Europe's General-Purpose AI Code of Practice Emerges
With rules governing general-purpose AI under the EU AI Act becoming effective Aug. 2 and enforceable for new models one year later, the European Commission on Thursday unveiled a code of practice aimed at helping industry comply with the act's GPAI provisions.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The GPAI rules become enforceable for models already on the market Aug. 2, 2026.
Businesses may voluntarily sign the code and enjoy fewer administrative burdens and greater predictability in their AI Act compliance, EC officials said Thursday during a background briefing. It's the first time the EC has attempted to use a regulatory arrangement like this, converting laws into a code that users can sign, the officials added.
However, one tech industry group accused the EC of over-burdening AI developers.
Organizations aren't obliged to sign the code but those who pass on signing must prove their GPAI models comply with the AI Act regardless.
Moreover, the officials confirmed there will be no postponement of GPAI rules (see 2507070019).
The AI Act defines a GPAI model as one that displays "significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications."
Under the AI Act, starting next month, providers of GPAI models must notify the EC AI Office when they place products with systemic risks on the European market, the EC officials said.
The code covers transparency, copyright and safety and security. The last category covers only the few providers of GPAI models that carry the greatest systemic risks, the officials said.
The AI Act requires developers to ensure enough transparency about their models to allow downstream providers in the value chain to be able to integrate the models into their products and meet regulatory requirements, the officials said. The code offers a user-friendly model documentation form to help companies with this.
Under the code, model developers must implement policies that comply with EU copyright law and include provisions such as excluding recognized piracy websites from GPAI models; respecting state-of-the-art opt-out protocols for activities like web crawling; and having a complaint-handling mechanism for rights holders.
The code's safety and security provisions focus on the most advanced AI models with systemic risks of large-scale harm. Among other things, the code offers up-to-date practices for managing systemic risks, the officials said. Risks that need to be assessed include fundamental rights.
The code continues to "impose a disproportionate burden on AI providers," said Boniface de Champris, Computer & Communications Industry Association Europe senior policy manager. Without significant improvements, signers will be at a disadvantage to non-signatories, undermining the EC's competitiveness and simplification agenda, he added Thursday.
While GPAI rules won't be paused, the EC is, however, considering delaying some high-risk rules set to apply next summer because standards aren't yet in place, the officials said.
The final version of the code "appears to make welcome improvements that make it more flexible and therefore workable for the development and adoption of trusted AI in Europe," said Hadrien Valembois, BSA director of policy for Europe, the Middle East and Africa, in an emailed statement.
Despite that, some provisions "remain concerning" to BSA, said Valembois: With less than a month to go before the code becomes binding, the EC should consider timing options to give companies the chance to evaluate the code and determine their commitment to comply with it.