EU AI Act: GPAI Model Obligations in Force and Final GPAI Code of Practice in Place
On July 10, 2025, the European AI Office published the final version of the Code of Practice (CoP) for providers of General Purpose AI (GPAI) models under the EU Artificial Intelligence Act (EU AI Act). This CoP serves as a voluntary guide prepared by independent experts to assist GPAI providers in demonstrating compliance with their obligations under the EU AI Act. The CoP consists of three key chapters:
- Transparency
- Copyright
- Safety and Security
The CoP imposes extensive obligations on GPAI providers, including specific guidelines for designing compliance and audit structures that may conflict with existing processes and responsibility concepts. However, it leaves several questions unanswered, such as the criteria for reporting serious incidents, allowing GPAI providers some flexibility in implementation.
Background
The AI Office is a center of AI expertise established within the European Commission, tasked with governing and regulating GPAI models. Under Article 56 (1) of the EU AI Act, the AI Office is responsible for drafting codes of practice to help GPAI providers comply with their obligations under Article 53 and subsequent articles. The AI Office also has the authority to request information and evaluate GPAI models.
Following the publication on July 10, the European Commission and the AI Board endorsed the CoP on August 1, marking the applicability of the EU AI Act’s rules for GPAI models on August 2. New GPAI models placed on the market after this date must comply immediately, while existing models have until August 2, 2027 to achieve compliance.
Scope and Definitions
The CoP applies exclusively to GPAI models, defined as AI models displaying significant generality and capable of performing a wide range of distinct tasks. This includes models that can be integrated into various downstream systems or applications. The CoP also delineates obligations for models classified as having systemic risks, which are defined as those with significant impacts on public health, safety, or society.
Notably, open-source GPAI models are generally exempt from the CoP, except where systemic risks are involved. The CoP also considers the needs of small- and medium-sized enterprises (SMEs), including startups.
Structure and Key Requirements
Transparency
Providers of GPAI models must complete a detailed model documentation form to meet transparency obligations towards the AI Office, national supervisory authorities, and downstream providers. This documentation must cover technical properties, training, energy consumption, and intended use of the GPAI model. The AI Office has provided a mandatory template for a public summary of the model’s training data.
Furthermore, GPAI providers are required to publicly disclose contact information for the AI Office and downstream providers, ensuring relevant information is accessible within a 14-day timeframe upon request. They must also protect their intellectual property while promoting transparency.
Copyright
The Copyright chapter emphasizes the necessity of GPAI models respecting intellectual property rights. Providers must implement a copyright policy overseen by designated individuals and are encouraged to maintain a summary of this policy publicly. When utilizing web crawlers for training, providers must comply with limitations and ensure lawful access to content.
Providers must also designate a communication point for rightsholders and establish a process for handling complaints. This proactive engagement aims to enhance the participation of rightsholders and ensure compliance with copyright obligations.
Safety and Security
The Safety and Security chapter outlines extensive rules for GPAI models with systemic risks, including processes for identifying and mitigating these risks. Providers must develop a Safety and Security Framework and notify the AI Office upon its establishment. They are also required to conduct systemic risk analyses and document acceptable risks based on predefined tiers.
Providers must prepare a Safety and Security Model Report that details the GPAI model design and risk assessments before market placement. This documentation must be updated if significant changes occur, ensuring ongoing compliance and transparency.
Impact and Enforcement
While the CoP is not legally binding, non-compliance with the EU AI Act can result in fines of up to 3% of global annual turnover or €15 million, whichever is higher. Adherence to the CoP may mitigate penalties, as the AI Office recognizes good faith efforts by signatories to comply.
Compliance with the CoP may also reduce the risk of civil claims. Although the EU AI Act does not establish a dedicated legal basis for damage claims, comprehensive documentation may aid providers in defending against potential claims.
Outlook
While certain CoP requirements may shape industry norms, the absence of extraterritorial copyright obligations offers GPAI providers operational flexibility. Signatories can utilize the CoP to signal alignment with evolving expectations without significantly altering current practices.
