Code of Practice Offers Path to EU AI Act Compliance for Providers of General-Purpose AI Models

HWG LLP Artificial Intelligence & Emerging Technologies Client Alert

By: Austin Bonner and Alex Tate

On July 10, 2025, the European Commission’s AI Office published its General-Purpose AI Code of Practice, a set of voluntary measures focused on transparency, copyright protection, and safety and security that providers of general-purpose artificial intelligence (“GPAI”) models can adopt to achieve compliance with the AI Act—the European Union’s comprehensive AI law adopted in 2024.¹ While optional, providers who sign on to the Code will benefit from a “reduced administrative burden” and “increased legal certainty” compared to those who do not sign, according to the Commission.²

The Code’s publication comes less than a month before the Act’s provisions related to GPAI models go into effect August 2, 2025 (although enforcement is delayed for one year for new models and two years for existing models).³ The Code must still be officially endorsed by the EU member states and the Commission before providers can sign on.⁴ The Commission also anticipates publishing additional guidelines before August 2 so organizations can better understand who and what falls within the scope of the Act’s GPAI provisions.⁵ 

Who and What Does the Code of Practice Apply to? 

The Code of Practice is intended for use by providers of GPAI models. The Act defines a GPAI model as a model that “displays significant generality and is capable of competently performing a wide range of distinct tasks,” having been trained on a “large amount of data using self-supervision at scale” and with potential for integration into other systems and applications.⁶ This includes “large generative AI models” and “models with at least a billion . . . parameters.”⁷ GPAI models can be, and generally are, components of “AI systems.”⁸

The AI Act imposes additional obligations on the most advanced GPAI models, which it calls “general-purpose AI models with systemic risk.”⁹ Models trained with a compute exceeding 10^25 floating point operations per second (a measure of computing speed and power) are presumptively considered GPAI models with systemic risk.¹⁰ The Commission can designate other models based on criteria such as the model’s number of parameters, amount of computation used in training the model, level of autonomy and scalability, impact on the EU market, and number of registered end-users.¹¹ The Act presumes that state-of-the-art GPAI models entail inherent risk of “large-scale harm,” such as facilitating the development of biological weapons or losing control of the model.¹²

A “provider” of a GPAI model is the person or entity that develops the model (or has the model developed) and places it on the EU market under its own name or trademark, either for payment or for free.¹³ Three scenarios qualify as placing a model on the EU market: (1) when the model itself is made available for distribution or use in the EU for the first time or (2) when the model’s provider integrates it into an AI system and makes the system available for distribution or use in the EU for the first time, and (3) when the model’s provider integrates it into an AI system and either uses that system in the EU or directly supplies it to another person or entity that uses it in the EU for its intended purpose. ¹⁴ Notably for American companies, a company can be considered a “provider” and subject to the GPAI model provider obligations even if the company is located outside the EU.¹⁵ In addition, the Commission has also stated that “downstream entities that fine-tune or otherwise modify an existing general-purpose AI model may become providers of new models” but has not yet provided guidance on the admittedly “difficult question” of the point at which such modifications create a new model.¹⁶

The AI Act excludes GPAI models “specifically developed and put into service for the sole purpose of scientific research and development” from its scope.¹⁷ It also does not apply to “any research, testing or development activity,” except “[t]esting in real world conditions,” regarding GPAI models before they are placed on the market or put into service.¹⁸ That said, the Commission acknowledges that providers of GPAI models with systemic risk have obligations that pertain to model development.¹⁹ At some point, it plans to provide further guidance on this issue.²⁰

Questions remain about when a model is considered a GPAI model, when a GPAI presents systemic risk, and who is considered the provider of a GPAI model. The Commission has said it will issue separate guidelines on these topics before August 2.²¹

A Path to Compliance 

The AI Office will begin enforcing the AI Act GPAI provisions on August 2, 2026 for new models (i.e., models placed on the market after August 2, 2025) and August 2, 2027 for existing models.²² Signing onto the Code of Practice is one method of demonstrating compliance with the Act, although the AI Office notes that implementing the Code does not provide “a presumption of conformity with the AI Act.”²³

The Code of Practice distills GPAI model providers’ AI Act obligations into three chapters—transparency, copyright, and safety and security—that contain specific measures providers must adopt:²⁴

• Transparency. This chapter offers a Model Documentation Form that providers can use to compile the information that the AI Act requires them to provide to the AI Office and to providers of AI systems that use these GPAI models. GPAI model providers must complete this form (or maintain equivalent documentation), publish contact information for requests for this information on their website, and ensure that the information provided follows standards for quality and integrity. 

• Copyright. This chapter outlines several measures GPAI model providers must implement to demonstrate compliance with the Act’s requirement to adopt a policy for complying with EU copyright law. These measures, which must be integrated into the provider’s compliance policy, include imposing certain limitations on web crawling, adopting technical safeguards to prevent infringement, and including prohibitions on copyright-infringing uses in terms of service or acceptable use policies. Providers must also establish a system, including a public point of contact, for responding to copyright-related complaints. 

• Safety and security. The most extensive of the Code’s three chapters, this chapter applies only to providers of GPAI models with systemic risk. For these higher risk models, the Code outlines practices for complying with the Act’s requirements to identify, evaluate, and mitigate systemic risks, report serious incidents to the AI Office, and ensure an adequate level of cybersecurity protection. In addition to specific measures related to those requirements, the Code requires providers to adopt a safety and security framework, create safety and security model reports documenting their risk assessments, determine organizational responsibility for managing systemic risk, document implementation of the chapter, and, in some instances, publish their safety and security frameworks and model reports. 

Some of these measures arguably create heavier compliance burdens than the Act itself. GPAI model providers should evaluate whether signing onto the Code is the appropriate path to compliance for their organization.

Notably, the Code of Practice does not address the Act’s requirement that providers publish summaries of their training data.²⁵ The AI Office is developing a template but has yet to finalize it.²⁶

What’s Next 

The Code must still be endorsed by EU member states and the Commission before GPAI model providers can sign on. In addition, the AI Office has yet to release guidelines on the definitions of “GPAI model,” “systemic risk,” and “provider” that could change organization’s assessment of the Act’s applicability. And the final template for summaries of model training data—an element of compliance not addressed by the Code—is still outstanding. It is not clear which of the items, if any, will be finalized before the GPAI requirements enter into application on August 2, 2025.

* * * 

HWG LLP’s cross-disciplinary Artificial Intelligence and Emerging Technologies practice advises clients on federal and state legislative and regulatory proceedings, company compliance, and related litigation matters. Please contact Austin Bonner for more information.

Merrill Hart, a Legal Analyst at HWG LLP, contributed to the preparation of this advisory under the supervision of Austin Bonner.

This advisory is not intended to convey legal advice. It is circulated publicly as a convenience and does not reflect or create an attorney-client relationship. 

¹   European Commission Press Release IP/25/1787, General-Purpose AI Code of Practice Now Available (July 9, 2025). https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1787.

²   Id. 

³   Id.

⁴   Id.

⁵   Id.

⁶   Parliament and Council Regulation 2024/1689, Artificial Intelligence Act, art. 3(63), 2024 O.J. (L 1689) 1, 50 [hereinafter AI Act].

⁷   AI Act, recitals 98–99.

⁸   AI Act, recital 97. The Act defines an “AI system” as “a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.” Id., art. 3(1).

⁹   Id., art. 51(1).

¹⁰   Id., art. 51(1)(a), (2).

¹¹   Id., art. 51(1)(b), annex XIII.

¹²   See Directorate-Gen. for Commc’n Networks, Content & Tech., Eur. Comm’n, General-Purpose AI Models in the AI Act – Questions & Answers, Shaping Europe’s Digital Future (July 11, 2025), https://digital-strategy.ec.europa.eu/en/faqs/general-purpose-ai-models-ai-act-questions-answers.

¹³   AI Act, art. 3(3).

¹⁴   General-Purpose AI Models in the AI Act – Questions & Answers, supra note 12; AI Act, recital 97.

¹⁵   Id. art. 2(1)(a).

¹⁶   General-Purpose AI Models in the AI Act – Questions & Answers, supra note 12.

¹⁷   AI Act, art. 2(6).

¹⁸   AI Act, art. 2(8).

¹⁹   General-Purpose AI Models in the AI Act – Questions & Answers, supra note 12.

²⁰   Id.

²¹   European Commission Press Release IP/25/1787, supra note 1.

²²   Id.

²³   General-Purpose AI Models in the AI Act – Questions & Answers, supra note 12.

²⁴   European Commission Press Release IP/25/1787, supra note 1.

²⁵   See AI Act, art. 53(1)(d).

²⁶   Directorate-Gen. for Commc’n Networks, Content & Tech., Eur. Comm’n, Drawing-up a General-Purpose AI Code of Practice, Shaping Europe’s Digital Future (July 11, 2025), https://digital-strategy.ec.europa.eu/en/policies/ai-code-practice.