15 July 2025

Final AI Code of Practice Published

The European Commission has published the final version of the AI Code of Practice, a voluntary tool to help AI providers meet obligations under the Artificial Intelligence Act. Among them is the obligation for AI providers to ‘put in place a policy to comply with EU copyright law’ (Article 53(1c)). It is a particularly important point for the cultural sector, given how much cultural content has been used to train AI without permission or compensation.

The Code was co-drafted by independent experts and shaped through consultations with over 1400 stakeholders, including Culture Action Europe. We participated in the Copyright Working Group that contributed input and critical feedback to earlier drafts of the Code (you can read our reports on the first, second, third drafts and the final plenary).

The final version is structured around three chapters: Transparency, Copyright, and Safety & Security. General-purpose AI providers operating in the EU are strongly encouraged to sign the Code. While not mandatory, signing demonstrates compliance with the AI Act and reduces administrative burden. Refusing to sign may lead to increased regulatory scrutiny.

What are AI providers actually committing to when they sign (the Copyright Chapter)?

Measure 1.1 – Copyright policy

Signatories commit to developing, keeping up-to-date, and implementing a copyright policy incorporating the measures from the Copyright chapter. They must assign responsibilities within their organisation for policy implementation and oversight.

Signatories are only encouraged to publish and regularly update a summary of the policy.

Measure 1.2 – Lawful data use

Signatories commit to using only lawfully accessible, copyright-protected content when scraping data for AI training. They must not bypass paywalls, subscription models, or access pirated content.

Several caveats here: piracy websites are defined as those infringing copyright ‘on a commercial scale’ (as if the non-commercial character makes piracy acceptable). Also, the Code promises the Commission will make publicly available ‘a dynamic list of hyperlinks to lists of these websites’ (but will that mean only websites that make it onto the list will be considered piracy?).

Measure 1.3 – Respecting opt-outs

Signatories commit to respecting rights reservations expressed via machine-readable opt-outs when crawling the internet for training data.

Specifically, they commit to using crawlers that respect the robots.txt protocol and any future version of this protocol (this addition appeared after criticism that robots.txt is outdated and insufficient as an opt-out mechanism).

They also commit to recognising alternative machine-readable opt-outs (e.g., asset-based or location-based metadata), if these tools are either:
– officially adopted by EU/international standardisation bodies, or
– widely used, state-of-the-art, and endorsed through EU-level discussions.

This measure doesn’t limit the rightsholders’ ability to opt out by other appropriate machine-readable means.

Signatories must also publish information about their crawlers, their robots.txt features and other measures they adopt to handle opt-outs. They must also allow affected rightsholders to be automatically notified when such information is updated.

Finally, signatories are encouraged to ensure that opt-outs do not negatively impact the discoverability of content in their search engines.

Measure 1.4 – Preventing copyright infringement by AI output

Whether using models directly as part of their own AI systems or providing them to third parties, signatories commit to preventing those models from generating copyright-infringing content. They also must include a clear ban on copyright-infringing uses in their acceptable use policies.

Measure 1.5 – Complaint mechanism

Signatories commit to designating an electronic point of contact for rightsholders to submit copyright-related complaints. Complaints must be ‘sufficiently precise and adequately substantiated.’

Signatories commit to handling complaints ‘in a diligent, non-arbitrary manner and within a reasonable time’, unless a complaint is manifestly unfounded or the signatory has already responded to an identical complaint by the same rightsholder.

As compared to the earlier versions, the final Code brings notable gains for rightsholders. Almost all relevant measures (except for the ones concerning the publication of copyright policy and content discoverability) have been upgraded from ‘best’ or ‘reasonable’ efforts to commitments. Hopefully, it will bring about stronger accountability for AI providers.

That said, some elements still leave room for improvement. For example, the provision on complying with alternative machine-readable opt-outs includes a conditional clause: such tools must either be standardised or broadly agreed upon in future EU-level discussions. Similarly, the definition of piracy websites hinges on a ‘commercial scale’ qualifier and the publication of a dynamic list of such websites, raising questions about whether only listed sites will be treated as piracy.

What’s next? In the coming weeks, Member States and the European Commission will assess the Code’s adequacy. Meanwhile, the Commission will release additional guidelines later this July to clarify the scope of the Code, namely what constitutes a general-purpose AI model, when a model qualifies as having systemic risk, and who is considered the provider of such a model.

After 2 August 2025, new AI models deployed on the EU market must comply with the obligations under the AI Act. During the first year, the AI Office plans to apply a grace period for signatories. It will work closely with them, and if full implementation isn’t immediate, these providers won’t be penalised as long as they act in good faith and cooperate toward compliance. From 2 August 2026, the Commission will begin full enforcement, including the possibility of fines. Models already on the market before 2 August 2025 will need to comply with the AI Act by 2 August 2027.

At the same time, the Code remains a non-legally binding document. Culture Action Europe urges close and cautious monitoring of how it is implemented in practice. As the preamble to the Copyright chapter states, ‘adherence to the Code does not constitute compliance with Union law on copyright and related rights.’ It is up to national courts and the Court of Justice of the European Union to interpret and enforce copyright law. If signatories are suspected of copyright infringement, rightsholders must still turn to the courts for recourse.

We are also watching with concern the emerging discussion around selective adherence to the Code where signatories commit only to certain chapters. At the time of writing, both Mistral and OpenAI have announced their intention to sign the Code of Practice.

Culture Action Europe stresses the need for the cultural sector’s interests to be considered across all AI-related policymaking. The principles of authorisation, remuneration, and transparency must be upheld not only in the implementation of this Code, but also in broader files including the AI Strategy for Cultural and Creative Industries, the AI Continent Action Plan and AI Factories, and any potential revision of the Copyright Directive.

Knowledge

On Digital Ethics for Cultural Organisations – ENCC Toolkit

Events

Action Group on Digital & AI

News

With days before budget draft, CAE again calls on Ursula von der Leyen

Advocacy

Culture Action Europe opposes 3rd draft of the EU General-Purpose AI Code of Practice

[ Digital Transformation ]

Cookie	Duration	Description
connect.sid	1 day	This cookie is used for authentication and for secure log-in. It registers the log-in information.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
COMPASS	1 hour	No description
foo	never	No description available.
loglevel	never	No description available.

Cookie	Duration	Description
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_TTP6ES223J	2 years	This cookie is installed by Google Analytics.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
S	1 hour	Used by Yahoo to provide ads, content or analytics.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.

Related