongoing post-market monitoring. Providers are required to conduct structured risk assessments, establish criteria for systemic risk levels [3], and report serious incidents to the AI Office and relevant authorities [3], including root cause analyses and recommendations [10]. Developers of such models are expected to maintain risk assessment frameworks and document mitigation strategies [7], particularly for those with extensive computational training that significantly affect the Union market. Models exceeding 10^25 floating point operations per second (FLOPs) are considered to carry systemic risk, requiring notification to the European Commission’s AI Office [1]. Signatories must submit a Safety and Security Model Report to the AI Office [10], detailing systemic risk assessments and mitigation measures [10]. The assessment of systemic risks should be proportionate [6], and simplified compliance methods for smaller enterprises are encouraged [6].
While participation in the Code is voluntary [4], signatories may benefit from reduced compliance burdens and greater deference in enforcement matters compared to nonsignatories [4], who must independently demonstrate compliance [7]. However, concerns have been raised regarding the potential for the Code to impose obligations beyond those of the AI Act [4], which could hinder innovation [4], particularly for smaller developers [4] [7]. Critics argue that the definitions of systemic risk may be overly broad [4], potentially leading to over-regulation of low-risk applications and disproportionately affecting startups.
The Commission has issued guidelines clarifying the obligations for providers of GPAI models under the AI Act [11], effective from August 2, 2025 [4] [8] [11]. These guidelines establish clear technical criteria for identifying GPAI models [11], aiding developers in determining their compliance requirements [11]. Only those making significant modifications to AI models are required to adhere to these obligations [11], while minor changes do not trigger compliance [11]. Providers of open-source AI models may be exempt from certain obligations [11], fostering transparency and innovation [11]. The guidelines also define key terms from the AI Act [11], assisting stakeholders in understanding their responsibilities [11]. They complement the General-Purpose AI Code of Practice [11], a voluntary framework for fulfilling obligations under the AI Act [11].
Implementation tools [4] [6] [7], including a training data disclosure template [4], are still pending [4], and further guidance is expected to clarify obligations for fine-tuned and open-source models [4] [7]. The final endorsement of the Code by EU member states is anticipated in August [4] [7], as the deadline for compliance approaches [4], highlighting the urgency for GPAI providers to prepare for the new regulatory landscape [4]. An enforcement grace period until August 2, 2026 [6], is anticipated for signatories [6], although its specifics remain unclear [6]. Compliance obligations for GPAI models will begin on August 2, 2025 [1], with enforcement powers commencing on August 2, 2026 [1]. Providers of models released before this date will need to comply by August 2, 2027 [1]. Future updates to the Code will be communicated to signatories [7], who may opt out of certain sections but will lose associated benefits [7]. The Code is designed to be adaptable to the rapid advancements in AI technology [5], with a commitment to review and potentially update it every two years in response to technological changes or shifts in risk [5]. The Code reflects the Commission’s expectations for GPAI providers and may influence future regulatory investigations once the GPAI obligations are enforced [10]. The response from potential signatories has been varied as they weigh the commitments required by the Code against their current practices and the implications of compliance [10]. Early alignment with the Code can ease compliance burdens and reduce the risk of enforcement actions [6], making it essential for companies to integrate these standards into their operations [6].
Conclusion
The General-Purpose AI Code of Practice represents a significant step in aligning AI development with regulatory expectations in the European Union. By providing a structured framework for compliance, the Code aims to enhance transparency, safety [2] [3] [4] [5] [6] [7] [8] [9] [10], and intellectual property protection in AI applications. While voluntary [2] [3] [4] [5] [6] [7] [8] [10] [11], adherence to the Code can offer substantial benefits, including reduced compliance burdens and a more favorable position in enforcement matters. However, the potential for over-regulation and the impact on innovation, particularly for smaller developers [4] [7], remain concerns [7]. As the AI landscape continues to evolve, the Code’s adaptability and the ongoing guidance from the European Commission will be crucial in ensuring that AI development remains both innovative and compliant.
References
[1] https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20250724-european-commission-issues-guidelines-for-providers-of-general-purpose-ai-models
[2] https://futurium.ec.europa.eu/en/european-ai-alliance/blog/general-purpose-ai-code-practice-now-available
[3] https://www.stibbe.com/publications-and-insights/eus-gpai-code-of-practice-the-worlds-first-guidance-for-general-purpose
[4] https://perkinscoie.com/insights/update/delayed-eu-code-practice-provides-compliance-framework-general-purpose-ai-models
[5] https://digital-strategy.ec.europa.eu/en/faqs/questions-and-answers-code-practice-general-purpose-ai
[6] https://www.taylorwessing.com/en/insights-and-events/insights/2025/07/update-ai-act
[7] https://www.jdsupra.com/legalnews/delayed-eu-code-of-practice-provides-3360445/
[8] https://www.nelsonmullins.com/insights/alerts/privacyanddatasecurityalert/all/the-eu-commission-publishes-general-purpose-ai-code-of-practice-compliance-obligations-begin-august-2025
[9] https://www.lexology.com/library/detail.aspx?g=62b005db-4826-4430-9b61-ed5ec5627c3b
[10] https://www.paulweiss.com/insights/client-memos/eu-commission-publishes-its-code-of-practice-for-general-purpose-ai-what-you-need-to-know
[11] https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers
