March 21, 2026

EU AI Act: A Quick Guide to the GPAI Code of Practice (2026 Update)

If your business develops or deploys General-Purpose AI (GPAI), the grace period for figuring out the EU AI Act is officially over. As of August 2025, the core rules governing GPAI models went live. To help companies cut through the regulatory noise, the European AI Office released the final GPAI Code of Practice on 10 July 2025.

Whether you are building the next massive large language model or integrating one into your tech stack, you need to know exactly what this Code entails. Getting your house in order now isn’t just about ticking compliance boxes; it’s about avoiding crippling fines and locking down your market access in Europe. Here is the straight-talking, practical guide to mastering the GPAI Code of Practice.

Essential Definitions: Decoding the GPAI Code of Practice Jargon

Before diving into the operational requirements, let’s establish exactly what the regulators are targeting.

General-Purpose AI (GPAI): An AI model that displays significant generality, is capable of competently performing a wide range of distinct tasks (like natural language processing or image generation), and can be integrated into a variety of downstream systems. Think OpenAI’s GPT-4, Google’s Gemini, or Midjourney.

The Code of Practice (CoP): A voluntary framework drafted by independent experts and the EU AI Office. If you sign and adhere to the Code, you benefit from a “presumption of conformity” with the EU AI Act. In short: follow the Code, and the regulators will presume you are operating legally.

Systemic Risk: A classification reserved for the most powerful GPAI models (typically those trained above the threshold of $10^{25}$ floating-point operations, or FLOPs). These models have high-impact capabilities that could theoretically cause significant negative effects on public health, safety, or society as a whole.

The Three Pillars of the GPAI Code of Practice

The Code is strategically divided into three operational chapters. The first two apply to all GPAI providers, while the third is exclusively for heavyweights handling models with systemic risk.

Chapter Breakdown & Requirements

Chapter 1. Transparency
Target Audience: All GPAI Providers
Core Objectives & Practical Actions:
  • Standardised Documentation: You must use the “Model Documentation Form” to log architecture, training data, compute resources, and energy use.
  • Downstream Support: You must supply downstream developers with the technical details they need to comply with the Act, typically within a strict 14-day window.
  • Data Retention: Documentation must be securely retained for 10 years.

Chapter 2. Copyright
Target Audience: All GPAI Providers
Core Objectives & Practical Actions:
  • Board-Level Policy: Adopt and implement a formal, written policy ensuring compliance with EU copyright law.
  • Lawful Web Crawling: Respect machine-readable opt-outs (like robots.txt) and strictly avoid scraping blacklisted “pirate” websites.
  • Safeguards: Implement technical defences to prevent the model from generating copyright-infringing outputs and establish a complaint mechanism for rightsholders.

Chapter 3. Safety & Security
Target Audience: Systemic Risk Models Only
Core Objectives & Practical Actions:
  • Risk Management: Establish a rigorous framework to identify and mitigate systemic risks.
  • Red Teaming: Conduct state-of-the-art model evaluations and independent external testing.
  • Incident Reporting: Set up protocols for reporting serious incidents directly to the European AI Office, including immediate corrective measures.

The GPAI Code of Practice Compliance Timeline: Where Are We Now?

Timing is everything. The EU AI Act is taking a staggered approach, meaning your deadlines depend entirely on when your model hit the market.

  • 2 August 2025: The rules became legally applicable. Any new GPAI model placed on the market after this date must comply immediately (though the AI Office is offering a collaborative, soft-touch approach for CoP signatories during the first year).
  • 2 August 2026: The European Commission’s enforcement powers fully activate. Expect audits, investigations, and financial penalties for non-compliance.
  • 2 August 2027: The hard deadline for legacy models. If your GPAI model was already on the market before 2 August 2025, you have until this date to bring its documentation, copyright policies, and security frameworks up to standard.

Why You Should Sign the GPAI Code of Practice

You might be asking: If the Code is voluntary, why bother? Because the alternative is an administrative nightmare. If you choose not to sign, you must build your own bespoke compliance framework from scratch and prove to the European regulators that it is equally robust. By signing the Code, you secure a safe harbour. It gives your legal and engineering teams a clear, standardised blueprint to follow, reducing friction with downstream enterprise clients who need assurances that your model is legally sound.

Failure to comply with the underlying EU AI Act obligations can result in fines of up to €15 million or 3% of your global annual turnover—whichever is higher. The Code is your most efficient defence mechanism against that risk.

Next Steps

To properly execute this, your engineering, legal, and compliance teams need to be aligned. Have you already audited your current AI models to see if they cross the systemic risk threshold?

Frequently Asked Questions (FAQ)

Does the Code of Practice apply to open-source models?

Yes and no. Open-source GPAI models are generally exempt from the heavy documentation requirements in the Transparency chapter, provided they do not pose a systemic risk. However, they must still adhere to the rules outlined in the Copyright chapter.

What happens if a rightsholder complains about my model’s output?

Under the Copyright chapter, you are required to have a designated point of contact and an efficient, non-arbitrary process for handling complaints. You must act diligently to address the issue within a reasonable timeframe.

How do trade secrets factor into the transparency requirements?

The Code balances regulatory oversight with intellectual property protection. You are permitted to redact sensitive trade secrets from public or downstream documentation, provided the withheld information can still be inspected by regulators in a highly secure environment.

How do I actually sign the Code?

Providers can sign up by completing the official Signatory Form provided by the EU AI Office and submitting it to their dedicated signatures email address.