the rules for companies building foundation models, published after most of them already shipped, which is very on-brand for AI regulation.
The General-Purpose AI Code of Practice, published 10 July 2025 and endorsed by the European Commission on 1 August 2025. Sets transparency and governance obligations for providers of general-purpose AI (GPAI) models under Articles 53 and 55 of the EU AI Act. Covers technical documentation, training data transparency, copyright policy compliance, safety evaluations for models with systemic risk, and downstream information provision. Adherence creates a presumption of conformity with the AI Act’s GPAI obligations. Developed through a multi-stakeholder drafting process involving model providers, civil society, academia, and downstream deployers.
Why It Matters
The GPAI Code of Practice is the first binding governance instrument specifically targeting foundation model providers in the EU market. Before its publication, the AI governance conversation focused almost entirely on deployers — the organisations building applications on top of foundation models. The Code shifts accountability upstream, placing transparency and safety obligations on the companies that build the models themselves.
This matters for every organisation in the AI supply chain. If you deploy a foundation model in a high-risk AI system, you need information about that model: its training data, its capabilities and limitations, its safety evaluation results, its known failure modes. The GPAI Code obligates providers to supply this information. Without it, your own EU AI Act compliance is structurally incomplete — you cannot conduct a meaningful risk assessment of a system when you do not know what the foundation model was trained on or what it is capable of.
The timing is significant. The Code was published after the major foundation model providers had already released multiple model generations. The transparency requirements — training data summaries, copyright compliance documentation, safety evaluations — retroactively apply to models already in the market. For providers, this means documenting decisions that may not have been systematically recorded. For deployers, it means asking for information that providers may not yet be able to produce.
The Stress Test
Your organisation deploys a high-risk AI system built on a third-party foundation model. The EU AI Office requests your conformity documentation. You produce your risk assessment, your quality management system documentation, and your post-market monitoring plan. The AI Office then asks for the model card and training data summary from your foundation model provider.
Your provider has not adhered to the GPAI Code of Practice. They have no standardised technical documentation. Their training data summary does not exist in the format the Code specifies. Your own conformity assessment depends on information you do not have and cannot produce, because it describes a model you did not build. The governance gap is not in your system. It is in your supply chain. And under the AI Act, it is your problem.
In the Wild
The GPAI Code of Practice was developed through the most extensive multi-stakeholder process in EU AI governance history. Over 1,000 participants from model providers, deployers, civil society, and academia contributed across four drafting rounds. The process surfaced fundamental tensions: model providers argued for proportionality and trade secret protection; civil society pushed for maximum transparency; deployers demanded actionable information. The final Code represented a negotiated equilibrium, not a consensus.
Every line of the Code reflects a compromise between transparency and commercial sensitivity. Understanding the compromises tells you where the gaps will emerge.
The Code requires GPAI providers to describe their copyright compliance policies and publish sufficiently detailed summaries of training data. For providers who trained on web-scale datasets, this requirement created an operational challenge: how do you document the provenance of billions of training examples? Publishers and rights holders argued the summaries were insufficient. Providers argued that more detailed disclosure would reveal proprietary training methodologies. The tension between transparency and trade secrets became the Code’s most contested implementation challenge.
You cannot have full transparency about training data and full protection of training methodologies at the same time. The Code chose a middle path. Both sides consider it insufficient.
Under the EU AI Act, GPAI models with systemic risk face enhanced obligations including adversarial testing, incident reporting, and cybersecurity measures. The AI Office’s classification threshold — initially set at 10^25 FLOPs of training compute — placed several frontier models in the systemic risk category. For these providers, the Code’s safety evaluation requirements were not aspirational but immediately binding, requiring red team assessments, model vulnerability analysis, and formal safety reports.
The compute threshold turned a governance conversation into a classification event. Above the line, your model is systemically important. Below it, you still have obligations — just fewer of them.
How to Govern It
If you consume foundation models, the GPAI Code is your supply chain governance lever.
Within the AI Control Index, the GPAI Code of Practice maps to:
- GRC (S1) — The Code’s presumption of conformity mechanism integrates directly into the compliance evidence chain. For deployers, checking whether your model provider adheres to the Code is a GRC checkpoint. For providers, adherence documentation becomes part of the Evidence Factory.
- Supply Chain (S3) — The primary governance domain. Foundation model selection, provider due diligence, model card requirements, training data transparency, and ongoing monitoring of provider compliance with Code commitments.
- Strategy (L1) — The decision to use a GPAI model — and which provider to use — is a strategic governance choice that determines the downstream compliance posture. Provider selection under the Code is a strategic decision, not a procurement decision.
- Ethics & Fairness (L2) — Training data transparency requirements intersect with bias governance. If you cannot see what the model was trained on, you cannot assess whether its outputs carry systematic biases relevant to your use case.
- Security (S2) — Safety evaluation requirements for systemic risk models map to adversarial testing, vulnerability assessment, and cybersecurity measures in the Security shield.
When It's Relevant
Any organisation that builds, deploys, or integrates general-purpose AI models in the EU market. The GPAI Code of Practice is particularly relevant when:
- You are a GPAI model provider placing models on the EU market and need to establish presumption of conformity
- You deploy applications built on third-party foundation models and need provider transparency for your own compliance
- Your model exceeds the systemic risk compute threshold and faces enhanced safety evaluation obligations
- You are evaluating foundation model providers and want to assess their governance maturity through Code adherence
- You use copyrighted content in training data and need to demonstrate compliance with EU copyright rules
Related Terms
References
- [1] European Commission (2025) General-Purpose AI Code of Practice. Published 10 July 2025, endorsed 1 August 2025. Available at: digital-strategy.ec.europa.eu.
- [2] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. Available at: eur-lex.europa.eu/eli/reg/2024/1689/oj.
- [3] Bommasani, R., Hudson, D.A., Adeli, E., Altman, R., Arber, S., von Arx, S. et al. (2022) ‘On the Opportunities and Risks of Foundation Models’, arXiv preprint, arXiv:2108.07258v3. Available at: arxiv.org/abs/2108.07258.
- [4] European AI Office (2025) GPAI Code of Practice: Final Report of the Drafting Process. Directorate-General for Communications Networks, Content and Technology.
- [5] ISO/IEC (2023) ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system. International Organization for Standardization.
- [6] Hacker, P. (2024) ‘The European AI Liability Directives — Critique of a Half-Hearted Approach and Lessons for the Future’, Computer Law & Security Review, 51, 105871. doi: 10.1016/j.clsr.2023.105871.
- [7] Engler, A. (2024) ‘The EU AI Act’s Provisions on General-Purpose AI: A Governance Analysis’, Brookings Institution. Available at: brookings.edu.
AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens