EU releases final version of AI Code of Practice

EU releases final version of AI Code of Practice

On 10 July 2025, the EU Commission published the final version of the General Purpose AI Code of Practice. Drafted by Commission-appointed experts, the Code faced delays and significant criticism, with some stakeholders arguing that the rules exceeded the scope of the AI Act and could stifle innovation. This final version aims to address these criticisms.

As a reminder, under Article 2 of the AI Act, the law and by extension, these Code of Practice guidelines applies to providers regardless of whether they are established within the EU or in a third country, as long as the output produced by the AI system is used in the EU.

The Code aims to assist industry compliance with the AI Act's rules on general-purpose AI, which will come into effect on 2 August 2025. It consists of three chapters: Transparency and Copyright, which address all providers of general-purpose AI models, and Safety and Security, relevant only to a limited number of providers of the most advanced models.

Transparency

The transparency chapter which aims to enhance transparency and foster trust and accountability, covers three key measures which are designed to ensure compliance with Article 53(1), points (a) and (b), and the corresponding Annexes XI and XII of the AI Act:

• Drawing up and keeping up-to-date model documentation
• Providing relevant information
• Ensuring quality, integrity, and security of information

Drawing up and keeping up-to-date model documentation

The first measure is facilitated through the provision of a Model Documentation Form present in the chapter. The form aims to provide clarity to signatories by clarifying when information is intended for the EU AI Office, the national competent authority, or downstream providers.

Providing relevant information

Signatories, should they be asked to through the AI Office, must provide specific information quickly and up to date. Companies must also share important information with other businesses that use their AI models. They should respond to these requests within 14 days so as to ensure that downstream providers can comply with their obligations under the AI Act. Additionally, companies are encouraged to share some of this information publicly to be transparent. Some information might also need to be summarised and made public as part of the model's training content.

Ensuring quality, integrity, and security of information

Signatories should ensure their documented information is controlled for quality and integrity, and retained as evidence of compliance with their obligations under the AI Act.

Copyright

This chapter aims to serve as a guiding document for demonstrating compliance with the obligations provided for in Articles 53 and 55 AI Act. To do so it outlines five key measures to be followed:

• Draw up, keep up-to-date and implement a copyright policy
• Reproduce and extract only lawfully accessible copyright-protected content when crawling the World Wide Web
• Identify and comply with rights reservations when crawling the World Wide Web
• Mitigate the risk of copyright-infringing outputs
• Designate a point of contact and enable the lodging of complaints

Draw up, keep up-to-date and implement a copyright policy

Companies must create, update, and follow a policy to obey EU copyright laws for all general-purpose AI models they sell in the EU. They need to write this policy in one document and assign people within their organisation to make sure the policy is followed. Companies are encouraged to share a summary of their copyright policy publicly and keep it up to date.

Reproduce and extract only lawfully accessible copyright-protected content

Companies who either directly use web crawler(or have others use them on their behalf) should make sure not to bypass any technological measures that prevent unauthorised access to protected works, such as paywalls. Additionally they should Avoid crawling websites known for repeatedly infringing copyright on a commercial scale, using a dynamic list of such sites provided by EU authorities.

Identify and comply with rights reservations when crawling the World Wide Web

Companies must ensure their web crawlers respect copyright rules by following the Robot Exclusion Protocol (robots.txt) and complying with other machine-readable rights reservations. They should actively support the development of these standards and keep content owners informed about their practices. Additionally, companies that provide online search engines should ensure that compliance with rights reservations does not negatively impact the indexing of content.

Mitigate the risk of copyright-infringing outputs

Companies should commit to implementing technical safeguards that prevent their models from generating outputs that infringe on copyrighted training content. Additionally, they should also prohibit copyright-infringing uses of their models in their usage policies, terms and conditions, or other relevant documents. When it comes to open-source models, signatories will need alert users about the prohibition of copyright-infringing uses in the model's documentation.

Designate a point of contact and enable the lodging of complaints

Companies will need to provide a contact point for copyright holders and set up a system for submitting complaints about non-compliance. They will address "sufficiently precise and adequately substantiated complaints" promptly and informally, unless they are unfounded or repetitive. This will not affect legal copyright enforcement measures.

Safety and Security

This chapter, which is more detailed than the others aims to ensure that signatories assess and mitigate systemic risks by providing ten commitments to be followed (further detailed by specific measures):

• Adopting a state-of-the-art Safety and Security Framework
• Identifying systemic risks stemming from the model
• Analysing each identified systemic risk
• Specifying systemic risk acceptance criteria and determining whether the systemic risks stemming from the model are acceptable
• Implementing appropriate safety mitigations along the entire model lifecycle
• Implementing an adequate level of cybersecurity protection
• Reporting to the AI Office information about the model and its systemic risk assessment and mitigation processes (through a Safety and Security Model Report)
• Defining clear responsibilities for managing the systemic risks while promoting a "healthy risk culture"
• Implementing appropriate processes and measures for keeping track of, documenting, and reporting to the AI Office
• Documenting the implementation of the Safety and Security Chapter

The chapter also provides signatories with a wide range of definitions to ensure coherent interpretation and implementation of each measure.

Next steps

The code now needs to be endorsed by EU Member States and the EU Commission. Once this is done, providers of general-purpose AI models who voluntarily sign the Code will be able to demonstrate compliance with the relevant AI Act obligations by adhering to the Code. Signatories to the Code should benefit from a "reduced administrative burden" and increased legal certainty.

The Code will be complemented by Commission guidelines on general-purpose AI to be published ahead of the entry into force of the general-purpose AI obligations (2 August). The guidelines will clarify who is in and out of scope of the AI Act's general-purpose AI rules.

techUK will continue to analyse the Code of Practice and assess how to best support members.