In a landmark move, the European Union (EU) has published the first draft of the General-Purpose Artificial Intelligence (GPAI) Code of Practice, aiming to set a new standard in how AI is developed, deployed, and managed across industries. This draft, prepared by a team of independent experts under the guidance of the EU’s AI Office, represents a significant milestone in the EU’s strategy for AI governance, as it tackles concerns around transparency, copyright, and risk management. It’s expected to set the stage for the AI Act, scheduled to take effect in August 2025.

The release of this draft comes amid increasing global scrutiny on AI, as businesses, governments, and individuals seek to balance innovation with ethical and safe AI use. I will introduce and summarize some of the main principles, and its potential impact on the future of AI in the EU and the rest of the world.

Key Principles of the General-Purpose AI Code of Practice

At its core, the GPAI Code of Practice revolves around three foundational principles: transparency, accountability, and risk management. These principles are designed to foster trust in AI systems, promote responsible innovation, and safeguard user interests.

1. Transparency: The draft Code places a significant emphasis on transparency, pushing AI providers to disclose relevant information about their systems’ functionalities, limitations, and risks. By standardizing transparency requirements, the Code seeks to empower both businesses and consumers with the knowledge needed to make informed decisions about AI. Transparent practices help demystify AI systems, allowing users to understand the underlying algorithms, data sources, and decision-making processes at play.

1. Accountability and Copyright Enforcement: The Code emphasizes the need for robust copyright enforcement, especially given the rising concerns around intellectual property in AI systems. As AI models rely heavily on large data sets, which may include copyrighted materials, there is a growing risk of misuse. The GPAI Code establishes guidelines to protect intellectual property rights, ensuring that creators and content owners are respected. It also lays out accountability frameworks that designate clear responsibilities for AI providers, developers, and users in instances of infringement or misuse.

1. Risk Management Framework: Recognizing the potential for AI systems to impact society on a systemic level, the Code introduces a comprehensive risk management framework. This framework includes a taxonomy of risks associated with AI, methodologies for assessing these risks, and strategies for mitigation. By establishing structured approaches for risk identification and mitigation, the Code aims to reduce the likelihood of unintended consequences, especially in high-stakes sectors like healthcare, finance, and public safety.

Breaking Down the GPAI Code’s Main Components

Each of these principles is backed by concrete guidelines and frameworks that will shape the way organizations interact with AI systems.

1. Transparency Requirements

The GPAI Code specifies the types of information AI providers must disclose, such as details about the algorithms used, training data sources, and potential biases in decision-making. This transparency is intended to not only build trust among end-users but also provide regulators and stakeholders with a clear view of how these AI models function and the types of outcomes they can generate.

Under these requirements, organizations deploying AI solutions will need to develop clear documentation and standardized reports that communicate the capabilities and limitations of their systems. The transparency guidelines extend to explaining “black box” models—those complex, less interpretable models—to the extent feasible, allowing stakeholders to better grasp how and why decisions are made.

2. Copyright and IP Enforcement Standards

The issue of copyright in AI is complex, with AI models often trained on vast swathes of data that may include copyrighted works. The GPAI Code lays out copyright enforcement standards to ensure AI providers respect the rights of content creators and intellectual property holders. This section of the Code may require companies to vet and document the data used in training their models, minimizing the risk of infringing on copyrights or exposing organizations to legal liabilities.

Moreover, the accountability framework within the Code of Practice requires providers to maintain records and documentation on data usage and sourcing, enabling a traceable process if issues of copyright infringement arise. This layer of accountability helps foster a responsible AI ecosystem that respects individual and corporate ownership rights.

3. Systemic Risk Management Framework

One of the most notable parts of the draft Code is the detailed risk management framework. This framework is particularly critical as it serves as a guiding structure for identifying and addressing systemic risks associated with AI. The Code categorizes risks based on their potential impact on public safety, data privacy, economic stability, and social equity. This taxonomy of risks not only aids in prioritizing mitigation efforts but also provides guidance for risk assessment methodologies.

For example, in high-risk environments like healthcare or finance, organizations may need to conduct regular risk assessments and implement specific risk mitigation measures, such as bias detection algorithms, continual model monitoring, and fail-safe mechanisms. By enforcing a standardized risk assessment approach, the Code helps ensure that AI systems operate within acceptable safety margins, reducing the potential for harm.

What’s Next? Stakeholder Input and Implementation Timeline

The EU has opened the floor for comments and input from stakeholders and representatives of EU Member States until November 28. These comments will help refine the draft Code and align it with the practical needs of industries and consumers. Following the feedback period, working groups are set to meet for further discussions, with a Plenary on November 22 to formalize recommendations and finalize updates.

The timeline is designed to ensure that the final GPAI Code of Practice, expected by May 2025, will be comprehensive, actionable, and aligned with the AI Act’s implementation in August 2025. With the involvement of industry experts, government representatives, and public voices, the EU is positioning itself as a leader in AI governance, potentially influencing AI policy frameworks worldwide.

A Blueprint for Responsible AI

The EU’s draft GPAI Code of Practice is more than just a regulatory document; it is a blueprint for fostering responsible, safe, and transparent AI. By emphasizing transparency, copyright respect, and risk management, the EU is setting a new benchmark in AI regulation, providing organizations with a structured approach to deploying AI systems responsibly.

As the global AI landscape continues to evolve, this Code of Practice could serve as a model for other regions seeking to balance the benefits of AI with the safeguards necessary to protect societies. For businesses and organizations within the EU, the draft Code provides an opportunity to shape the future of AI policy and demonstrate their commitment to responsible AI practices.

The GPAI Code of Practice represents a significant step forward in ensuring that AI technology can be innovative, beneficial, and ethically aligned with society’s needs. As we look toward the future, this draft signals a new era of AI governance, where accountability, transparency, and safety are foundational elements of technological progress.