The growing use of AI models for general purposes in every sector makes such systems increasingly central to the economic and social development of the European and global context. The adoption of the The General-Purpose AI (GPAI) Code of Practice, published by the European Commission on 10 July 2025, therefore constitutes a crucial step in ensuring that these technologies are used safely and reliably, safeguarding the rights and interests of the parties involved and ensuring their use in compliance with the law.
The AI Act defines a general-purpose AI model (GPAI) as “an AI model […] that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications. ” These models represent the basis of many AI systems, and it is therefore essential that providers ensure transparency by offering adequate technical documentation and by cooperating throughout the entire supply chain.
To this end, on 10 July 2025, the Commission finally published the The General-Purpose AI (GPAI) Code of Practice, albeit with a few weeks’ delay. In the coming weeks, specific guidelines supplementing the Code are also expected to be issued. Subsequently, the Commission and the Member States will assess the adequacy of the text, which, once approved by means of an adequacy decision, may be signed - on a voluntary basis - by AI model providers. Adherence will constitute an important instrument enabling providers to demonstrate the compliance of their systems with the requirements and standards of the AI Act on general-purpose AI, which, otherwise, from 2 August 2025, will have to be demonstrated in practice by providers of such systems for each new AI model placed on the European Union market.
As regards the content of the Code, which was drafted on the basis of an inclusive and transparent process conducted by the Office for AI, involving general-purpose AI model providers, downstream providers, industry organisations, civil society, rightsholders and other entities, as well as academia and independent experts, it consists of three chapters: the Transparency chapter , the Copyright chapter, and the Safety and Security chapter .
The chapters on transparency and copyright provide all GPAI model providers with a useful tool for demonstrating compliance with the obligations set out in Article 53 of the AI Act. Conversely, the chapter concerning safety and security relates only to a limited number of providers, namely those developing the most advanced models, subject to the additional obligations established for GPAI models with high systemic risk, governed by Article 55 of the AI Act.
In fact, therefore, the Code serves as a guide for providers to demonstrate compliance with the obligations laid down in Articles 53 and 55 of the AI Act, while clarifying that adherence does not constitute conclusive evidence of compliance with those obligations. The aim is to ensure, in any case, that GPAI model providers comply with the obligations established by the AI Act and to enable the Office for Artificial Intelligence to assess the compliance of providers who have chosen to adhere to it.
This paper will briefly examine only the chapter concerning copyright, which identifies various obligations incumbent upon GPAI system providers, specifying, however, that such measures must be proportionate to the size of the provider, with particular attention to SMEs and start-ups, and that these obligations do not replace compliance with EU copyright law, which remains fully applicable.
The Code provides, first, that GPAI model providers must adopt their own comprehensive and documented policy to ensure compliance with Union law on copyright. This policy must be constantly updated, contained in a single document (preferably published online) and supplemented by the measures provided for in the Code. Providers shall also assign, within their organisation, specific responsibilities for the implementation and supervision of such policy.
The second measure provides that, where web crawling technologies are used, in order to ensure that GPAI providers reproduce and extract only lawfully accessible protected works and other content, providers undertake not to circumvent the technological protection measures defined in Article 6(3) of Directive 2001/29/EC and to exclude from their web crawling processes any websites recognised by judicial or administrative authorities as responsible for systematic commercial-scale infringements of copyright and related rights. A dynamic list of sites to be excluded will be made public by the competent European institutions.
Furthermore, in order to ensure respect for the rights reserved by rightsholders, providers undertake to: use crawlers that comply with the robots.txt protocol and other forms of machine-readable metadata; adopt widely accepted technical standards to identify confidential content; publish transparent information on crawling methods and copyright compliance measures; and activate automatic notification systems for rights holders when this information is updated. It is also established that, if the provider also operates a search engine, it shall ensure that compliance with rights reservations does not result in the penalisation of the indexing of the relevant rights holders’ content.
The fourth measure is aimed at mitigating the risk that models generate content and outputs infringing copyright. To this end, providers undertake to adopt appropriate and proportionate technical measures to prevent the unlawful reproduction of protected content, as well as to define terms of use prohibiting any use of the model involving copyright infringement, including in the case of GPAI models released under open-source licences.
Finally, the Code provides for the obligation to establish direct communication channels with rightsholders, through the creation of an electronic contact point for communications with rightsholders and the activation of a mechanism for the submission of reasoned and documented reports, including by collective management organisations. Such complaints must be handled diligently, impartially and within a reasonable timeframe, unless they are manifestly unfounded or duplicated. This commitment does not preclude rights holders from seeking ordinary judicial and administrative remedies under EU and national law.
