By Sapumal Herath · Owner & Blogger, AI Buzz · Last updated: February 1, 2026 · Difficulty: Beginner
Foundation models (general-purpose AI models) sit underneath a huge part of today’s AI: chatbots, copilots, image generators, and tool-connected agents.
That power creates a new reality: if a foundation model is unsafe, unclear, or legally risky, every downstream product inherits that risk.
The EU AI Act introduces specific obligations for general-purpose AI (GPAI) model providers. And the GPAI Code of Practice is meant to make those obligations practical—so providers can follow a clear “how-to,” and buyers can ask better questions before integrating models into products.
Note: This article is for educational purposes only. It is not legal advice. If you provide models in the EU (or your model outputs are used in the EU), consult legal/compliance professionals for your specific obligations.
🎯 What the GPAI Code of Practice is (plain English)
The GPAI Code of Practice is a voluntary, practical guide designed to help model providers comply with the EU AI Act’s obligations for general-purpose AI models.
It is not the law itself. The AI Act is the law.
Think of the Code as a “compliance shortcut”:
- If you are a model provider and you follow the Code, you can use it as a structured way to demonstrate compliance.
- If you are a buyer (building AI apps on top of a model), you can use the Code as a checklist for what to request from your provider.
🗓️ Timeline: the dates that matter (so you don’t get caught off guard)
The AI Act is phased in, and GPAI has its own schedule. Here are the key dates in one place:
| Date | What happens | Why you should care |
|---|---|---|
| July 10, 2025 | GPAI Code of Practice published | Practical guidance becomes available (Transparency, Copyright, Safety & Security). |
| August 2, 2025 | AI Act GPAI obligations enter into application | If you place GPAI models on the EU market, obligations begin applying. |
| August 2, 2026 | Most AI Act rules start applying; enforcement ramps up | Many organizations feel the “compliance pressure” most strongly from this point. |
| August 2, 2027 | Transition deadline for GPAI models placed on the market before Aug 2, 2025 | Existing models generally have extra time, but “wait until 2027” is risky if you need enterprise buyers now. |
As of February 1, 2026: the GPAI obligations are already in application (since Aug 2, 2025). The next major milestone for broad enforcement and the rest of the AI Act is Aug 2, 2026.
👥 Who this applies to: Providers vs Buyers (and why both should care)
🏭 If you are a GPAI model provider
You are responsible for meeting the AI Act’s GPAI obligations. The Code of Practice gives you a structured way to document transparency, copyright policies, and—if relevant—systemic-risk safety/security measures.
🧩 If you are a buyer (building an AI product on top of someone else’s model)
You may not be the “provider of the model,” but you still inherit risk:
- Your customers will blame your product if the model leaks data, hallucinates policy, or produces unsafe outputs.
- You will still need governance, monitoring, and incident response for your application.
- You should treat “GPAI provider compliance artifacts” as part of vendor due diligence.
If you want a simple procurement backbone, pair this with: AI Vendor Due Diligence Checklist.
📚 The 3 chapters (the easiest way to understand the Code)
The Code is organized into three chapters. This structure is the fastest way to understand what the EU is asking for:
1) 🪟 Transparency (for all GPAI model providers)
Goal: make it possible for downstream developers, deployers, and regulators to understand what the model is, what it can do, and how to integrate it responsibly.
In practice, “transparency” often means:
- Model documentation that is complete and consistent
- Clear intended use + limitations + known failure modes
- Integration guidance (especially when models connect to tools or external systems)
2) ©️ Copyright (for all GPAI model providers)
Goal: have a practical policy and process for respecting EU copyright law, including how training data is handled and how rights holders can exercise rights.
For creators and teams that publish content, see also: AI and Copyright (Beginner Guide).
3) 🛡️ Safety & Security (primarily for “systemic risk” models)
Goal: reduce systemic risks from the most advanced models through risk assessment, mitigations, incident reporting, and cybersecurity controls.
Safety & Security becomes especially important when models can materially increase harm (scaling misuse, enabling unsafe capabilities, or creating widespread downstream impact).
✅ Provider checklist (copy/paste): “Are we Code-of-Practice ready?”
Use this as a lightweight internal checklist for GPAI model providers.
🪟 A) Transparency
- Model documentation exists and is updated per version/release.
- Intended use is clear (what it’s for, and what it is not for).
- Limitations are explicit (known weaknesses, out-of-scope areas, common failure modes).
- Integration guidance is provided (rate limits, safe prompting guidance, tool-use guidance, logging guidance).
- Change notes exist (what changed between versions and what risks might shift).
- Support + contact exists for issues and incident reporting.
©️ B) Copyright
- Copyright compliance policy exists and is operational (not just a statement).
- Training data transparency is addressed with the required public summary approach.
- Process for rights holders exists (requests, complaints, escalation path).
- Internal records exist for how copyright risk is managed (so you can prove it later).
🛡️ C) Safety & Security (if you are in systemic-risk territory)
- Risk assessment exists for systemic risks and is repeated as models evolve.
- Adversarial testing / red teaming is performed and documented.
- Serious incident process exists (what counts as serious, how fast you respond, who is accountable).
- Cybersecurity controls exist for the model and its infrastructure.
- Monitoring exists to detect safety regressions and abuse patterns.
Helpful internal “evidence generators”:
- AI System Cards (document the full system, not just the model)
- AI Monitoring & Observability
- AI Incident Response Playbook
🧾 Buyer checklist (copy/paste): What to ask your model provider before integrating
If you are buying a model API or integrating an open model into your product, use this checklist in procurement / security review.
🪟 A) Transparency artifacts
- Do you provide a model documentation pack (capabilities, intended use, limitations, known risks)?
- Do you provide versioning + change logs (so we can track regressions)?
- Do you provide integration guidance for safe use (rate limits, safety settings, logging)?
- Do you support auditability (logs, incident traceability, enterprise controls)?
©️ B) Copyright posture (practical, not vague)
- Do you have a documented copyright compliance policy?
- Can you provide a public training content summary (where required)?
- How do you handle complaints/claims related to IP?
🛡️ C) Safety, security, and incident handling
- Do you have a documented security program (access controls, vulnerability handling, incident notifications)?
- Do you support enterprise guardrails (policy controls, data controls, admin visibility)?
- What is your incident process for serious AI failures (unsafe outputs, leakage, abuse)?
- Do you provide safety evaluation or red-teaming summaries for advanced models (when relevant)?
Buyer reality check: Even if your provider is “perfect,” your application can still fail. You still need your own monitoring, approvals, and incident playbook—especially if you connect tools or sensitive data.
🚩 Red flags that should slow your rollout
- “We comply” with no documentation, no artifacts, and no concrete processes.
- No clear versioning or change communication (silent behavior changes).
- No incident response path (or vague “contact support” with no commitments).
- No meaningful transparency pack (intended use, limitations, safety posture).
- For tool-connected/agent scenarios: no clear guidance on safe permissions and approvals.
One red flag does not always mean “do not use.” It usually means: restrict scope, pilot with low-risk data, and require stronger controls.
🧮 Simple scoring rubric (Green / Yellow / Red)
If you want a fast procurement decision method, score each area 0–2 and sum it.
- 2 (Green): clear documentation + operational controls + good defaults
- 1 (Yellow): partial controls or unclear details; workable with restrictions
- 0 (Red): missing artifacts or vague answers; high risk of avoidable problems
| Category | Score (0–2) | Notes |
|---|---|---|
| Transparency artifacts | __ | ________________________________________ |
| Copyright posture | __ | ________________________________________ |
| Safety & security posture | __ | ________________________________________ |
| Operational readiness (monitoring + incidents) | __ | ________________________________________ |
Interpretation:
- 7–8: approve (with standard safeguards)
- 5–6: approve with restrictions (no sensitive data; draft-only; approvals; monitoring)
- 0–4: do not approve for production use (or require formal review)
📝 Copy/paste: GPAI integration decision record (for buyers)
Model/provider: __________________________
Integration type: API / hosted / self-hosted (circle one)
Use case: __________________________
Data allowed: public / internal / restricted (circle one)
Prohibited data: credentials, regulated data, sensitive personal data (and other: ____________)
Customer-facing outputs: draft-only / human review required / automated (circle one)
Tool/agent actions: none / read-only / write with approval / write without approval (circle one)
Monitoring: quality + safety + privacy + drift + cost (circle all that apply)
Incident process: owner + escalation path defined (yes/no)
Decision: approved / approved with restrictions / not approved
Next review date: __________________________
📚 Further reading (official sources)
- European Commission: The General-Purpose AI Code of Practice (chapters + signatories)
- European Commission: GPAI Code of Practice now available (press release)
- European Commission: Template + explanatory notice for public summary of training content
- AI Office: General-Purpose AI Models in the AI Act (Q&A)
- European Commission: AI Act overview + timeline
- EUR-Lex: Regulation (EU) 2024/1689 (AI Act)
🏁 Conclusion
The GPAI Code of Practice is not just “EU paperwork.” It’s the practical layer that turns the AI Act’s model obligations into real documentation and operational habits—especially around transparency, copyright, and (for the most advanced models) safety and security.
If you are a provider: treat the Code as your compliance playbook. If you are a buyer: treat the Code as your vendor checklist. Either way, combine it with monitoring, incident response, and clear internal accountability so you can scale AI without surprises.
Leave a Reply