Skip to main navigation Skip to main content Skip to page footer
Lawyer Frank Ingenrieth logo Lawyer Frank Ingenrieth logo

European Commission Received Final Version of the Code of Practice for General Purpose AI

Created by Frank Ingenrieth | (Co-)Regulatory Framework Reference / Update AI Act

As of July 10th, 2025, experts handed over their final version of the Code of Practice (CoP) for General Purpose AI (GPAI) pursuant Art. 56 AI Act. The AI Office facilitated the drawing up of the Code by hosting the stakeholder expert groups, gathering more than 1,000 experts from various domains, including model providers, small and medium-sized enterprises, academics, AI safety experts, rights-holders, and civil society organizations. As of July 17th, 2025, the AI Office has complemented the publication by a signature procedure.

TL:DR / Summary

  • Final version of the Code of Practice for General Purpose AI pursuant Art. 56 AI Act has been handed over the to European Commission
  • Related provisions of the AI Act come into force by August 2nd, 2025
  • The European Commission states that the rules of the CoP for GPAI become enforceable by the AI Office one year later for any new models and two years for already existing models
  • The CoP for GPAI is deemed a voluntary tool facilitating compliance with the AI Act.
  • The CoP for GPAI comprises of three chapters addressing Transparency, Copyright, Safety and Security
  • The CoP for GPAI acknowledges the necessity to adapt its requirements for SME, SMC and Startups
  • The AI Office invites providers of GPAI models to sign the CoP for GPAI by its dedicated procedure, resulting in a public listing thereof
  • The European Commission is about to publish additional Guidelines to clarify who is in and out of scope of the AI Act's general-purpose AI rules

Codes of Practice under the AI Act

A Code of Practice (CoP) pursuant Art. 56 AI Act serves a distinct purpose. It shall facilitate to demonstrate compliance. Art. 55.2 AI Act states “Providers of general-purpose AI models with systemic risk may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article”.  A corresponding provision entails Art. 53.4 AI Act for Providers of GPAI in general.

Obligations pursuant Art. 55 AI Act address Providers of GPAI with systemic risks, whereas Art. 55.1 AI Act defines distinct obligations. Such obligations refer to elements such as to perform model, evaluations, conducting and documenting adversarial testing of the model, to assess and mitigate possible systemic risks at Union level, to keep track of, document, and report relevant information about serious incidents and possible corrective measures, to ensure an adequate level of cybersecurity protection.

Obligations pursuant Art. 53 AI Act address any Provider of GPAI models, whereas Art. 53,1 AI Act defines distinct obligations. Such obligations refer to elements such as to draw up and keep up-to-date the technical documentation of the model, to draw up, keep up-to-date and make available information and documentation to Providers of AI systems who intend to integrate the general-purpose AI model into their AI systems, to put in place a policy to comply with Union law on copyright and related rights, to draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model.

A CoP reflects on of several compliance tools under the AI Act. A CoP is considered a bridge builder and gap filler, until harmonised standards will be published, Art. 55.2 AI Act. Art. 55.2 AI Act states that Providers may rely on a CoP “[…] until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models with systemic risks who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission.” A corresponding provision entails Art. 53.4 AI Act for Providers of GPAI in general.

In other words: In the context of Art. 53 and 55 AI Act, once a harmonised standard will be published, any related CoP becomes obsolete. 

A CoP also serves its function in the context of Art. 50 AI Act, which governs transparency obligations for Providers and deployers of certain AI systems. In this specific case, the CoP shall facilitate the detection and labelling of artificially generated or manipulated content. Yet, Art. 50 AI Act goes beyond GPAI and therefore may not be covered by the CoP for GPAI. 

Main Contents of the CoP for GPAI

The CoP for GPAI consists of three chapters, i.e., 

  • Transparency
  • Copyright
  • Safety and Security

According to the Press Release of the European Commission, the last chapter will be “relevant only to a limited number of providers of the most advanced models.

The latest versions of each chapter may be retrieved via the website of the European Commission. To facilitate your read, you may also refer to the Related Files section below and retrieve the versions as retrieved by July 23rd, 2025 (i.e., the version published by July 10th, 2025). 

Micro, Small and Medium Sized Enterprises (SME), Small Mid-Cap Enterprises (SMC), Startups

The CoP for GPAI acknowledges the necessity to adapt its requirements for SME, SMC and Startups. While the CoP does not follow a one-size-fits all approach in every detail, this shall not be misunderstood with broad exemptions of the underlying requirements. 

The introductory statement of the Safety and Security Chapter reads as follows "SMEs and SMCs may be exempted 
from some reporting commitments (Article 56(5) AI Act). Signatories that are SMEs or SMCs and are exempted from reporting commitments recognise that they may nonetheless voluntarily adhere to them." Taking this reservation literally, the obligations to implement effective measures may apply regardless of size. Only the administrative burdens, i.e., obligations on reporting, were limited for SME and SMC.  

The introductory statement of the Copyright chapter states “The commitments in this Chapter that require proportionate measures should be commensurate and proportionate to the size of providers, taking due account of the interests of SMEs, including startups.”  Again, the underlying obligations apply regardless of size. Yet the individual design may take due account of the size and interests of SME. 

Methodology and Structure of the CoP for GPAI

Each chapter comprises of a preamble, where the signatories will recognize respectively acknowledge key elements of the AI Act and interplay of various provisions and roles. 

Additionally, each chapter defines rules. The related section is divided in Commitments and Measures. Commitments appear equivalent to Objectives in conformity assessment programmes (CAP), establishing the high-level obligation and purpose. Measures relate to a specific Commitment, further operationalizing the high-level obligations. In this sense, Measures appear equivalent to criteria in CAP. 

While the structure appears close to conformity assessment programmes, the actual language partially appears less stringent. The CoP lacks a clear definition on which phrasing will establish obligations and which phrasing will result in optional / voluntary elements. E.g., the CoP uses phrasings such as “shall”, “will do” and “commit to”. Most probably all of those will determine obligations equally. Without a clarifying statement some degree of uncertainty remains. Likewise some Measures only “encourage” Providers. If a Measure would consistently form obligations, encouragements were not suited within a Measure.  

Readiness of the CoP for GPAI

The Press Release by and websites of the European Commission read as if the CoP for GPAI is finalised and fit for purpose. It is “designed to help industry comply with the AI Act’s obligations for providers of general-purpose AI models.”, see EC website about CoP on GPAI. It is also stated that adherence to the Code by Providers “[…] will reduce their administrative burden and give them more legal certainty than if they proved compliance through other methods.” 

This shall not be read without the statements within each chapter of the CoP for GPAI. Each chapter integrates an “Objective” section, stating the objective of the CoP is to "[…] serve as a guiding document for demonstrating compliance with the obligations provided for in Articles 53 and 55 AI Act, while recognising that adherence to the Code does not constitute conclusive evidence of compliance with these obligations under the AI Act." In other words, where the AI Act considers a CoP ready once it may act as a tool to proof compliance, yet being similar to a conformity assessment programme, the CoP itself limits its effect to be a guidance document without effectively proving compliance. 

Eventually, one shall read each chapter and related provisions carefully to what extent such provisions may act as a legally relevant proof of compliance. In best case, adherence to the CoP for GPAI may act as “alternative adequate means of compliance”.

Next steps / legal status

As of today, the CoP for GPAI has no legal effect. The CoP for GPAI still requires endorsement of the Member States, as stated by the European Commission. “Once the Code is endorsed by the Member States and the Commission, providers of general-purpose AI models who voluntarily sign the Code will be able to demonstrate compliance with the relevant AI Act obligations by adhering to the Code.”, see website regarding the CoP for GPAI and related Press Release. Apparently, endorsement by the Member States relates to the positive assessment of the AI Board, Art. 56.6 AI Act. 

This status aligns with the Signature Form provided by the AI Office in order to adhere to the CoP for GPAI. It states that the “[…] Signatory agrees that this Signature Form will only become binding once the GPAI Code of Practice is assessed as adequate by the European AI Office and the European Artificial Intelligence Board pursuant to Article 56(6) AI Act, and at the earliest with the entry into application of Chapter V of the AI Act on 2 August 2025.

The European Commission and the AI Office consider the positive assessment by the AI Office and the AI Board sufficient. E.g., the Press Release of the AI Office inviting Providers to sign-up to the CoP for GPAI states “Providers who sign the Code will enjoy streamlined compliance with the obligations for general-purpose AI models in the AI Act. For signatories, the Commission will focus its enforcement on monitoring their adherence to the code, which offers greater predictability and reduced administrative burden.

Neither the website regarding the CoP for GPAI nor the Press Release mentions any additional requirements, such as an “approval” by the European Commission by means of an implementing act. Pursuant Art. 56.6 AI Act the European Commission may approve a CoP, resulting in general validity within the Union, by means of an implementing act. Interestingly, Art. 53.4 AI Act and Art. 55.2 AI Act both can be interpreted that only approved CoP will be an adequate means of compliance. “Providers of general-purpose AI models […] who do not adhere to an approved code of practice or […] shall demonstrate alternative adequate means of compliance for assessment by the Commission.” (highlights by the author) 

Signing the CoP / Adhering to the CoP

The AI Office has published the process on who to adhere to the CoP for GPAI. As stated in the Press Release by the AI Office, Signatories will be publicly listed on 1 August 2025. The adherence applies to the CoP for GPAI in its version of July 10th, 2025. 

The European Commission announced additional guidelines clarifying on the eligibility to sign up to the CoP for GPAI, more precisely, on the applicability of related provisions and obligations addressed by the CoP. “The Code will be complemented by Commission guidelines on general-purpose AI to be published ahead of the entry into force of the general-purpose AI obligations. The guidelines will clarify who is in and out of scope of the AI Act's general-purpose AI rules.

In order to adhere to the CoP for GPAI Providers need to sign a distinct form and sent it to the AI Office. Providers may still withdraw their adherence at any time, latest within seven (7) days after the publication of the adequacy assessments under Article 56.6 AI Act. The date of such publication is apparently considered the date when the CoP on GPAI becomes effective, 

The lastest version of the Signature Form may be retrieved via the website of the AI Office. To facilitate your read, you may also refer to the Related Files section below and retrieve the version as retrieved by July 23rd, 2025 (i.e., the version published by July 17th, 2025). 

Affected AI Act Provision(s) and Terms

Obligations of providers of general-purpose AI models with systemic risk

1.   In addition to the obligations listed in Articles 53 and 54, providers of general-purpose AI models with systemic risk shall:

(a) perform model evaluation in accordance with standardised protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks;

(b) assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development, the placing on the market, or the use of general-purpose AI models with systemic risk;

(c) keep track of, document, and report, without undue delay, to the AI Office and, as appropriate, to national competent authorities, relevant information about serious incidents and possible corrective measures to address them;

(d) ensure an adequate level of cybersecurity protection for the general-purpose AI model with systemic risk and the physical infrastructure of the model.

2.   Providers of general-purpose AI models with systemic risk may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models with systemic risks who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission.

3.   Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78.

Codes of practice

1.   The AI Office shall encourage and facilitate the drawing up of codes of practice at Union level in order to contribute to the proper application of this Regulation, taking into account international approaches.

2.   The AI Office and the Board shall aim to ensure that the codes of practice cover at least the obligations provided for in Articles 53 and 55, including the following issues:

(a) the means to ensure that the information referred to in Article 53(1), points (a) and (b), is kept up to date in light of market and technological developments;

(b) the adequate level of detail for the summary about the content used for training;

(c) the identification of the type and nature of the systemic risks at Union level, including their sources, where appropriate;

(d) the measures, procedures and modalities for the assessment and management of the systemic risks at Union level, including the documentation thereof, which shall be proportionate to the risks, take into consideration their severity and probability and take into account the specific challenges of tackling those risks in light of the possible ways in which such risks may emerge and materialise along the AI value chain.

3.   The AI Office may invite all providers of general-purpose AI models, as well as relevant national competent authorities, to participate in the drawing-up of codes of practice. Civil society organisations, industry, academia and other relevant stakeholders, such as downstream providers and independent experts, may support the process.

4.   The AI Office and the Board shall aim to ensure that the codes of practice clearly set out their specific objectives and contain commitments or measures, including key performance indicators as appropriate, to ensure the achievement of those objectives, and that they take due account of the needs and interests of all interested parties, including affected persons, at Union level.

5.   The AI Office shall aim to ensure that participants to the codes of practice report regularly to the AI Office on the implementation of the commitments and the measures taken and their outcomes, including as measured against the key performance indicators as appropriate. Key performance indicators and reporting commitments shall reflect differences in size and capacity between various participants.

6.   The AI Office and the Board shall regularly monitor and evaluate the achievement of the objectives of the codes of practice by the participants and their contribution to the proper application of this Regulation. The AI Office and the Board shall assess whether the codes of practice cover the obligations provided for in Articles 53 and 55, and shall regularly monitor and evaluate the achievement of their objectives. They shall publish their assessment of the adequacy of the codes of practice.

The Commission may, by way of an implementing act, approve a code of practice and give it a general validity within the Union. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2).

7.   The AI Office may invite all providers of general-purpose AI models to adhere to the codes of practice. For providers of general-purpose AI models not presenting systemic risks this adherence may be limited to the obligations provided for in Article 53, unless they declare explicitly their interest to join the full code.

8.   The AI Office shall, as appropriate, also encourage and facilitate the review and adaptation of the codes of practice, in particular in light of emerging standards. The AI Office shall assist in the assessment of available standards.

9.   Codes of practice shall be ready at the latest by 2 May 2025. The AI Office shall take the necessary steps, including inviting providers pursuant to paragraph 7.

If, by 2 August 2025, a code of practice cannot be finalised, or if the AI Office deems it is not adequate following its assessment under paragraph 6 of this Article, the Commission may provide, by means of implementing acts, common rules for the implementation of the obligations provided for in Articles 53 and 55, including the issues set out in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2).

  • ‘general-purpose AI model’ means an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market; (Art. 3.63 AI Act)
  • ‘general-purpose AI system’ means an AI system which is based on a general-purpose AI model and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems; (Art. 3.66 AI Act)
  • ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge; (Art. 3.3 AI Act)
  • ‘systemic risk’ means a risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the society as a whole, that can be propagated at scale across the value chain; (Art. 3.65 AI Act)
  • ‘AI Office’ means the Commission’s function of contributing to the implementation, monitoring and supervision of AI systems and general-purpose AI models, and AI governance, provided for in Commission Decision of 24 January 2024; references in this Regulation to the AI Office shall be construed as references to the Commission; (Art. 3.47 AI Act)
  • ‘AI system’ means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments; (Art. 3.1 AI Act)
  • ‘risk’ means the combination of the probability of an occurrence of harm and the severity of that harm; (Art. 3.2 AI Act)

Related News

Related Files

Related Links