Procurement under the EU AI Act: model clauses to embed the GPAI code in contracts


The EU has published a Code of Practice for general-purpose AI (GPAI) that helps providers demonstrably comply with transparency, copyright and safety requirements. Formally, this code is voluntary, but substantively it forms the practical translation of obligations from the AI Act, particularly for transparency (art. 53) and, for a limited group of highly advanced models, safety and security for systemic risk (art. 55). When procuring, you want to anchor these expectations: not leave them to the supplier, but establish them as contractual requirements.

Practical impact: From August 2, 2025, GPAI obligations apply to new models. As a procurer, you want suppliers to deliver at minimum what the code and accompanying documents reasonably presume.

Why procurement is decisive now

From August 2, 2025, GPAI obligations apply to new models. The Commission has published the code with three chapters: transparency, copyright, safety & security. In parallel, the template for the "Public Summary of Training Content" appeared that model providers must use for their public summary of training content.

All this directly impacts procurement conditions: you want suppliers to deliver at minimum what the code and accompanying documents reasonably presume.

Brief framework: what to regulate contractually

The main line is simple: establish in the contract which parts of the code and guidance the supplier demonstrably follows, how you can verify this, and what happens if that fails. You fill in the details per topic.

1. Definitions, scope and warranties

Start with clear definitions of GPAI model, provider, downstream integrator and release. Have the supplier declare whether they are a signatory of the GPAI code or, if they do not sign, that they apply functionally equivalent measures.

Connect this to a warranty that what is delivered complies with applicable AI Act obligations for GPAI and, where applicable, the additional duties for models with systemic risk. This prevents discussions about "voluntary" versus "mandatory".

Clause example (extract)

Supplier warrants that the Model and associated documentation are in line with the EU AI Act, including obligations for general-purpose AI models as referred to in Article 53 and, where applicable, Article 55. If Supplier is not a signatory to the GPAI Code of Practice, it applies measures that provide equivalent safeguards as described in the Transparency, Copyright and Safety & Security chapters of that code.

2. Transparency and model documentation

The transparency chapter of the code contains a Model Documentation Form. Establish contractually that the supplier completes this form, delivers it as an appendix and updates it with each release.

For you as a customer, this is the basis for due diligence, risk assessments and technical integration decisions. Link this to a delivery moment (e.g., before production use) and an update term (e.g., within 15 days of new release).

Clause example (extract)

Supplier provides at the start and with each release a completely filled-in Model Documentation Form in accordance with the Transparency chapter of the GPAI code. This document forms a contractual appendix and is deemed part of the Specifications.

3. Training content summary (public summary)

For GPAI providers, the public summary of training content is mandatory, to be published in the template provided by the Commission. Don't just ask for a link, but establish that the content is complete and current and that the supplier informs you when the summary is updated.

For models that were on the market before August 2, 2025, the transition period runs until August 2, 2027; include in your contract how the supplier ensures transparency during this period.

Clause example (extract)

Supplier publishes and maintains the Public Summary of Training Content in accordance with the template provided by the European Commission and shares the link and modification date with Customer. In the absence thereof, Supplier provides the data requested in the template directly to Customer upon first request.

4. Copyright and TDM opt-outs

The copyright chapter of the code asks for concrete safeguards: respecting text and data mining opt-outs, procedures for removing unlawful content, and clear documentation about data use.

Translate this into operational requirements (policy, processes) and evidence (reports, logs). Also anchor an indemnification for claims arising from non-compliance with these agreements, with a reasonable carve-out for data provided by the customer.

Copyright compliance: Violations that lead to claims from rights holders are handled by Supplier, without prejudice to Customer's right to damages.

5. Safety, security and systemic risk

All GPAI providers must be transparent; the safety and security obligations in the code are particularly relevant for providers with systemic risk.

Establish that suppliers, when they fall or could fall into that category, perform periodic evaluations, red-teaming, adversarial testing and risk reduction, and that they report serious incidents to the AI Office and national authorities. Make this a contractual reporting obligation towards you as well, specifying content, term and contact channel.

Clause example (extract)

In case of a serious incident as referred to in Article 55 of the AI Act, Supplier reports this immediately to Customer and provides within 72 hours a report describing the nature of the incident, its impact, the measures taken and the follow-up actions.

6. Change management and version pinning

Models change rapidly. Describe major and minor releases, enable version pinning and link reassessment to material changes. Request release notes that connect to the Model Documentation Form and the public training summary. This prevents an unchanged API from unexpectedly running on a fundamentally different model.

7. Supply chain and subcontractors

Many providers build on other models or infrastructure. Require an overview of dependencies (base model, hosting, critical tooling), plus flow-down of agreements from your contract to subcontractors, including notification obligation for changes. This aligns with the supply chain perspective in the safety chapter of the code.

8. Assurance, audit and evidence

Without evidence, compliance remains a promise. Therefore establish assurance moments: for example annual self-attestations against the code chapters, an independent audit report or a conformity assessment as soon as relevant harmonized standards become available.

Use recognized references today and migrate later to AI-specific EN standards as soon as they appear in the Official Journal and can provide presumption of conformity.

Assurance strategy

Supplier provides annually an assurance report that includes at minimum the controls from the Transparency, Copyright and, where applicable, Safety & Security chapters of the GPAI code. As soon as relevant harmonized standards for the AI Act become available, audits show demonstrable coverage thereof.

9. Liability, remedies and price incentives

Agree on what happens if documentation is missing, the public summary is incorrect or incidents are reported too late. Think of remediation terms, service credits or the right to charge costs for additional assessments.

For fines and supervisory measures, full transfer is often not realistic; choose shared risks: the supplier bears what lies on their side (e.g., non-compliance with TDM opt-outs), the customer bears what stems from their own use outside specifications.

10. Downstream obligations of the customer

Using a GPAI provider does not remove all of your own obligations. As a customer you retain your own responsibilities, especially if you deploy the model in a context that later qualifies as high risk.

Therefore integrate in the contract a responsibility matrix: what does the supplier deliver, what do you do yourself (such as human intervention, logging, user information) and when must you reassess. The transparency artifacts from the code make this feasible.

What a minimal contract set looks like

A workable set consists of:

  1. Main agreement with definitions, warranties, incident reporting, change management and liability
  2. Appendix A: Model Documentation Form (living document)
  3. Appendix B: Link and version of the Public Summary of Training Content, plus fallback information if publication is not yet available
  4. Appendix C: Assurance and audit plan with timeline towards harmonized standards

Two brief scenarios

Public sector procures a generative API

The contracting authority requires the Model Documentation Form before production start, version pinning on model 3.x and a procedure for serious incidents with 72-hour reporting. The provider is not yet a signatory but commits to equivalent measures from the code. The Public Summary is already published and is updated semi-annually.

This gives the authority sufficient basis to feed their own FRIA/DPIA and draft user information.

Scale-up purchases an embedded model from an ISV

The ISV integrates a third-party base model. In the contract, supply chain agreements are flowed down: if the ISV switches base models, a reassessment and an update of the Model Documentation Form follow. Assurance happens via an annual audit against the code chapters, later migrating to harmonized standards.

Practical implementation in the procurement cycle

Start with a vendor questionnaire that mirrors the Model Documentation Form and Public Summary. Ask for evidence with the answers, not marketing texts. In your assessment rubric, put weight on transparency artifacts, copyright processes and incident response.

Then make a contract matrix: which passage from the code corresponds to which clause and which evidence. Finally plan a release rhythm: with each new release you check the updated documentation and determine if reassessment is needed.

This takes time in the first round but delivers predictability in subsequent releases.

What you can do tomorrow

  1. Inventory with existing suppliers whether they follow the GPAI code and where their public summary stands
  2. Request the Model Documentation Form and attach it as a contract appendix
  3. Add in ongoing contracts an addendum with transparency, copyright, incident reporting and assurance
  4. Set up an audit path: now attestations on the code, later audits against EN standards as soon as they appear in the Official Journal

End result: With this approach you create procurement agreements that align with the letter and spirit of the EU AI Act and are directly executable. The GPAI code, the training summary template and the guidelines provide the building blocks; your contracts ensure that suppliers actually deliver those building blocks, on time and verifiably.
