An Overview of the Guidelines and Code of Practice for General-Purpose AI

15 October 2025, News & Publications

Regulation (EU) 2024/1689 on Artificial Intelligence (the AI Act) introduced harmonised rules on artificial intelligence, including specific provisions for general-purpose AI models (GPAI models). These provisions entered into application on 2 August 2025 for providers placing new models on the market.

In this context, the European Commission, which has exclusive competence to enforce compliance for GPAI models under the AI Act, has recently published a package of materials relevant to GPAI model providers. This package includes the Guidelines for providers of general-purpose AI models, the General-Purpose AI Code of Practice, and other tools such as the Template for GPAI model providers to summarise the data used to train their models.

These materials address key industry concerns, particularly regarding copyright – including rightsholders’ reservations of rights under Article 4(3) of Directive (EU) 2019/790 on copyright and related rights in the Digital Single Market (the CDSM Directive) – and the publication of summaries of training data.

The Code of Practice

The General-Purpose AI Code of Practice sets out specific measures that GPAI model providers may implement to comply with their obligations under Articles 53 and 55 of the AI Act. It is a voluntary tool, recognised as adequate, designed to help providers meet and demonstrate compliance with these obligations.

Under Article 53, GPAI providers must ensure compliance with transparency obligations – including providing information to downstream AI system providers that deploy or integrate their models – and with EU and national copyright law, by adopting a policy to ensure such compliance.

Under Article 55, providers of the most advanced or impactful GPAI models – those presenting systemic risks – are subject to additional obligations to assess and mitigate those risks related to safety and security.

The first two chapters of the Code cover transparency and copyright compliance (relevant for all GPAI providers), while the final chapter addresses safety and security measures (relevant only for providers of systemic-risk GPAI models).

Adhering to the Code does not in itself constitute conclusive proof of compliance with the AI Act. Rather, it reflects a signatory’s commitment to implementing the measures set out in the Code.

The Code is voluntary: GPAI providers operating in the EU may sign it – or only specific chapters – at any time, and may withdraw at any time. Providers who choose not to sign must demonstrate compliance through alternative means, typically requiring more detailed documentation (e.g. a gap analysis comparing their measures with those in an adequate code of practice). For such providers, the Code can still serve as a useful reference.

Since its publication, the Code has been well received by industry and signed by major actors such as OpenAI, Google, IBM, and Microsoft.

According to the European Commission, during the first year after the Code’s entry into application (i.e. until 2 August 2026), the AI Office will collaborate closely with signatories and will not require full implementation of all commitments. From that date onward, full implementation will be expected.

 

How does the Code address copyright?

Under Article 53(1)(c) of the AI Act, providers must adopt a policy to comply with EU copyright and related rights law, specifically to identify and respect reservations of rights expressed under Article 4(3) of the CDSM Directive.

The Code’s chapter on copyright offers practical guidance to help providers meet this obligation. By adhering to this chapter, signatories commit to implementing the following measures:

  • Develop, maintain, and apply a copyright policy incorporating the measures set out in the Code.
  • Reproduce and extract only lawfully accessible copyright-protected content when crawling the web for text and data mining and for training GPAI models. Under this measure, signatories agree (i) not to circumvent technological protection measures, and (ii) to exclude websites identified by courts or public authorities in the EU/EEA as persistently infringing copyright on a commercial scale.
  • Identify and comply with machine-readable reservations of rights expressed pursuant to Article 4(3) of the CDSM Directive, including through state-of-the-art technologies, when they use web-crawlers – or have web-crawlers used on their behalf – to scrape or otherwise compile data for text and data mining and for training their GPAI models. Under this measure, signatories commit (i) to employ web-crawlers that read and follow instructions expressed in accordance with the Robots Exclusion Protocol (robots.txt), and (ii) to identify and comply with other appropriate machine-readable protocols for expressing rights reservations pursuant to Article 4(3) of the CDSM Directive.
  • Mitigate the risk of copyright-infringing outputs, in particular by implementing appropriate technical measures to prevent their models from reproducing protected training content.
  • Designate a point of contact for electronic communication with affected rightsholders and establish a complaint mechanism.
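As an illustration of the robots.txt commitment above, the sketch below shows how a crawler might check a site's robots.txt instructions before fetching a page for text and data mining. It uses Python's standard-library `urllib.robotparser`; the user-agent string `ExampleGPAIBot` and the sample robots.txt content are hypothetical placeholders, and a real crawler would fetch each site's live robots.txt rather than a hard-coded string.

```python
# Illustrative sketch only: honouring robots.txt instructions
# (Robots Exclusion Protocol) before crawling a URL for TDM/training.
# "ExampleGPAIBot" is a hypothetical crawler name, not a real product.
from urllib.robotparser import RobotFileParser

def may_crawl(robots_txt: str, user_agent: str, url: str) -> bool:
    """Return True only if the site's robots.txt permits this agent to fetch the URL."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)

# Hypothetical robots.txt reserving a section of the site from this crawler.
robots = """User-agent: ExampleGPAIBot
Disallow: /articles/
"""

print(may_crawl(robots, "ExampleGPAIBot", "https://example.com/articles/x"))  # False
print(may_crawl(robots, "ExampleGPAIBot", "https://example.com/about"))       # True
```

Note that robots.txt is only one of the machine-readable protocols contemplated by the Code; the second part of the commitment anticipates other standardised opt-out signals as they emerge.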

These commitments address current industry issues such as reservations of rights – that is, enabling data owners to prevent their data from being used for AI training. Collaboration between providers and rightsholders, as well as progress toward standardisation, is strongly encouraged.

However, signatories remain responsible for ensuring that their copyright policies comply with the national implementations of EU copyright law. In particular, national case law regarding reservations of rights under Article 4(3) of the CDSM Directive remains relevant to achieving full compliance.

The proportionality principle applies: commitments requiring “appropriate” or “proportionate” measures must be interpreted relative to the provider’s size, meaning they are applied more flexibly to SMEs and startups.

 

Guidelines on the scope of obligations for GPAI providers

The Code of Practice is complemented by the Guidelines on the scope of obligations for providers of GPAI models, which clarify the scope and applicability of the AI Act’s obligations. They provide definitions, indicative criteria, and practical examples of key terms as interpreted by the European Commission, guiding its enforcement approach.

Based on these clarifications, providers falling within the scope of Articles 53 or 55 may adhere to the Code of Practice to demonstrate compliance.

For instance, the Guidelines clarify:

  • what constitutes a “general-purpose AI model” (including when it qualifies as a systemic-risk model);
  • who qualifies as a “provider” (including when downstream actors modifying an existing GPAI model become providers themselves); and
  • when a GPAI model is considered “placed on the market.”

The Guidelines also interpret Articles 53(2) and 54(6) – the exemptions for models released under a free and open-source licence that meet transparency conditions, unless they are GPAI models with systemic risk.

Finally, the Guidelines explain the implications of adhering to an “adequate” code of practice (such as the Commission’s own Code) and describe the AI Office’s role in supervising, investigating, enforcing, and monitoring GPAI providers’ compliance under the AI Act.

 

Training data issue – Template for the summary of training data

Under Article 53(1)(d) of the AI Act, GPAI providers must publish a sufficiently detailed summary of the content used to train their models. This summary should provide a comprehensive overview of the training data, listing the main datasets and explaining other sources used.

To support this requirement – closely linked to transparency and copyright obligations – the AI Office has provided a template for the summary of training data.

Using the template, providers must include:

  • general information about the provider and the model (including the total training data size);
  • a list of data sources, categorised as:
    1. publicly available datasets,
    2. private datasets obtained from third parties,
    3. web-crawled or scraped data,
    4. user data (collected across services and products),
    5. synthetic data (created by or for the provider, including data generated by other AI models), and
    6. other data sources.

Providers must also describe how they comply with reservations of rights under the text and data mining exception, the measures set out in their copyright policy, and the steps taken to prevent or remove unauthorised or illegal content.
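The Commission's template is an official document with its own wording and layout; purely to illustrate the categories described above, a provider's internal record of the summary might be structured as follows. All field names and values here are hypothetical placeholders, not the template's official fields.

```python
# Hypothetical internal record mirroring the categories of the training
# data summary described in the text. Names and values are illustrative.
training_data_summary = {
    "provider": "Example AI Ltd",                 # placeholder provider name
    "model": "example-gpai-1",                    # placeholder model identifier
    "total_training_data_size": "approx. 10 TB",  # placeholder figure
    "data_sources": {                             # the six categories listed above
        "publicly_available_datasets": [],
        "private_third_party_datasets": [],
        "web_crawled_or_scraped_data": [],
        "user_data": [],
        "synthetic_data": [],
        "other_sources": [],
    },
    # Narrative sections required alongside the source list:
    "tdm_rights_reservation_compliance": "How Article 4(3) opt-outs are respected",
    "copyright_policy_measures": "Measures set out in the copyright policy",
    "unlawful_content_measures": "Steps to prevent or remove unauthorised or illegal content",
}

assert len(training_data_summary["data_sources"]) == 6
```

Keeping the record aligned with the template's categories from the outset should make producing the published summary largely mechanical.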

Using this template may help reduce the administrative burden for GPAI providers while ensuring the required level of transparency under Article 53(1)(d).

In conclusion, it remains to be seen how GPAI providers will refer to and implement the measures set out in the Code of Practice – and how the European Commission will assess and enforce these obligations, particularly after 2 August 2026, when full implementation is expected.

 

Article by Florina Enache. If you’d like to discuss the contents of this article or enquire about our services, please contact us by email.