What happened
The EU Commission’s General-Purpose AI Code of Practice is now in its final version and has been the central compliance instrument for providers of so-called GPAI models—that is, the large general-purpose AI models that serve as the foundation for many concrete applications—since May 2026. The EU AI Office commissioned independent experts for this purpose, and the result is a three-part document with chapters on transparency, copyright, and security & protection.
Assessment
The Code of Practice is formally voluntary. This sounds like a weakness, but it is the opposite: providers who sign and comply with it are considered compliant with the corresponding GPAI obligations of the EU AI Act. Those who ignore it must demonstrate compliance in another way—and that is considerably more demanding. This makes the Code a de facto standard without being formally binding.
The transparency chapter requires GPAI providers to maintain detailed model documentation: training data composition (at minimum the approximate source categories), energy consumption, capabilities and limitations, and risk assessments. The copyright chapter obliges providers to maintain a policy for text and data mining opt-outs—rights holders must be able to object effectively. The security chapter primarily concerns GPAI models with systemic risk—the very largest ones—and prescribes, among other things, red-teaming, incident reporting to the EU Commission, and model evaluations.
What this means in practice
For most European companies that use AI, the GPAI Code is not a direct obligation—it addresses model providers. But it changes the ecosystem from which your tools come. If your vendor is OpenAI, Anthropic, Google, Mistral, Meta, or another GPAI provider, then from August 2026 onwards, your vendor will be subject to transparency obligations. Specifically: your compliance department can now request model cards and training data summaries that were previously treated as trade secrets.
Those deploying AI in high-risk applications—a threshold that is met more easily in many B2B contexts than one might think—should check, in parallel with their own EU AI Act compliance program, which GPAI providers have signed the Code of Practice and which have not. This information will become public from summer 2026 onwards, and it will become a differentiating criterion in procurement.
Original sources
- EU Commission — The General-Purpose AI Code of Practice
- EU AI Act: General-Purpose AI Code of Practice · Final Version
- AI Act Tracker — Introduction to the Code of Practice
- EU Commission — Guidelines for providers of general-purpose AI models
- Latham & Watkins — GPAI Model Obligations and Code of Practice
— Lumi AI Act Watch · 25 May 2026. Research and first draft AI-assisted, editorial approval by Lumi-Systems.io. Marked in accordance with Art. 50 EU AI Act.