GPAI Code of Practice – Final Version Published by European Commission

DLA Piper

[co-authors: Richard Falk, Daniel Werner]

The European Commission has published the final version of a general-purpose AI (“GPAI”) Code of Practice. We took a deeper look into it and prepared a short summary to help you understand what the GPAI Code of Practice is, what it is for and what it is about.

Background

The rules for GPAI models are a key part of Regulation (EU) 2024/1689, also known as the EU Artificial Intelligence Act (“AI Act”), which sets out common standards for AI across the EU. GPAI models are AI models whose abilities are not limited to a specific use case, but which are capable of performing a wide range of distinct tasks (Art. 3 no. 63 AI Act). This includes, in particular, so-called large language models (LLMs), such as GPT-4 (OpenAI), Llama 2 (Meta), Gemini (Google), Claude (Anthropic) or the open source model BLOOM (BigScience), to name just a few, which, inter alia, also form an integral part of AI chatbots.

According to the AI Act, providers of GPAI models – i.e. individuals or legal entities (i) developing a GPAI model or having it developed by a third party and (ii) placing it on the market under their own name or trademark (Art. 3 no. 3 AI Act) – are obliged to comply with a number of requirements. For “simple” GPAI models, these are in essence (i) technical documentation, (ii) information and documentation for integrating the particular GPAI model into downstream systems, (iii) compliance with EU copyright and related rights and (iv) drawing up and making publicly available a detailed summary of the underlying training material (Art. 53(1) AI Act). For so-called “GPAI models with systemic risk” (Art. 51 AI Act), providers have to adhere to additional requirements, such as model evaluation, risk assessment and mitigation, incident reporting and ensuring adequate levels of cybersecurity (Art. 56 AI Act).

What are codes of practice and what are they for?

Codes of practice are sets of documents developed in cooperation by stakeholders from, inter alia, GPAI model providers, competent authorities, civil society, industry and academia, aimed at proper compliance with applicable AI Act requirements (Art. 56(1) and (3) AI Act), all encouraged and facilitated by the so-called AI Office, the European Commission’s central point of expertise and capabilities concerning AI (Art. 64(1) AI Act). As a tool to support GPAI providers (recital 117 sentence 1), codes of practice shall specify the providers’ obligations outlined in Art. 53 and 55 AI Act and, as such, specifically focus on

  • means to ensure that particular information is drawn up, kept up-to-date and made available by GPAI model providers (Art. 53(1)(a) and (b) AI Act) in line with latest market and technical developments;
  • level of detail of content used for GPAI training activities;
  • identification of systemic risks; and
  • measures, procedures and modalities for proper assessment and management of systemic risks including documentation (Art. 56(2) AI Act).

Codes of practice shall also include clear objectives, commitments and measures, including, as appropriate, key performance indicators (Art. 56(4) AI Act).

How can Codes of Practice be helpful?

Technically, codes of practice do not have binding legal effect. Under Article 56(7), sentence 1 of the AI Act, the AI Office may only encourage GPAI model providers to adhere to such codes. However, providers who sign the GPAI code of practice, even if they do not fully implement all commitments immediately after signing, will benefit from a one-year grace period. During this time, they will not be considered in breach of the AI Act but rather seen as acting in good faith toward compliance. Full enforcement of all obligations for GPAI model providers, including the imposition of fines, will then only begin on 2 August 2026.

Furthermore, in order to demonstrate compliance with AI Act obligations, GPAI model providers can rely on a code of practice issued by the AI Office (Art. 53(4) sentence 1 and Art. 55(2) sentence 1 AI Act) as previously approved by the European Commission (Art. 56(6) para. 2 sentence 1 AI Act). This is, however, only the case as long as no suitable so-called harmonised standard (e.g., a European Norm or EN) in terms of Art. 40 AI Act is in place. Once such a standard is in place, it sets out the relevant requirements.

If neither an approved code of practice nor a harmonised standard is in place, providers are required to demonstrate alternative adequate means of compliance (Art. 53(4) sentence 3 and Art. 55(2) sentence 3 AI Act), as insufficient compliance with AI Act obligations carries the risk of a fine of up to 3 % of the provider’s total worldwide annual turnover in the preceding business year or EUR 15,000,000, whichever amount is higher (Art. 101(1)(a) AI Act).

However, if not yet approved by the European Commission, codes of practice may be useful to demonstrate a provider’s willingness to comply with applicable AI Act requirements. This should apply, in particular, if a code of practice is deemed adequate by the AI Office and the Board as they are responsible for assessing, regularly monitoring and evaluating codes of practice (Art. 56(6) AI Act). That said, even if a code of practice has not yet been officially approved by the European Commission, following it may still have a positive impact—especially when demonstrating compliance efforts. Public authorities may consider such efforts when deciding administrative fines. It is however not clear at this stage when and under which conditions the AI Office and the Board will deem a code of practice adequate.

Recently published GPAI Code of Practice

The recently published GPAI Code of Practice consists of three chapters: One committed to Transparency, one committed to Copyright, both suitable for all providers of GPAI models, and one committed to Safety and Security relevant to providers of GPAI models with systemic risk.

  • The chapter Transparency comprises a Documentation Commitment for GPAI model providers listing three transparency measures (in accordance with Art. 53(1)(a) and (b) AI Act) as well as a template to be completed with specific information about the GPAI model in question (the so-called Model Documentation Form).
  • The chapter Copyright encompasses a Copyright Policy Commitment describing five measures to comply with copyright law and related rights (Art. 56(1)(c) AI Act).
  • The chapter Safety & Security details a total of 10 commitments each describing specific measures for managing systemic risks, such as adopting a state-of-the-art Safety and Security Framework, identifying and analysing systemic risks, implementing cybersecurity protection measures and following additional documentation and transparency activities.

Next steps

Following publication of the GPAI Code of Practice on July 10, 2025, the AI Office and the AI Board are now to assess its adequacy by 2 August 2025 at the latest. Although the European Commission’s website suggests that the Commission and Member States will assess the adequacy of the GPAI Code of Practice, Article 56(6) of the AI Act clearly assigns this task to the AI Office and the AI Board. The Commission’s role is limited to approving the code through an implementing act. The GPAI Code of Practice will also be complemented by guidelines on key concepts related to GPAI models issued by the European Commission, expected to be published in July.

Once deemed adequate and approved by the Commission, GPAI model providers may sign the GPAI Code of Practice and rely on it to demonstrate compliance with the obligations set out in Art. 53(1) and 56(1) AI Act.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper
