EU AI Act: European Commission Publishes General-Purpose AI Code of Practice

The publication of the General-Purpose AI Code of Practice ("Code of Practice") follows the EU Commission's release earlier this year of a draft version of a template for summarizing training data used in general-purpose AI models, the final version of which was published on 24 July 2025 (see our previous Commentary). It marks a pivotal moment in the staggered compliance deadlines of the EU's AI Act. It follows the AI Act's entry into force on 1 August 2024, and the first compliance deadline of 2 February 2025 for prohibited AI systems and AI literacy (see our Commentary on prohibited AI systems and AI literacy). 

Legal Framework 

The Code of Practice is a voluntary tool developed through a multistakeholder process involving nearly 1,000 participants. It is designed to help GPAI model providers meet their obligations under the AI Act. GPAI includes artificial intelligence models that are designed to perform a wide-range of tasks across various domains—including capabilities such as natural language processing, image recognition, and data analysis—often used as the basis for developing more specialized AI applications. While adherence to the Code of Practice does not eliminate regulatory risk, it creates a strong framework for demonstrating compliance with Articles 53 and 55 of the AI Act, in accordance with its Article 53(4). 

Providers that do not adopt the GPAI Code of Practice, or a comparable framework, will need to engage in a more complex compliance effort and may come under closer scrutiny by the AI Office and national authorities, with the prospect of administrative fines of up to €15 million or 3% of global turnover in case of infringement of the GPAI-related AI Act provisions. 

These fines will apply: 

• From 2 August 2026, for GPAI models where both original and modified versions were placed on the EU market after 2 August 2025; and 
• From 2 August 2027, for GPAI models where both unmodified and modified were placed on the EU market on or before 2 August 2025.

It remains unclear, however, whether modified GPAI models placed on the EU market after 2 August 2025 and derived from an original GPAI model placed on the market on or before 2 August 2025, will be subject to regulatory enforcement as of 2 August 2026, or 2 August 2027.

The respective one- or two-year grace periods for regulatory enforcement do not exclude risks of private litigation in case of noncompliance. 

The Code of Practice should be read in conjunction with both: (i) the guidelines on key concepts for GPAI models that provide an interpretative framework helping providers of GPAI models understand their obligations under the AI Act (published on 18 July 2025); and (ii) the template for summarizing training data used in GPAI models, outlining key data sources and supporting stakeholders, such as copyright holders, in exercising their rights under EU law (published on 24 July 2025).

Code of Practice's Structure and Key Provisions 

The Code of Practice is divided into three chapters dedicated to different issues: (i) transparency; (ii) copyright; and (iii) safety and security. The first two chapters guide providers of GPAI models on how to meet their obligations under Article 53, while the third chapter applies to a smaller number of providers of the most advanced models subject to Article 55's systemic-risk provisions.

1. Transparency Chapter—Operationalizing Article 53(1)(a)–(b) of the AI Act 

• Model Documentation Form. Providers must complete a detailed template covering architecture, training methodologies, data provenance, computational resources, and energy consumption. The documentation must be retained for at least 10 years and made available to downstream system providers and, upon request, to the AI Office or national authorities.
• Information Sharing. Providers are required to establish channels for timely disclosures to downstream users, enabling those users to perform their own AI Act compliance assessments.
• Trade-Secret Safeguards. The Code of Practice balances transparency with intellectual property protection by permitting redactions where strictly necessary to protect trade secrets, provided the withheld information can be inspected in a secure environment by regulators.

2. Copyright Chapter—Respecting EU Copyright Law (Article 53(1)(c) of the AI Act)

• Written Copyright Policy. Providers must adopt a board-level policy assigning organizational responsibility for copyright compliance. 
• Lawful Web-Crawling. Training data must be "lawfully accessible", and providers must honor machine-readable opt-outs (e.g., robots.txt); data scraped from sites "persistently and repeatedly infringing copyright" is prohibited.
• Safeguards Against Copyright-Infringing Outputs. Providers must implement appropriate and proportionate technical safeguards to prevent their models from generating infringing content, prohibit copyright-infringing uses in their acceptable use policy, and maintain an online mechanism for right-holder complaints.

3. Safety & Security Chapter—Systemic-Risk Management (Article 55 of the AI Act)

• Safety & Security Framework. Providers must adopt a document describing their systemic risk-management processes, and regularly update such framework. 
• Serious-Incident Reporting. Providers must notify the AI Office of serious incidents within two to fifteen days, depending on severity.
• Cybersecurity Controls. Providers need adequate cybersecurity measures for their models and physical infrastructure, covering the entire model lifecycle to protect against unauthorized release, access, or model theft.
• Safety and Security Model Report. Before placing a model on the market, providers must prepare a Model Report detailing how they assess and mitigate systemic risk; this report must be kept current.

What's Next? 

EU Member States and the EU Commission will review the GPAI Code of Practice in the coming weeks. According to the timeline published on the EU Commission's GPAI Code of Practice webpage, the AI Office and AI Board will assess the Code of Practice and may approve it via an adequacy decision on 2 August 2025.

Once the Code of Practice is endorsed by EU Member States and the EU Commission, AI model providers who voluntarily sign it can rely on the Code of Practice to demonstrate compliance with the AI Act. Several prominent GPAI model providers have already indicated their willingness to become signatories after the Code of Practice's endorsement by the relevant authorities. 

Starting on 2 August 2025, the AI Office will work closely with the Code of Practice signatories, ensuring that their GPAI models can be placed on the EU market without delay. If providers do not fully implement all commitments immediately upon signing, the AI Office will not view these providers as having breached their commitments under the Code of Practice or violated the AI Act. Instead, the AI Office will recognize their good-faith efforts and collaborate to achieve full compliance. However, starting on 2 August 2026, the EU Commission will enforce all obligations for providers and may impose fines for any noncompliance.