Transparency, copyright, security: has the EU’s General-Purpose AI Code of Practice found a fair balance? (EU)

The General-Purpose AI Code of Practice (“GPAI Code”) is the EU’s first detailed framework for providers of general-purpose AI models. Developed by the European Commission’s AI Office, the Code supports and operationalises the new obligations introduced under Chapter V of the European Union’s Artificial Intelligence Act (“AI Act”). While Chapter V entered into force on 2 August 2025, it will apply from August 2026, subject to transitional measures.

The AI Act is the first comprehensive framework for AI, based on a risk-tiered system approach that ranges from, prohibitions, stringent requirements for high-risk systems, and targeted transparency duties for lower-risk applications. The GPAI Code complements this regime by offering voluntary but detailed guidance to help providers of GPAI models demonstrate compliance in practice. Its objectives are to ensure that GPAI models are developed and deployed in a way that is safe, transparent, traceable, non-discriminatory and consistent with EU fundamental rights. 

The GPAI Code was drawn up by the European AI Office (“AI Office”) as a voluntary instrument for providers of general-purpose AI models. General-purpose AI refers to AI models and systems capable of performing a variety of tasks, at the instigation of the user – ChatGPT is probably the best-known example. Because such models may be used so widely, they can pose systemic risks if they fail. The AI Act introduced baseline obligations to address these risks, which entered into force on 2 August 2025 and will apply from August 2026, subject to transitional measures.  The GPAI Code now provides detailed implementation  guidance on how those obligations should be met in practice. 

The GPAI Code is divided into 3 chapters which we consider in turn: Transparency, Copyright and Safety and security. 

Transparency

The GPAI Code places a strong emphasis on documentation and disclosure, requiring providers of GPAI models to maintain clear records and share essential information with regulators, downstream providers and the public. These duties reflect the obligations in Article 53 of the AI Act, which require providers to: (i) draw up and maintain technical documentation for each model to the AI Office, and (ii) provide necessary information to providers of AI systems who may wish to integrate the model into their system (known as ‘downstream providers’), and (iii) publish a summary of the content used to train the model.

To assist with this requirement, the GPAI Code introduces a Model Documentation Form, designed to compile all the information required under the AI Act in a single, structured document. . Use of the Model Documentation Form is voluntary, but its adoption makes it easier to demonstrate compliance.

GPAI providers who sign up to the GPAI Code commit to:

• update the form whenever relevant changes are made, including updates to the model;
• keep previous versions of the Model Documentation for 10 years from the date the model is placed on the market;
• publicly disclose via their website (or another suitable channel if no website exists) contact information to allow the AI Office and downstream providers to request access to the information contained in the Model Documentation;
• provide information to the AI Office upon request, where necessary for the AI Office to exercise its supervisory tasks, including in particular to assess compliance of high risk AI systems built on GPAI models where the provider of the system is different from the provider of the model;
• provide the downstream providers, subject to the confidentiality safeguards and conditions under Articles 53(7) and 78 of the AI Act, with sufficient information to understand the capabilities and limitations of the GPAI model, within a reasonable period and no longer than 14 days from the date of the request;
• consider whether additional information could also be provided to members of the public to promote transparency, beyond the mandatory requirement to provide a training content summary; and
• ensure that all documented information is verified for accuracy and integrity and protected from unauthorised alterations. 

Copyright

The GPAI Code requires GPAI providers to adopt a clear policy on copyright policy and related rights, reflecting the obligations set out in the AI Act. In particular, providers of GPAI models must have in place a copyright policy that complies with EU law, including the duty  to identify and comply with reservations of rights by rightsholders, using state of the art technologies where appropriate (Article 53(1)(c) AI Act). Providers are warned that compliance with the GPAI Code does not automatically guarantee compliance with EU copyright rules , and providers remain responsible for  ensuring that their copyright policy comply with Member States’ national implementation of relevant EU laws.

Providers who sign up to the GPAI Code commit to:

• create, implement and maintain a policy to comply with EU laws on copyright and related rights for all GPAI models placed on the EU market (and are encouraged t make the policy publicly available);
• reproduce and extract only lawfully accessible copyright-protected content when using web-crawlers to scrape or compile data from the internet and to exclude from web-crawling any publicly available websites that are recognised as blatantly infringing copyright laws on a commercial scale by the courts and/or public authorities (and a dynamic list of hyperlinks to these websites is to be published on an EU website);
• employ web-crawlers that are capable of following machine-readable protocols that enable them to identify and comply with rights reservations when compiling or scraping data and provide information to rightsholders on the type of web-crawlers deployed and the measures adopted;
• implement appropriate and proportionate technical safeguards to prevent their models from reproducing copyrighted material in an infringing manner and to prohibit copyright-infringing use of the AI model in the model’s acceptable use policy; and
• designate a point of contact and means for lodging of complaints.

Safety and security

Signatories of the GPAI Code commit to adopting a state-of-the-art Safety and Security Framework, which outlines the systemic risk management processes and measures that are being implemented to ensure the systemic risks stemming from their models are acceptable. The Framework should cover all models being developed, on the market and/or being used, and should contain a high-level description of implemented and planned processes and measures for systemic risk assessment and mitigation. 

The first stage toward creating a Framework requires a full systemic risk assessment and mitigation process – this should be completed before market placement. Providers should be continuously monitoring risks stemming from the model, and implementing mitigations as appropriate. Information must be provided to the AI Office about each model and the systemic risk assessment and mitigations made in the form of a Model Report. Importantly, the provider must be able to demonstrate why systemic risks in relation to the model are acceptable, by showing a clear understanding of the levels of systemic risk, and the security and safety mitigations in place for each systemic risk.     

Once completed, the AI Office should be notified of the Framework. Providers should continue to conduct lighter-touch model evaluations at trigger points throughout the model’s lifecycle, updating the Framework as required. In addition, providers undertake to conduct an appropriate framework assessment if they have reasonable grounds to believe that the adequacy of the Framework has been or will be materially undermined, or at least every 12 months from the placement on the model on the market. 

Signatories of the GPAI Code commit to identifying the systemic risks stemming from the model. This process involves:

1. following a structured process to identify the risks and
2. developing systemic risk scenarios for each identified systemic risk. 

Following identification, each systemic risk should undergo systemic risk analysis with a view to aiding the final stage of systemic risk acceptance determination. 

The GPAI Code sets out a structured analysis process for providers to follow involving gathering information, evaluation, modelling, risk estimation and post-market monitoring. There is an expectation that providers will conduct continuing, detailed and in-depth assessment and evaluation. Signatories agree to provide free access to versions of their model to independent evaluators for assessment and mitigation of systemic risk. In the final stage, providers will make the call whether to proceed with development and/or marketing of a model following a systemic risk acceptance determination. If the systemic risk is not found to be acceptable the process may be repeated until the balance of risk and mitigation is judged to comply with the AI Act’s rules on systemic risk presented by GPAI models.

Comments

There can be little doubt that the rules of the AI Act concerning GPAI models are serious, burdensome and substantial – they are designed to prevent systemic risks that could be significant not only for downstream providers, but for users across the EU. In providing detailed guidance, the GPAI Code can help to ease the burden by harmonising the processes to be followed. At a point in history where there is increasingly tension between the US Government and the EU over what the former considers to be overly bureaucratic barriers to its big tech businesses, it remains to be seen whether the voluntary GPAI Code will enjoy the support of GPAI providers. The fact that its first signatories include names such as Anthropic, OpenAI, Amazon, Mistral AI, and Microsoft is a positive indication, but the absence of other major players such as Meta, Google and X citing concerns over transparency obligations and copyright restrictions, suggests that broader industry alignment may take more time.