EU publishes AI code of practice weeks before new rules take effect

The European Commission has published the General-Purpose AI Code of Practice to help enterprises comply with transparency, copyright, safety, and security obligations under the EU AI Act. The voluntary code arrives just ahead of the second wave of EU AI Act rules taking effect on August 2, providing critical guidance for companies developing and distributing AI models.

What you should know: The code of practice offers enterprises a structured pathway to demonstrate compliance with EU AI Act requirements, though following it remains voluntary.

• The Commission positioned the code as a way for businesses to ensure they meet their legal obligations under the sweeping AI legislation.
• Additional “guidelines on key concepts related to general-purpose AI models” are promised by the end of July to complement the code.
• The code was developed by 13 independent experts with input from model providers, enterprises, academics, and AI safety experts.

Key requirements: The code establishes comprehensive documentation and compliance frameworks across three main areas.

• Transparency: A model documentation form covers aspects including data sources, training, energy consumption, licensing, distribution, and acceptable use—requiring enterprises to fill out detailed forms for each AI model they create.
• Copyright protection: Companies must respect web scraping protection measures like robots.txt and Cloudflare’s AI bot identification systems, while designing models to prevent regurgitation of copyrighted works.
• Safety and security: The most extensive 40-page chapter outlines measures for creating safety frameworks, identifying systemic risks, implementing security mitigations, allocating responsibility, and reporting on incidents.

The paperwork burden: Enterprises face significant documentation requirements that extend well beyond initial model deployment.

• Companies must maintain comprehensive records for at least 10 years after each AI model has been placed on the market.
• The safety and security chapter alone requires extensive documentation covering risk analysis, mitigation strategies, and incident reporting protocols.

Timeline pressure: The code’s publication comes after delays that had some European enterprises calling for postponement of the AI Act’s implementation.

• Originally scheduled for May publication, the code arrives just weeks before the August 2 deadline for the next wave of EU AI Act rules.
• A Commission spokesperson confirmed earlier this week that there would be no pause in the AI Act’s implementation timeline despite the delayed guidance.