15

Immagine creata con IAAI-generated image

GPAI models and the Code of Practice: the voluntary route to Chapter V compliance under the AI Act

Since 2 August 2025 the obligations of Chapter V of the AI Act apply to providers of general-purpose AI models. The General-Purpose AI Code of Practice, delivered to the Commission on 10 July 2025 and signed by over twenty providers, is its voluntary implementing tool: three chapters, from transparency to copyright to the safety and security of systemic-risk models. How does it work, and what does signing up entail?

Within the AI Act, general-purpose AI (GPAI) models enjoy a dedicated regime: Chapter V, applicable under Article 113(b) “from 2 August 2025”. It is on this terrain that the AI Act’s first test of co-regulation was played out: the General-Purpose AI Code of Practice, received by the European Commission on 10 July 2025. This seems the right place to clarify the nature, contents and consequences of signing up.

The Chapter V obligations: Articles 53 and 55

Article 53(1) provides that providers of GPAI models “draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation”; followed by the information obligation towards downstream providers (point b), the obligation to put in place “a policy to comply with Union law on copyright and related rights”, including to “identify and comply with […] a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790” (point c), and the obligation to make public “a sufficiently detailed summary about the content used for training […] according to a template provided by the AI Office” (point d). For systemic-risk models, Article 55(1) adds reinforced duties: providers “perform model evaluation […] including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks”, together with EU-level risk assessment and mitigation, serious-incident reporting and cybersecurity. As to the implementing tool, Article 56(1) provides that “the AI Office shall encourage and facilitate the drawing up of codes of practice at Union level”.

The Code of Practice: nature and process

The Code is, by the Commission’s express qualification, “a voluntary tool developed by 13 independent experts, with input from over 1,000 stakeholders”, designed “to help industry comply with the AI Act’s rules on general-purpose AI”. The Commission and the AI Board have confirmed that “the code is an adequate voluntary tool for providers of GPAI models to demonstrate compliance with the AI Act”. The incentive to sign is stated: “signatories to the Code will benefit from a reduced administrative burden and increased legal certainty compared to providers that prove compliance in other ways”. At the time of our last review the signatories numbered over twenty, including the main international and European providers, with the possibility of adhering to a single chapter only.

The three chapters

The Code “consists of three chapters: Transparency and Copyright, both addressing all providers of general-purpose AI models, and Safety and Security, relevant only to a limited number of providers of the most advanced models”. The Transparency chapter implements the documentary and information obligations, its operational heart being the “user-friendly Model Documentation Form which allows Signatories to easily compile the information required […] in a single place”. The Copyright chapter is built around a single commitment, the copyright policy — “Signatories commit to drawing up, keeping up-to-date and implementing such a copyright policy” — with the caveat to keep firm: “adherence to the Code does not constitute compliance with Union law on copyright and related rights”. The Safety and Security chapter, reserved to providers of systemic-risk models, counts ten commitments, starting with the Safety and Security Framework, whose purpose is “to outline the systemic risk management processes and measures that Signatories implement to ensure the systemic risks stemming from their models are acceptable”.

Considerations

Three notes seem essential. First, the Code is not a safe harbour: signing facilitates the demonstration of compliance but does not exhaust it, and the Chapter V obligations remain the measure of what is due. Second, the dynamic is that of co-regulation: a body of commitments developed by independent experts with the public facilitator, set to evolve with the state of the art. Finally, for the Italian and European ecosystem of deployers, the documentary transparency of GPAI providers — think of the Model Documentation Form — is the precondition for fulfilling their own, distinct, obligations.

Conclusions

The GPAI Code of Practice puts the AI Act’s regulatory bet to the test for the first time: translating general obligations into shared operational commitments, before and beyond the harmonised standards. Its robustness will be measured in daily implementation and in the updates the AI Office is able to promote. In the light of the above, one wonders whether the voluntary route will hold up against the most capable models: a code of commitments is worth only as much as its implementation, and the governance of systemic risks it outlines protects fundamental rights only if it does not remain on paper, in the face of a technology that evolves faster than any code.