Introduction

The General-Purpose AI (GPAI) Code of Practice is a voluntary framework designed to assist AI model providers in aligning with the EU AI Act’s requirements. It aims to ensure transparency, safety [1] [2] [4] [5] [6] [8] [9] [10], and compliance within the European market for general-purpose AI models.

Description

Providers of general-purpose AI models are encouraged to sign the General-Purpose AI (GPAI) Code of Practice by completing a Signatory Form [7] [10], which must be submitted by an authorized individual [7] [10], such as a senior executive [7]. While there is no set deadline for signing [10], existing providers are urged to do so before 1 August 2025 [10], when public listings of signatories will be made available. This date coincides with the enforcement of the AI Act’s obligations on 2 August 2025 [7], although enforcement by the AI Office will not begin until 2026 for new models and 2027 for existing models [5]. This phased approach ensures that general-purpose AI models in the European market are safe and transparent [4] [5]. Signing the Code signifies a commitment to compliance [7], facilitating adherence to specific articles of the AI Act and providing legal clarity for providers.

The final version of the Code [3], developed through a multi-stakeholder process involving over 1,400 participants and drafted by thirteen independent experts [1], serves as a voluntary tool to assist AI developers in meeting the EU AI Act’s requirements on transparency [6], safety [1] [2] [4] [5] [6] [8] [9] [10], and intellectual property [6]. It comprises three chapters: Transparency and Copyright [1] [6] [9], which applies to all providers [1] [9], and Safety & Security [1] [4] [6] [9] [10], which is relevant to a select group of advanced model providers [1]. The Transparency chapter includes a user-friendly Model Documentation Form to facilitate necessary documentation [9], specifying obligations for signatories when marketing a general-purpose AI model [4]. This includes maintaining up-to-date model documentation [4], providing relevant information through a public website or contact details for the EU AI Office [4], and ensuring the quality [4], integrity [4], and security of information [4]. Providers must detail critical aspects of model design, including data sources [6], training processes [7], intended use cases [6], energy consumption [2], licensing [2] [6], distribution [2], and acceptable use [2]. This comprehensive documentation must be accessible to those deploying the model and regulators upon request [6], ensuring transparency while protecting sensitive business information [6]. Emphasis is placed on disclosing data provenance and documenting model authenticity, which is essential for ensuring compliance with the AI Act and respecting copyright protections to prevent the reproduction of copyrighted works.

The extensive Safety & Security chapter outlines state-of-the-art practices for managing systemic risks associated with general-purpose AI models, including ten commitments for signatories [4]. These include establishing a comprehensive risk management framework, identifying and analyzing systemic risks [4], conducting structured risk assessments [6], and implementing ongoing post-market monitoring to track real-world performance and address any incidents promptly [6]. Documentation retention is required for at least ten years post-market release [2], and independent audits of high-impact models are mandated to ensure compliance with safety standards [6]. The guidance on transparency and copyright is relevant to all general-purpose AI model providers [8], while the safety and security sections specifically address the most advanced model providers [8].

Once the Code is endorsed by Member States and the Commission, signatories can utilize it to demonstrate compliance [10], gaining increased trust from the Commission and stakeholders [10]. Providers who voluntarily sign the Code may benefit from reduced administrative burdens and enhanced legal certainty compared to other compliance methods [5]. It is important to note that opting out of any chapters in the Code will result in the loss of compliance facilitation benefits. Providers who do not adhere to the Code must find alternative ways to demonstrate compliance and will be subject to increased scrutiny, including the requirement to report their compliance measures to the AI Office, which may include a gap analysis.

The AI Office will monitor adherence among providers and prioritize enforcement efforts on those who sign the Code, offering predictability and reducing administrative burdens [7]. Recognizing that signatories may need time to implement the Code’s measures [10], the AI Office will consider good faith efforts in this regard [10]. The Code will be reviewed every two years to address technological advancements or shifts in risk [1], with potential updates communicated to signatories. Providers not developing general-purpose AI models with systemic risk may choose to sign the Safety and Security chapter [10], indicating which models will follow its measures [10]. Signatories can withdraw their commitment to the Code at any time [10]. The Code will also be supported by forthcoming Commission guidelines on general-purpose AI [5], which will clarify the applicability of the AI Act’s rules [5]. The Computer & Communications Industry Association (CCIA Europe) [3], representing a diverse range of communications and technology firms [3], has expressed its commitment to supporting the development of a robust European digital economy and has been actively involved in EU policy-making since 2009 [3].

Conclusion

The GPAI Code of Practice represents a significant step towards ensuring that AI models in the European market are developed and deployed with transparency and safety in mind. By aligning with the EU AI Act, the Code provides a structured approach for compliance, potentially reducing administrative burdens and enhancing legal certainty for providers [5]. The phased implementation and regular reviews ensure that the Code remains relevant and effective in addressing emerging technological and regulatory challenges.

References

[1] https://digital-strategy.ec.europa.eu/en/faqs/questions-and-answers-code-practice-general-purpose-ai
[2] https://www.cio.com/article/4020130/eu-finalizes-general-purpose-ai-code-of-practice-for-enterprises.html
[3] https://ccianet.org/news/2025/07/ai-act-eus-final-gpai-code-imposes-disproportionate-burden-improvements-required/
[4] https://ipwatchdog.com/2025/07/10/eu-publishes-code-practice-deadline-ai-acts-provisions-general-purpose-ai-models-nears/id=190257/
[5] https://www.scl.org/eu-general-purpose-ai-code-of-practice-now-available/
[6] https://www.stibbe.com/publications-and-insights/eus-gpai-code-of-practice-the-worlds-first-guidance-for-general-purpose
[7] https://digital-strategy.ec.europa.eu/en/library/ai-office-invites-providers-sign-gpai-code-practice
[8] https://economictimes.indiatimes.com/tech/artificial-intelligence/eu-code-of-practice-to-help-firms-with-ai-rules-will-focus-on-copyright-safety/articleshow/122363933.cms
[9] https://aitransparencyinstitute.com/general-purpose-ai-code-of-practice-now-available/
[10] https://digital-strategy.ec.europa.eu/en/faqs/signing-general-purpose-ai-code-practice