The EU’s AI Code of Practice: A Step Forward, or a Missed Opportunity?
The European Commission has unveiled its voluntary Code of Practice for general-purpose AI (GPAI) models - an interim framework designed to guide compliance with the forthcoming EU AI Act. On paper, it promises greater transparency, copyright safeguards and risk management. Yet, as with all voluntary initiatives, its impact will depend on adoption, enforcement and trust.
Is this Code a landmark in global AI governance or simply a halfway measure that risks leaving too many questions unanswered?
The Promise: Why the Code Matters
1. A Head Start on Compliance
The AI Act - the world’s first comprehensive AI regulation - won’t be fully enforceable until August 2026. The Code bridges that gap giving companies a structured way to demonstrate alignment now. For signatories, it offers reduced administrative burden and legal clarity, which can be invaluable in an evolving regulatory landscape.
2. Transparency by Design
Model providers will need to disclose critical information about training data, licensing, energy consumption and usage policies. This kind of documentation, if implemented properly, could help demystify how AI systems are built and build much-needed public confidence.
3. Copyright and Fair Use
The Code explicitly addresses scraping practices and copyrighted outputs. In an industry where lawsuits against AI providers are mounting, these provisions set a precedent for respecting intellectual property and protecting creative industries.
4. Safety Nets for Systemic Risk
For large, general-purpose models, the Code requires risk assessments, incident reporting and cybersecurity protocols. While not as binding as the AI Act itself, these measures provide an early framework for mitigating potential harms before models are deployed at scale.
The Limitations: Where Concerns Remain
1. Voluntary by Nature
The Code’s greatest weakness is also its defining feature: compliance is optional. Companies that opt out avoid the additional scrutiny yet still benefit commercially from deploying AI across the EU. This could create a two-tier system, where responsible firms bear extra costs while others gamble on enforcement delays.
2. Uneven Industry Buy-In
Already, reactions are split. Google has agreed to sign the Code, while Meta has refused, citing legal uncertainties. If leading AI providers fail to align, the Code risks losing credibility as a global benchmark. Without broad adoption, its power to shape standards is limited.
3. Administrative Burden
For smaller firms and startups, even voluntary compliance may prove onerous. Documenting data sources, auditing copyright risks and conducting bias assessments require resources that smaller innovators may struggle to provide. Ironically, this could strengthen the position of large incumbents - the very opposite of what Europe intends.
4. Risk of Regulatory Fragmentation
The EU positions itself as a global leader in AI governance, but without alignment from the U.S., China, or other regions, companies may face competing codes and overlapping requirements. Instead of harmonisation, we may end up with fragmented global AI governance, complicating compliance and undermining clarity.
What the EU (and Industry) Must Do Next
If the Code is to succeed, three things are vital:
• Wider Participation: The Commission must incentivise more companies to sign, whether through legal certainty, reputational benefits or clearer pathways to full compliance with the AI Act.
• Practical Guidance: Documentation and transparency requirements should be simplified for smaller players ensuring that innovation is not stifled by bureaucracy.
• Global Engagement: The EU should work with other jurisdictions to align codes of practice, or at least to ensure interoperability. Otherwise, firms may prioritise jurisdictions with lighter or more consistent requirements.
A Useful Bridge, but Not the Destination
The EU’s new Code of Practice should not be dismissed; it offers a pragmatic way to start embedding principles of transparency, fairness and safety before the AI Act comes into full force. However, voluntary codes cannot substitute for robust, enforceable regulation.
In the end, the Code’s greatest value may not be in the rules themselves, but in what they signal: that the era of unchecked AI deployment in Europe is ending. Standards are rising, and those who fail to prepare will soon find themselves left behind.
The real test will come in two years, when the AI Act moves from principle to practice. Until then, this Code is both an opportunity and a warning.





