A new draft of the EU AI Act Code of Practice gives providers of general purpose AI models a clearer view of how they may be expected to comply with the bloc's rules. But the latest version also appears to soften some expectations, especially around copyright complaints and obligations for the most powerful AI systems.
The third draft was published on Tuesday, with written feedback due by March 30, 2025. It is expected to be the last draft before a May deadline to finalize guidance for GPAI model makers.
What the draft Code is meant to do
The EU AI Act is described as a risk-based rulebook for artificial intelligence. Within that framework, some obligations apply specifically to providers of general purpose AI models, covering areas such as transparency, copyright and risk mitigation.
The Code of Practice is intended to help GPAI model makers understand those duties in practical terms. For companies building or providing these models, the stakes are not only procedural. Breaches of GPAI requirements under the AI Act could lead to penalties of up to 3% of global annual revenue.
The latest draft is presented as more streamlined than the version published in December. Its structure has been revised, with commitments and measures refined after feedback on the second draft.
The process is not finished. Further feedback, working group discussions and workshops are expected to shape the final adopted version. The experts involved say they want the final Code to provide more "clarity and coherence".
Transparency gets a practical template
One of the clearest areas in the draft concerns transparency. The guidance includes an example of a model documentation form that GPAI providers might use.
The purpose is to make key information available to downstream deployers of the technology. That matters because companies and organizations using GPAI systems may have their own compliance responsibilities, and they need enough information from model providers to understand what they are deploying.
In plain terms, the draft points toward a more documented chain of responsibility. Model makers would not simply release systems and leave deployers to guess how they were built or what risks they may carry. The Code is trying to define what useful disclosure can look like, even before the final wording is adopted.
Copyright remains the most sensitive area
The copyright section is likely to remain the most contentious part of the Code for Big AI. The draft uses terms such as "best efforts", "reasonable measures" and "appropriate measures" when discussing compliance with commitments tied to data gathering and copyright risk.
That language matters because many GPAI systems depend on large-scale data collection. The draft discusses respecting rights requirements when crawling the web to acquire training data, as well as reducing the risk that models produce copyright-infringing outputs.
The softer wording may leave model makers with room to argue that they took enough action, even where rightsholders disagree. The source text frames this as potential wiggle room for data-mining AI companies that want to keep using protected information to train models and deal with objections later.
One notable change is how the draft handles rightsholder complaints. Earlier language said GPAI providers should offer a single point of contact and complaint handling so rightsholders could raise grievances "directly and rapidly". That phrasing appears to have been removed.
The current version instead says: "Signatories will designate a point of contact for communication with affected rightsholders and provide easily accessible information about it."
The draft also suggests that GPAI providers may refuse to act on copyright complaints that are "manifestly unfounded or excessive, in particular because of their repetitive character." That could become important if creatives use AI tools to detect possible copyright issues and automate complaints against large AI providers.
Safety duties narrow around the most powerful models
The AI Act's safety and security requirements for evaluating and mitigating systemic risks already apply only to a subset of the most powerful models. The source identifies those as models trained using a total computing power of more than 10^25 FLOPs.
In the latest draft, some previously recommended safety and security measures have been narrowed further in response to feedback. That continues the broader pattern of this version: clearer structure, but in some places less forceful language or more limited obligations.
The draft separates general GPAI commitments from the obligations that apply to models with systemic risk, referred to as GPAISR. That distinction is central to the EU's approach because not every general purpose AI model is treated as carrying the same level of risk.
Political pressure surrounds the final guidance
The draft is being prepared in a political environment where pressure on the EU's AI rules is visible. The source notes attacks from the U.S. administration led by president Donald Trump on European lawmaking generally and the bloc's AI rules specifically.
At the Paris AI Action summit last month, U.S. vice president JD Vance rejected the need to regulate AI for safety and said Trump's administration would focus on "AI opportunity". He also warned Europe that overregulation could harm the sector.
Since then, the bloc has moved to put the AI Liability Directive on the chopping block. EU lawmakers have also signaled an incoming "omnibus" package of simplifying reforms to existing rules, aimed at reducing red tape and bureaucracy for business, with areas such as sustainability reporting in focus.
The AI Act is still being implemented, which makes the guidance process especially important. The Code is being drafted by independent experts, while the European Commission, through the AI Office, is separately preparing "clarifying" guidance that will also affect how the law applies.
That future guidance is expected to include definitions for GPAIs and their responsibilities. The Commission says it will "clarify … the scope of the rules", which means the final shape of AI Act compliance for model makers will depend not only on this Code, but also on what the AI Office says next.