Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

EU’s General-Purpose AI Obligations Are Now in Force, With New Guidance

Skadden Publication / AI Insights

Nicola Kerr-Shaw David A. Simon Stuart D. Levi Susanne Werry Aleksander J. Aleksiev

Executive Summary

  • What is new: The EU AI Act’s obligations on general-purpose AI providers have now come into force alongside the publication of guidance, a code of practice and a disclosure template that flesh out GPAI model providers’ obligations.
  • Why it matters: The new guidance sets out who is subject to GPAI obligations; the code of practice can be used by signatories to demonstrate compliance with certain AI Act obligations relating to transparency, copyright, and safety and security; and the template sets out mandatory disclosures for GPAI model providers.
  • What to do next: In light of the new guidance, companies should assess whether they are subject to the AI Act’s GPAI obligations and, if so, whether to sign the code of practice.

__________

In July 2025, the European Commission (the Commission) published guidance, a code of practice and model template related to the obligations of providers (i.e., developers) of general-purpose AI (GPAI) models under the European Union Artificial Intelligence Act (AI Act), which came into effect on 2 August 2025.

Delays in the publication of this and other related documentation had led to speculation that the AI Act’s GPAI obligations would be pushed back. While no formal delay was announced, the Commission’s new GPAI guidance informally acknowledges that an enforcement grace period may be required. Nonetheless, providers of GPAI models will still need to assess and work toward compliance with the AI Act.

Background

The last-minute flurry of documentation the Commission issued regarding GPAI obligations included:

  • Guidance on the scope of GPAI obligations (GPAI Guidance) and associated FAQ for GPAI model providers, published on 18 July 2025, which describe who the AI Act’s GPAI obligations apply to.
  • The GPAI Code of Practice (GPAI Code), published on 10 July 2025 and formally approved on 1 August 2025. Adherence to the GPAI Code is not mandatory, but providers can “rely on codes of practice … to demonstrate compliance” with the AI Act’s GPAI obligations. The GPAI Code will likely shape regulators’ expectations for AI Act compliance.
  • The form through which GPAI model are required to summarise the data used to train their GPAI model, published on 24 July 2025 (GPAI Template).

Each of these are discussed in more detail below.

The GPAI Guidance – To Which Providers Do GPAI Obligations Apply?

The AI Act defines GPAI models as those “trained with a large amount of data” that display “significant generality” across a “wide range of distinct tasks.” Since these terms are imprecise and difficult to interpret, the GPAI Guidance proposes an “indicative” test: Models trained with greater than 10e23 FLOPs of computing power, and which are capable of generating text, audio, images or video, should be considered GPAI models.

This approach has the benefit of providing a single clear and quantifiable test of whether a model is a GPAI model, though the 10e23 FLOP threshold may quickly become out-of-date as technology advances.

The GPAI Guidance also provides some much-needed clarification as to when organizations modifying or fine-tuning an existing GPAI model could themselves be deemed a “provider” — a result suggested in the Recitals to the AI Act.

The GPAI Guidance provides specific guidance on this point, stating that a GPAI modifier or fine-tuner only becomes a GPAI provider in its own right if “the modification leads to a significant change in the model.” The Commission indicatively sets a threshold of the modifier using one-third of the compute of the model being modified (or, if that compute threshold is not known, one-third of 10e23 FLOPs). In practice, companies’ fine-tuning or modification will rarely meet this threshold.

The GPAI Code of Practice – What Do Signatories Have To Do?

The GPAI Code is broken down into three chapters: 

  1. Transparency 
  2. Copyright
  3. Safety and Security

The GPAI Code is not mandatory, but adherence to it can be relied upon to demonstrate compliance with certain provisions of the AI Act. In addition, the GPAI Guidance makes clear that adherence to the GPAI Code will mean “increased trust from the Commission” and, conversely, that nonadherence will result in “a larger number of requests for information and requests for access.”

The GPAI Guidance also states that adherence to the GPAI Code is a relevant factor when setting fines.

Despite concerns about the breadth of earlier GPAI Code drafts, most prominent GPAI providers are listed on the Commission’s site as signatories to the GPAI Code.

1. Transparency

This section of the GPAI sets out obligations on GPAI model providers to supply information about their GPAI model to:

  • Users that integrate the GPAI model into other AI systems.
  • The Commission’s AI Office.

The information required to be provided is set out in a template provided by the Commission, and includes:

  • Model properties — architecture, input/output modalities, model size.
  • Distribution and license detailse.g., enterprise subscription.
  • Uses of the GPAI model — intended and acceptable use-cases.
  • Training — training process, types and quantities of data used, computational power and energy used for training.

The information requested in these fields is notably terse: The Commission’s recommended word limits are, in most cases, 200 or 300 words, suggesting that they expect brief and high-level summaries rather than detailed explanations.

2. Copyright

This chapter of the GPAI Code sets out obligations in relation to copyright and, in particular, obligations to:

  • Put in place and make publicly available a copyright policy to comply with EU law on copyright and related rights. In particular, the policy must identify the means to comply with, “including through state-of-the-art technologies,” any limitations imposed by rightsholders on data mining of their text and data.
  • Only scrape lawfully accessible content, and in particular (1) not deliberately circumvent technical protections (e.g., paywalls), and (2) not scrape websites known to “persistently and repeatedly” infringe copyright, such as websites used for piracy. (The Commission will make available a list of such websites.)
  • Comply with robots.txt and similar rights reservations when scraping website content.
  • Mitigate risks of copyright-infringing outputs through technical safeguards and obligations on users (e.g., end-user licence agreement terms).
  • Designate a point of contact for copyright-related complaints.

3. Safety and Security

This section, which is the most detailed of the three in the GPAI Code, sets out a broad range of requirements for providers of GPAI model that present “systemic risk.” These include:

  • Implementing a “state of the art safety and security framework” and defining responsibilities for, and assigning resources to, these risks.
  • Identifying, analysing and mitigating known and emerging risks throughout the model life cycle.
  • Establishing reporting processes to surface and address systemic safety issues.
  • Instituting cybersecurity measures for the GPAI model.

The GPAI Template – What Disclosures Are Required About Training Data

Separately, the Commission has also published the GPAI Template, which sets out information that GPAI model providers are required to publish about their GPAI models’ training data.

Unlike the GPAI Code, completing the GPAI Template is mandatory for all GPAI model providers, and all information must be made public (not just made available to downstream integrators of the GPAI model into other GPAI systems).

The GPAI Template requires information about:

  • General model information — quantity and types of data used, e.g., text vs. images.
  • List of data sources — identification of public or private datasets used to train a model, including any user data and web-scraped data.
  • Compliance — measures implemented to remove illegal content and respect copyrights.

Final Thoughts

Compliance programs for the AI Act have already required significant resources for GPAI providers. The additional clarity in the form of the finalized GPAI Code and GPAI Guidance is therefore welcome — though given how late in the day this clarity has been provided, GPAI providers are likely to already have existing compliance programs in place; those providers should now gap-assess and uplift those programs to reflect the new documentation.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP