10 Jul 2025
by Theo Maiziere

EU releases final version of AI Code of Practice

On 10 July 2025, the EU Commission published the final version of the General Purpose AI Code of Practice. Drafted by Commission-appointed experts, the Code faced delays and significant criticism, with some stakeholders arguing that the rules exceeded the scope of the AI Act and could stifle innovation. This final version aims to address these criticisms.  

As a reminder, under Article 2 of the AI Act, the law and by extension, these Code of Practice guidelines applies to providers regardless of whether they are established within the EU or in a third country, as long as the output produced by the AI system is used in the EU. 

The Code aims to assist industry compliance with the AI Act's rules on general-purpose AI, which will come into effect on 2 August 2025. It consists of three chapters: Transparency and Copyright, which address all providers of general-purpose AI models, and Safety and Security, relevant only to a limited number of providers of the most advanced models. 

Transparency 

The transparency chapter which aims to enhance transparency and foster trust and accountability, covers three key measures which are designed to ensure compliance with  Article 53(1), points (a) and (b), and the corresponding Annexes XI and XII of the AI Act:  

  • Drawing up and keeping up-to-date model documentation 
  • Providing relevant information 
  • Ensuring quality, integrity, and security of information 
Drawing up and keeping up-to-date model documentation 

The first measure is facilitated through the provision of a Model Documentation Form present in the chapter. The form aims to provide clarity to signatories by clarifying when information is intended for the EU AI Office, the national competent authority, or downstream providers.  

Providing relevant information 

Signatories, should they be asked to through the AI Office, must provide specific information quickly and up to date. Companies must also share important information with other businesses that use their AI models. They should respond to these requests within 14 days so as to ensure that downstream providers can comply with their obligations under the AI Act. Additionally, companies are encouraged to share some of this information publicly to be transparent. Some information might also need to be summarised and made public as part of the model's training content. 

Ensuring quality, integrity, and security of information 

Signatories should ensure their documented information is controlled for quality and integrity, and retained as evidence of compliance with their obligations under the AI Act.  

Copyright 

This chapter aims to serve as a guiding document for demonstrating compliance with the obligations provided for in Articles 53 and 55 AI Act. To do so it outlines five key measures to be followed:  

  • Draw up, keep up-to-date and implement a copyright policy 
  • Reproduce and extract only lawfully accessible copyright-protected content when crawling the World Wide Web 
  • Identify and comply with rights reservations when crawling the World Wide Web 
  • Mitigate the risk of copyright-infringing outputs  
  • Designate a point of contact and enable the lodging of complaints 
Draw up, keep up-to-date and implement a copyright policy 

Companies must create, update, and follow a policy to obey EU copyright laws for all general-purpose AI models they sell in the EU. They need to write this policy in one document and assign people within their organisation to make sure the policy is followed.  Companies are encouraged to share a summary of their copyright policy publicly and keep it up to date. 

Reproduce and extract only lawfully accessible copyright-protected content 

Companies who either directly use web crawler(or have others use them on their behalf) should make sure not to bypass any technological measures that prevent unauthorised access to protected works, such as paywalls. Additionally they should Avoid crawling websites known for repeatedly infringing copyright on a commercial scale, using a dynamic list of such sites provided by EU authorities. 

Identify and comply with rights reservations when crawling the World Wide Web 

Companies must ensure their web crawlers respect copyright rules by following the Robot Exclusion Protocol (robots.txt) and complying with other machine-readable rights reservations. They should actively support the development of these standards and keep content owners informed about their practices. Additionally, companies that provide online search engines should ensure that compliance with rights reservations does not negatively impact the indexing of content. 

Mitigate the risk of copyright-infringing outputs 

Companies should commit to implementing technical safeguards that prevent their models from generating outputs that infringe on copyrighted training content. Additionally, they should also prohibit copyright-infringing uses of their models in their usage policies, terms and conditions, or other relevant documents. When it comes to open-source models, signatories will need alert users about the prohibition of copyright-infringing uses in the model's documentation. 

Designate a point of contact and enable the lodging of complaints 

Companies will need to provide a contact point for copyright holders and set up a system for submitting complaints about non-compliance. They will address “sufficiently precise and adequately substantiated complaints” promptly and informally, unless they are unfounded or repetitive. This will not affect legal copyright enforcement measures. 

Safety and Security  

This chapter, which is more detailed than the others aims to ensure that signatories assess and mitigate systemic risks by providing ten commitments to be followed (further detailed by specific measures):  

  • Adopting a state-of-the-art Safety and Security Framework 
  • Identifying systemic risks stemming from the model 
  • Analysing each identified systemic risk 
  • Specifying systemic risk acceptance criteria and determining whether the systemic risks stemming from the model are acceptable 
  • Implementing appropriate safety mitigations along the entire model lifecycle 
  • Implementing an adequate level of cybersecurity protection 
  • Reporting to the AI Office information about the model and its systemic risk assessment and mitigation processes (through a Safety and Security Model Report) 
  • Defining clear responsibilities for managing the systemic risks while promoting a “healthy risk culture” 
  • Implementing appropriate processes and measures for keeping track of, documenting, and reporting to the AI Office 
  • Documenting the implementation of the Safety and Security Chapter  

The chapter also provides signatories with a wide range of definitions to ensure coherent interpretation and implementation of each measure.  

Next steps  

The code now needs to be endorsed by EU Member States and the EU Commission. Once this is done, providers of general-purpose AI models who voluntarily sign the Code will be able to demonstrate compliance with the relevant AI Act obligations by adhering to the Code. Signatories to the Code should benefit from a “reduced administrative burden” and increased legal certainty.  

The Code will be complemented by Commission guidelines on general-purpose AI to be published ahead of the entry into force of the general-purpose AI obligations (2 August). The guidelines will clarify who is in and out of scope of the AI Act's general-purpose AI rules.  

techUK will continue to analyse the Code of Practice and assess how to best support members.  


Theophile Maiziere

Theophile Maiziere

Policy Manager - EU, techUK

Theo joined techUK in 2024 as EU Policy Manager. Based in Brussels, he works on our EU policy and engagement.

Theo is an experienced policy adviser who has helped connect EU and non-EU decision makers.

Prior to techUK, Theo worked at the EU delegation to Australia, the Israeli trade mission to the EU, and the City of London Corporation’s Brussels office. In his role, Theo ensures that techUK members are well-informed about EU policy, its origins, and its implications, while also facilitating valuable input to Brussels-based decision-makers.

Theo holds and LLM in International and European law, and an MA in European Studies, both from the University of Amsterdam. 

Email:
[email protected]
Website:
www.techuk.org
LinkedIn:
linkedin.com/in/théophile-maiziere-a32772111

Read lessmore

techUK International Policy and Trade Programme activities

techUK supports members with their international trade plans and aspirations. We help members to understand market opportunities, tackle market access barriers, and build partnerships in their target market. Visit the programme page here.

 

 

Upcoming events

Latest news and insights 

Learn more and get involved

 

International Policy and Trade updates

Sign-up to get the latest updates and opportunities from our International Policy and Trade programme.

 

Here are the five reasons to join the International Policy and Trade Programme

Download

Join techUK groups

techUK members can get involved in our work by joining our groups, and stay up to date with the latest meetings and opportunities in the programme.

Learn more

Become a techUK member

Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.

Learn more

Meet the team 

Sabina Ciofu

Sabina Ciofu

Associate Director – International, techUK

Daniel Clarke

Daniel Clarke

Policy Manager for International Policy and Trade, techUK

Theophile Maiziere

Theophile Maiziere

Policy Manager - EU, techUK

Lewis Walmesley-Browne

Lewis Walmesley-Browne

Head of Market Access and Consumer Tech, techUK

Tess Newton

Team Assistant, Policy and Public Affairs, techUK

 

Authors

Theo Maiziere

Theo Maiziere

Policy Manager - EU, techUK

Theo joined techUK in 2024 as EU Policy Manager. Based in Brussels, he works on our EU policy and engagement.

Theo is an experienced policy adviser who has helped connect EU and non-EU decision makers.

Prior to techUK, Theo worked at the EU delegation to Australia, the Israeli trade mission to the EU, and the City of London Corporation’s Brussels office. In his role, Theo ensures that techUK members are well-informed about EU policy, its origins, and its implications, while also facilitating valuable input to Brussels-based decision-makers.

Theo holds and LLM in International and European law, and an MA in European Studies, both from the University of Amsterdam. 

Read lessmore