The GPAI Code of Practice provides guidelines for compliance with the EU AI Act, focusing on safety, security, transparency, and copyright management.
Since the General-Purpose AI (GPAI) Code of Practice (the Code) was published on July 10, 2025, the European Commission and the AI Office confirmed on August 2 that the Code is an adequate tool for demonstrating compliance with the EU Artificial Intelligence Act (the AI Act), covering the obligations provided for in Articles 53 and 55. The Commission also published the list of AI model providers who have signed it so far. Anella Buković, an expert on the matter, breaks down the Code and its impact on deployers.
The Code is a voluntary tool, and for now, it is the only document that GPAI model providers can use as guidance while adhering to the AI Act. As such, it sets a strong precedent and carries major implications primarily for GPAI model developers (or providers as defined by Article 3 of the AI Act), but also for GPAI model deployers, regulatory authorities and users.
The Code is divided into three chapters: Safety and Security, Transparency, and Copyright.
Safety and Security
Even though the Safety and Security chapter is the most comprehensive one, it is relevant only for a small number of providers of the most advanced models, specifically, those subject to the obligations of the AI Act for providers of GPAI models with systemic risk as outlined by Article 55 of the AI Act. Moreover, the Code allows for simplified and less detailed ways of adhering to some commitments for small and medium enterprises and small mid-cap enterprises, proportionate to the extent necessary to reflect capacity constraints.
The Safety and Security chapter consists of ten commitments detailed in 32 measures that cover the entire life cycle of a GPAI model. It introduces a Safety and Security Framework that needs to be maintained by the GPAI model provider, which includes pre-release descriptions of the systemic risks, their mitigations and organizational responsibilities. GPAI providers also need to:
- identify the systemic risks pre-release and implement post-market monitoring that includes independent external evaluators;
- determine the acceptable risks;
- integrate safety and security measures;
- report on the safety and security model implemented (Model Reports);
- determine clear roles and responsibilities for managing the systemic risks;
- allocate sufficient resources; and
- nurture a healthy risk culture that includes whistleblower protection.
Additionally, serious incidents along the entire model lifecycle, and possible corrective measures to address them, must be promptly documented and reported to the competent authorities within the prescribed timelines (e.g. for serious disruptions of critical infrastructure, no later than two days from their detection).
Finally, GPAI providers must keep the relevant documentation for at least ten years after placing the model on the market and publish summaries of their Safety and Security Framework and Model Reports to ensure transparency, if and insofar as this is necessary to assess and/or mitigate systemic risks.
All of these commitments and measures have to take into account all the relevant actors along the AI value chain and be regularly updated (with changelogs, when required).
This chapter highlights the product safety aspect of the AI Act and provides guidance in applying rules for ‘regular’ products to AI systems, addressing risks to health, safety and fundamental rights through risk assessments and mitigations, risk-based requirements, post-market monitoring and incident reporting.
While the Safety and Security chapter is extremely useful in laying the groundwork for compliance, GPAI providers could face issues similar to those data controllers faced once the EU General Data Protection Regulation (GDPR) entered into force: many of the described measures and terms are not concretely specified, relying instead on wording such as ‘appropriate’ or ‘proportionate’, which proved problematic under the GDPR and remains one of the main grounds for GDPR fines. This could cause headaches for organizations without robust legal, safety, and security teams, unless further guidelines or recommendations are issued by the Commission or regulatory authorities.
Consequently, the bar for GPAI model conformity, especially its robustness, compliance, and oversight, is set high, which could increase development costs and delay development cycles. However, bearing in mind the proportionality of systemic risks and the protection of fundamental rights, the high bar for such requirements seems necessary.
Transparency
The Transparency chapter promotes trustworthiness and accountability, focusing on the documentation obligations laid out in Article 53 (a) of the AI Act. It consists of one commitment, detailed in three measures; the measures do not apply to free and open-source models, unless they are GPAI models with systemic risk.
The measures mandate that GPAI providers keep detailed and current documentation on GPAI models before placing them on the market, which must contain at least the information requested in the Model Documentation Form provided in this chapter. As in the Safety and Security chapter, this documentation must be preserved for at least 10 years after placing the model on the market.
The aim of the Model Documentation Form is to simplify and standardize the documentation requirements and outline the required elements along with explanatory information. This includes detailed technical documentation about the models, their properties, inputs and outputs, licenses and use, data used for their training, computational resources, and energy consumption. All information provided by signatories and required in the Model Documentation Form is covered by the confidentiality obligation set out in Article 78 of the AI Act.
Moreover, to ensure accountability, signatories of the Code must provide contact information for the AI Office and downstream providers (providers of AI systems who intend to integrate the GPAI model into their AI systems) to request documentation access. Relevant documentation needs to be provided upon request to the AI Office within the timeframe specified in the request; and to downstream providers within 14 days.
The documentation must be controlled for quality and integrity, protected from unintended modifications, and stored securely to demonstrate compliance.
Transparency’s biggest impact is that it represents an effective tool for building trust with all stakeholders in the AI system value chain, as well as a means to reduce risks for GPAI providers who proactively communicate their systems’ information and limitations in a standardized and structured way.
Copyright
The Copyright chapter governs how GPAI models handle copyrighted content, affecting their providers, deployers, users, and rights holders. The Code’s signatories undertake to fulfill one main commitment, establishing a comprehensive copyright policy for their GPAI models, detailed in four measures. Moreover, the signatories remain responsible for making their policies compliant with EU and national copyright and related rights laws, prior to undertaking any copyright-related activities.
The copyright policy drawn up by the signatories must incorporate the measures detailed in the Copyright chapter, most notably drawing up, updating, and implementing the policy itself and clearly defining internal responsibilities.
When using web crawlers to scrape or compile data, their access must be limited to lawfully accessible works, and circumventing technological measures designed to prevent unlawful or unauthorized access is not allowed. Any crawling system must be able to identify and comply with machine-readable rights reservations, including robots.txt files.
Information about the web crawlers employed and other measures adopted to comply with rights reservations should be made available to affected rights holders. Signatories that also provide an online search engine as defined in the EU Digital Services Act (DSA) are encouraged to take measures to ensure that their compliance with rights reservations does not adversely impact the indexing of content in their search engine.
Signatories will commit to implement appropriate and proportionate technical safeguards designed to minimize the risk of their models generating copyright-infringing outputs, and to explicitly prohibit copyright-infringing uses of their model in their acceptable use policies.
The goal is for providers of downstream AI systems that have integrated a GPAI model to mitigate the risk of the system infringing any rights in works protected by copyright or related rights. These measures should apply regardless of whether the model is used directly or through a third party.
The final measure listed in the Copyright chapter is designating a point of contact for the affected rights holders and providing accessible information about it, along with a mechanism that allows them, their representatives, and collective management organizations to submit complaints electronically. Such complaints should be dealt with in a non-arbitrary and timely manner, except for those that are manifestly unfounded or repetitive. This commitment does not affect other legal remedies and sanctions available to rights holders under EU and national law.
The Copyright chapter empowers rights holders, helps GPAI model providers, downstream providers and deployers to stay compliant and aims to reduce litigation and reputational risks for GPAI model providers.
What the Code means for deployers
Even though the Code is primarily aimed at GPAI providers, it also impacts GPAI model deployers – organizations that integrate and apply GPAI models into their products, services, or workflows. The Code explicitly addresses all stakeholders, including deployers, framing AI governance and risks mitigation as a shared duty. The AI Act introduces a shared responsibility for providers and deployers in ensuring AI literacy, providing training, and documenting learning outcomes for staff interacting with AI tools.
The Code provides a how-to for deployers using GPAI models, ensuring their use is in line with the provider’s policies and instructions, and offering an AI governance benchmark that deployers can align their internal policies with. This is especially important to ensure responsible use by deployers, in line with the intended use of the GPAI model. It also helps deployers better understand the provider’s commitments, which can inform the deployer’s selection of vendors and GPAI providers.
The Code can be useful as a tool to manage the deployer’s downstream risks and monitor their own regulatory alignment, ensuring transparency, ethical use, data governance, and technical compliance. By adhering to the Code, deployers can proactively mitigate operational and reputational risks and implement clear ethical rules of their GPAI model use.
Conclusion
Any gaps in the current Code logically stem from gaps and peculiarities in the AI Act itself, since it is a soft-law instrument aimed at compliance with the AI Act. In my opinion, these stem from the fact that the AI Act tries to match fundamental rights issues with product safety rules. While product safety rules are important and can be a crucial tool for AI governance, they are limited when it comes to tackling the risks to fundamental rights.
This could have been at least slightly alleviated by including clear references to fundamental rights such as personal data protection in the GPAI Code of Practice, highlighting a holistic approach and ensuring consistent application of the EU’s digital regulation. Since the GDPR already set a framework for ensuring compliance, and organizations have already implemented it, it is a missed opportunity that it is completely left out of the Code, while references to the DSA or copyright and intellectual property directives were included.
For example, while the Code sets some rules for transparency, it does not mention or reference Articles 13 and 14 of the GDPR, which were the basis for fines imposed on some GPAI model providers in the EU. Additionally, the transparency commitments from the Safety and Security chapter do not mention or reference the transparency obligations from the Transparency chapter, even though this would make the comprehension of the overall transparency obligations easier.
While outlining the security mitigations, the Code does not reference Article 32 of the GDPR nor the NIS 2 Directive (when appropriate).
The risk analysis mentioned in the Safety and Security chapter represents a key ambiguity, and it is yet to be seen how the Commission will address or standardize such risk analyses or their potential interplay with the GDPR’s Data Protection Impact Assessments. Moreover, while listing appropriate methods for conducting systemic risk analysis, the Code failed to include data protection experts or data protection officers, which could have been a valuable reference and reminder. Additionally, even though the Code sets out some exceptions for small and medium-sized enterprises, it is not clear specifically how they will demonstrate their compliance in practice.
However, even if any gaps exist, the GPAI Code of Practice is a welcome and valuable tool for ensuring compliance. The Code promotes a strong product safety culture and provides guidance for challenges set by the AI Act, underscoring that compliance is not a checklist but a continuous process and strategy.
