Brussels, July 10th, 2025: EU AI Office suits hand out the freshly printed Code of Practice for General-Purpose AI models, while providers like OpenAI scribble signatures—or do they?
It’s here. The Code of Practice for General-Purpose AI (GPAI, for short), that interim rulebook everyone’s pretending to care about. Dropped amid the AI Act’s slow-roll rollout, this thing’s meant to tide us over until real European standards hit in 2027 or whenever. Obligations kicked in August 2025 for GPAI providers—transparency, copyright, safety for the risky ones. But legally? It’s optional. A gentle nudge in a world of sledgehammers.
Look, the AI Act’s no lightweight. Prohibited systems? Banned since February. GPAI duties? Live now, per Articles 50-55. Yet standards from CEN-CENELEC? Years away. Three, maybe more, thanks to consensus-building drudgery and international syncing mandates. Enter the Code: a multi-stakeholder love child of experts, providers, deployers, and civil society watchdogs. Purpose? Show compliance without the binding chains—until standards save the day.
Who’s Playing Along—and Who Skipped the Party?
Signatures matter. Or do they? The final Code lists academic eggheads, indie researchers, a smattering of civil society (Future of Life Institute, shoutout), and—drumroll—GPAI heavyweights. OpenAI? Signed. Google DeepMind? Yep. Anthropic? On board. Meta? Conspicuously absent, probably too busy litigating copyright scraps. xAI? Crickets. What does it mean? Jack squat, legally. It’s voluntary, remember? Providers can flaunt adherence like a badge, but bail anytime. The Commission and AI Board called it “adequate” for Articles 53 and 55. Cute.
The Commission and the EU AI Board have confirmed that the GPAI Code is an adequate voluntary tool for providers of GPAI models to demonstrate compliance with the AI Act.
That’s the money quote. Adequate. Like saying a paper towel handles a flood.
Three chapters, folks. Transparency for all: disclose training data summaries, tech docs. Copyright: opt-out mechanisms, labeling. Safety and Security? Systemic-risk models only—like those beasts over 10^25 FLOPs or high-impact cousins. Commitments plus measures. Neat checklists. But here’s my unique hot take: this echoes the GDPR’s pre-2018 guidelines. Everyone nodded, few complied fully, fines rained later. History rhymes—providers will “adhere” publicly, cut corners privately, and we’ll see enforcement roulette by 2027.
Is This Code Actually Enforceable?
Short answer: Nope.
Long answer: The AI Act ties compliance to standards eventually, but until then? Self-certification city. Codes like this live in soft-law land—moral suasion, reputational risk. EU AI Office oversees, can nudge or shame, but no fines yet. Backstory’s a slog: drafts ping-ponged since early 2025, stakeholders bickering over systemic-risk definitions (FLOPs thresholds? Guardrails?). Published July 10, post-signoff. Paves the road to standards? Maybe. Or just delays ‘em, as providers lobby for wiggle room.
Providers of GPAI models—anyone placing ‘em on the market or putting to service. Open models? Still on hook if systemic. Deployers get relief if they stick to instructions. Scope’s broad, deliberately. But enforcement? Codes aren’t law. Breach one? No auto-penalty. Commission might reference it in audits, but that’s it. Toothless tiger.
And the drafting circus. AI Office led, stakeholders from Pour Demain to Big Tech. Consensus? Ha. Compromises everywhere—watered-down safety for signers, transparency tweaks to soothe IP hawks. Result: a 100-page PDF that’s more suggestion than scripture.
Why Does the Gap Even Exist?
Standards take forever. AI Act demands harmonized ones, but CEN-CENELEC’s multi-year grind—consultations, votes, international alignment—clashes with August 2025 deadlines. Code bridges it. Or pretends to. My bold prediction: standards slip to 2028, minimum. Too political, too technical. GPAI’s black-box magic defies tidy specs. Meanwhile, US races ahead with lighter touch; China mandates backdoors. EU’s playing catch-up with paperwork.
Corporate hype alert. Providers spin this as “responsible AI.” Please. It’s damage control—sign the Code, dodge scrutiny. Civil society got concessions (better copyright opts), but at what cost? Diluted systemic-risk rules let monsters roam.
Safety chapter’s the gem for high-riskers: red-teaming, safeguards, incident reporting. Commitments like “implement cybersecurity,” measures spelling ASL-3 protections. Solid on paper. In practice? Providers self-assess. Trust, but verify—who verifies?
Transparency’s bare minimum: model cards, datasheets. Copyright nods to TDM exceptions, but opt-outs are messy. Publishers cheer; providers groan.
The Real Sting: What Happens Next?
Adherence demos compliance—pre-standards shield. But ignore it? Risk future audits, when standards bite. EU AI Board watches. National authorities enforce eventually.
Wander a bit: remember Y2K? Billions prepped for apocalypse that fizzled. This Code’s Y2K for AI—hype, checklists, ultimate overkill or underwhelm?
Providers win short-term: voluntary virtue-signaling. Users? Meh. Regulators get a benchmark. But if standards flop, we’re back to square one.
It’s a start. Barely. Sharpens the compliance knife without drawing blood yet.
🧬 Related Insights
- Read more:
- Read more: EFF to Supreme Court: Cisco Built China’s Torture Machine—Time to Pay Up
Frequently Asked Questions
What is the EU AI Act Code of Practice for GPAI?
It’s voluntary guidelines for general-purpose AI providers on transparency, copyright, and safety—bridging to 2027 standards.
Is the GPAI Code of Practice legally binding?
No, it’s non-binding, but following it proves compliance until standards arrive.
Who must follow the GPAI Code of Practice?
GPAI model providers since August 2025; safety rules only for systemic-risk models.
