Code of Practice for General-Purpose AI Models Published: Compliance Just Got Clearer (Participation Still Optional)

On 11 July 2025, the European Commission published the final version of its Code of Practice for General-Purpose Artificial Intelligence (GPAI). This Code is meant to serve as a tool for GPAI model providers, helping them to comply with the transparency, copyright and security provisions governing general-purpose AI models as set out in the AI Act (arts. 53 and 55), which will become applicable on 2 August 2025. Adherence to the Code is on a voluntary basis.

Developed by independent experts through a multi-stakeholder process, the Code of Practice is structured around three chapters: (i) Transparency, (ii) Copyright, and (iii) Safety and Security. This last chapter is addressed to the providers of GPAI models presenting systemic risk and will not be discussed in this alert.

The Code of Practice provides guidance on documenting compliance with the relevant obligations, but it is clearly stated that “adherence to the Code does not constitute conclusive evidence of compliance with these obligations under the AI Act”.

Chapter 1: Transparency

Providers of GPAI models are subject to the transparency obligations set out in article 53(1)(a) and (b) of the AI Act. As such, they are required to draft and update documentation about the functioning of their GPAI models and provide such information to the AI Office, national authorities and the downstream providers of AI systems who use their GPAI models. In addition to the specifications in Annexes XI and XII of the AI Act, providers may now commit to the Transparency chapter of the Code of Practice. Three measures are outlined in the Code of Practice:

Measure 1.1 – Drawing up and maintaining current model documentation

By virtue of the AI Act, GPAI model providers must draft and update documentation covering inter alia the tasks that the GPAI model can perform, the type and nature of the AI systems into which it can be integrated, acceptable use policies, technical information (architecture, parameters, modalities, formats of input and output), information about the distribution and the license. The obligations vary slightly depending on whether the documentation is meant for the AI Office and the national authorities (Annex XI), or the downstream providers (Annex XII).

The most concrete outcome of the Code of Practice is the Model Documentation Form. This model form contains the minimum information GPAI model providers commit to provide and they “may choose” to complete the Model Documentation Form to comply with that commitment. The information that should be made available (on request) to the AI Office, national competent authorities and/or downstream providers is brought together in one form, with an indication for which addressee each item of information is intended.

Measure 1.2 - Providing relevant information

Providers of GPAI models must publicly disclose contact information via their website or through “other appropriate means”, so the AI office and downstream providers can request access to relevant information, especially the information in the Model Documentation.

The Model Documentation Form itself reminds the provider that the information to the downstream providers must be provided proactively, while the information intended for the AI office must be made available at the AI Office’s request. It also summarizes what should be mentioned in the request, and makes some observations relating to the information to be disclosed and the confidentiality obligations to which the AI Office (and the national competent authorities) are subject.

Measure 2.3 – Ensuring quality, integrity, and security of information

Signatory GPAI model providers remain responsible for the quality and integrity of the documented information, which serves as evidence of compliance with the AI Act. They are “encouraged” to ensure the quality and security of the information and records by following “established protocols and technical standards”.

Chapter 2: Copyright

The AI Act contains explicit references to the “Union law on copyright and related rights”. The interplay between the regulatory obligations in the AI Act and copyright law (harmonized at the EU level, but in essence still governed by national law) is complex, not least due to the extra-territorial effect of the AI Act.

The Copyright chapter of the Code of Practice provides guidance on the proper application of the obligation on GPAI model providers to put in place a “policy to comply with the Union law on copyright and related rights”, in particular, as regards the exception for text and data mining and the “opt-out” in article 4(3) of Directive 2019/790 (art. 53(1)(c) of the AI Act). The obligation to disclose information about the content used to train the GPAI models is not covered in the Code of Practice.

Interestingly, the recitals of the copyright chapter require the signatories to “acknowledge” that Union copyright law is provided in directives and it identifies Directives 2001/29 and 2019/790 as particularly relevant in relation to the AI Act (rec. (c)(i)). Nevertheless, the signatory GPAI model provider remains responsible for verifying that their copyright policy also complies with the national implementation of Union law (point 2 of commitment 1 – copyright policy).

Measure 1.1 Draw up, keep up-to-date and implement a copyright policy

In accordance with the Code of Practice, GPAI model providers should “draw up, keep up-to-date and implement” a copyright policy, which they should describe in one single document. It is suggested (but not required) that a summary of the policy be made publicly available.

Measure 1.2 Reproduce and extract only lawfully accessible copyright-protected content when crawling the World Wide Web

GPAI model providers who use web-crawlers for collecting training data are required to commit to not circumventing “effective” technological protection measures (as provided in art. 6(3) of Directive 2001/29) and to excluding websites that are known for “persistently and repeatedly” infringing copyright on a commercial scale (as recognized by courts or public authorities in the EU or the EEA).

Measure 1.3 Identify and comply with rights reservations when crawling the World Wide Web

Web-crawlers used (directly or indirectly) by the GPAI model providers should observe the machine-readable reservation of rights under article 4(3) of Directive 2019/790. The Code of Practice now explicitly mentions the Robot Exclusion Protocol (robots.txt) as a protocol to follow. Other “appropriate machine-readable protocols” to express rights reservations may arise, and Code signatories commit to identifying and complying with any such protocols that are either adopted by international or European standardization organizations, or are otherwise “state of the art”. Emphasis is placed on the importance of voluntary, bona fide discussions on the development of workable technical standards.

A notable commitment is requested from those providers of GPAI models that also provide web search engines: such providers must observe the opt-outs expressed, e.g., in the robots.txt files, but must ensure this does not lead to “adverse effects” on the presentation of this content in the search results of the search engine. The idea is to limit the risk of “retaliation” for opting out of the crawling by AI bots.

Measure 1.4 Mitigate the risk of copyright-infringing outputs

Providers of GPAI models are required to adopt “appropriate and proportionate technical safeguards” to prevent infringing output and to prohibit copyright infringing use by the users in the “acceptable use policy”. This commitment highlights an interesting tension between the AI Act, which seems to be satisfied with the provider’s best effort to prevent copyright infringement, and many national copyright laws, which take a strict liability approach to copyright infringement.

Measure 1.5 Designate a point of contact and enable the lodging of complaints

Finally, signatories commit to designating a point of contact for electronic communication with affected right holders, and putting in place a mechanism to handle complaints regarding non-compliance with the commitments in the copyright chapter of the Code of Practice.

Conclusion

With this Code of Practice, the Commission is pushing GPAI model providers to comply with the AI Act in a practical way, but without removing the legal uncertainties as to the interpretation of the AI Act. The Code of Practice rightly specifies that, ultimately, only the interpretation of the Court of Justice of the European Union is binding.

While the Model Documentation Form is potentially a useful practical tool, complex questions regarding the interplay between the AI Act and EU and national copyright law, some of which have been highlighted above, are perhaps in even more urgent need of answering.

Since adherence to the Code of Practice is voluntary and the advantages of committing to it are not guaranteed, it remains to be seen whether it will have a meaningful impact on the functioning of the internal market, the uptake of human-centric and trustworthy AI and the high level of protection of health, safety and fundamental rights enshrined in the EU Charter.