EU closes AI Act consultation

Europe just finished the part of the European Union Artificial Intelligence Act where companies could still argue over what the words mean. On 22 May 2025, the European Commission closed a targeted consultation on rules for general-purpose artificial intelligence models, the kind of models that sit underneath chatbots, coding tools, and image generators. (digital-strategy.ec.europa.eu) That consultation was not about whether Europe should regulate artificial intelligence at all. It was about who counts as a provider, what counts as putting a model on the market, and how the European Union Artificial Intelligence Office plans to interpret the law when it starts checking real products. (digital-strategy.ec.europa.eu) The European Union Artificial Intelligence Act itself was already on the books as Regulation (EU) 2024/1689. It is the bloc’s main artificial intelligence law, and it uses a risk-based system that bans a small set of uses outright and puts heavier duties on higher-risk systems. (digital-strategy.ec.europa.eu) General-purpose artificial intelligence models got their own track because they are foundation models for many other products. The Commission says these models are the base layer for many different artificial intelligence systems, so one compliance decision at the model level can ripple into dozens of downstream apps. (digital-strategy.ec.europa.eu) The first big deadline already arrived on 2 August 2025. From that date, providers of general-purpose artificial intelligence models in the European Union had to meet duties such as drawing up technical documentation, putting in place a copyright policy, and publishing a public summary of the training content used for the model. (digital-strategy.ec.europa.eu) The most advanced models face a second layer of rules. If a model is treated as posing systemic risk, the provider may have to notify the Commission and handle risk assessment, incident reporting, and cybersecurity protections, which is much closer to a safety regime than a simple disclosure regime. (digital-strategy.ec.europa.eu) The consultation fed into guidance and a code of practice that turned those broad duties into checklists. The Commission said the guidelines would explain core concepts, while signing the code of practice could reduce administrative burden and serve as a benchmark for compliance. (digital-strategy.ec.europa.eu) That code of practice was delivered to the Commission on 10 July 2025 after input from more than 1,000 stakeholders and work by 13 independent experts. It has three chapters, with Transparency and Copyright for all general-purpose model providers and Safety and Security for the small group building the most advanced models. (digital-strategy.ec.europa.eu) The code is voluntary, but “voluntary” here does not mean irrelevant. The Commission says companies that sign it can use it to demonstrate compliance with the Artificial Intelligence Act and get more legal certainty than firms trying to prove compliance from scratch. (digital-strategy.ec.europa.eu) The practical shift is that Europe is no longer talking about artificial intelligence in slogans like “safe” or “trustworthy.” It is now asking for documents, summaries, notices, risk processes, and security controls, and those are the kinds of things lawyers, auditors, and regulators can actually inspect. (digital-strategy.ec.europa.eu) For model makers, the hard question is no longer whether the European Union will operationalise the law. The hard question is whether their training records, copyright workflows, incident systems, and model-risk reviews are good enough before enforcement tightens for new models one year after the rules started applying and for existing models two years after that. (digital-strategy.ec.europa.eu)