On 10 July 2025, the European AI Office published the final Code of Practice for providers of so-called General-Purpose AI (GPAI) — that is, systems and models such as GPT-4, Gemini, or Midjourney, capable of performing a wide range of different tasks. The Code is the most important implementation instrument for the obligations under Article 53 et seq. of the EU AI Act (Regulation (EU) 2024/1689), which has been directly applicable to new models since August 2025. Providers of GPAI models who have not yet taken action must now do so without delay: on 2 August 2026, the European Commission will activate its full enforcement powers — backed by substantial fines for non-compliance.
The GPAI Code of Practice (CoP) was developed through a multi-month participatory process involving more than 1,000 stakeholders from industry, civil society, and member state representatives. The result is a structured framework divided into three chapters, which provides providers of AI models with a clearly defined path to legal compliance under the AI Act. Companies that register as signatories to the Code benefit from a so-called presumption of conformity: regulators will then generally assume that the company complies with its obligations under the AI Act — which represents a significant procedural advantage in the event of a regulatory investigation.
The AI Act defines general-purpose AI models as AI models that display significant generality and are capable of competently performing a wide range of distinct tasks. The threshold for classification as a model with systemic risk — the highest risk category — is generally a training compute exceeding 10^25 floating-point operations (FLOPs). Below this threshold, the requirements of Chapter 1 (Transparency) and Chapter 2 (Copyright) apply to all GPAI providers. Only models that exceed the systemic risk threshold are additionally required to comply with Chapter 3 (Safety and Security).
This classification is particularly relevant for companies developing large language models (LLMs) or multimodal models, or distributing them via API access. However, companies that integrate such models into their own products and make them available to other developers via API interfaces may also fall within the scope of GPAI providers. The distinction between model developers and downstream users is regulated in the AI Act and is decisive for determining the respective compliance obligations.
The Transparency chapter applies to all GPAI providers and requires them to produce standardised documentation of their models. Providers must complete a Model Documentation Form recording the model’s architecture, training data, compute resources, and energy consumption. This documentation must be retained for ten years and made available not only internally but also to downstream developers. The deadline for providing this technical information to downstream users is 14 days. These transparency obligations are designed to ensure that companies integrating GPAI models into their own products have the necessary foundation to comply in turn with the requirements of the AI Act.
The Copyright chapter addresses one of the most pressing unresolved legal questions in generative AI: how do GPAI providers handle copyright-protected content during training and in the generation of outputs? The chapter requires all GPAI providers to introduce a formal, written copyright compliance policy, which must be approved at least at board level. When crawling the web to collect training data, machine-readable opt-out signals — in particular the robots.txt file — must be strictly respected. Scraping content from known piracy websites or other sources of manifestly unlawful content is prohibited. Providers must implement technical safeguards to prevent copyright-infringing outputs and establish a complaint mechanism for rights holders.
The Safety and Security chapter applies exclusively to providers of models with systemic risk. It requires the establishment of a comprehensive risk management framework for identifying and mitigating systemic risks. This includes red-teaming exercises — targeted security tests of the model under realistic attack and misuse scenarios — as well as independent external evaluations. In the event of serious incidents, there is a direct reporting obligation to the European AI Office, combined with an obligation to immediately implement corrective measures.
The timing of AI Act application is staggered and depends on when a model was placed on the market. For models placed on the market after 2 August 2025, the GPAI obligations already apply immediately. However, the decisive enforcement deadline is 2 August 2026: from this date, the European Commission is fully empowered to actively enforce the AI Act provisions, order audits, open investigations, and impose financial penalties. For legacy models — those already on the market before 2 August 2025 — an extended deadline until 2 August 2027 applies.
The fines for violations of GPAI obligations are substantial: up to €15 million or 3% of global annual turnover — whichever is higher — can be imposed for non-compliance with the AI Act requirements. This scale underscores that the European Commission takes enforcement seriously and highlights the urgency of completing compliance processes before the August deadline.
Although the GPAI Code of Practice is formally voluntary, GPAI providers have strong incentives to sign it. Companies that choose not to join the Code must develop a bespoke compliance framework and demonstrate to regulators that it is at least equally robust as the Code of Practice. In practice, this proof is burdensome and associated with considerable legal uncertainty. Signing the Code, by contrast, provides a clearly defined safe harbour mechanism: regulators apply a presumption of conformity for signing companies, significantly reducing the burden of proof in the event of a regulatory investigation.
Beyond the regulatory dimension, signing the CoP is increasingly becoming a de facto market requirement: enterprise customers integrating GPAI models into their own products and services are actively inquiring about the compliance status of their model suppliers. GPAI providers who cannot demonstrate that they have signed the Code of Practice and implemented the relevant requirements risk being excluded from tenders and framework agreements.
Companies that develop or distribute GPAI models should now take concrete steps. The first step is classification: is your model classified as a GPAI, and does it exceed the systemic risk threshold of 10^25 FLOPs? Next, the company should check whether it has submitted the signatory declaration to the European AI Office — those who have not yet done so should act immediately. A gap analysis should then be carried out to identify which obligations under Chapter 1 (Transparency) and Chapter 2 (Copyright) are already fulfilled and where action is required. Particular attention should be paid to the copyright compliance policy and the technical complaint management system. Finally, it is essential to ensure that all measures and decisions are comprehensively documented, as this documentation will be of decisive importance in the event of a regulatory review.
Companies developing open-source GPAI models should note that special rules apply to them: they are generally exempt from the requirements of the Transparency chapter — provided there is no systemic risk — but must fully comply with the requirements of the Copyright chapter. This means in particular that a formal copyright compliance policy and a complaint mechanism for rights holders are mandatory even for open-source models.
2 August 2026 is not an abstract regulatory milestone — it is the concrete starting point for the full regulatory enforcement of the AI Act. Providers of GPAI models who cannot demonstrate verifiable compliance by that date expose themselves to the risk of multi-million euro fines, reputational damage, and loss of market share. The GPAI Code of Practice offers a structured, practical path to compliance — and with just six weeks until the enforcement deadline, there is still time to act, but no room to delay further. Those who act now will secure their market access in Europe and protect themselves from the substantial sanction risks of the AI Act.
Do you have questions about the EU AI Act or the GPAI Code of Practice? The lawyers at HUFELD PartGmbB are here to provide comprehensive advice. Get in touch now.
Are you looking for a specific topic?
.png)
.png)