Breaking Down the EU AI Act: What Are the Copyright Transparency Requirements?

Breaking Down the EU AI Act: What Are the Copyright Transparency Requirements?

The EU AI Act is the world's first comprehensive AI regulation — and its copyright transparency requirements are already reshaping how AI companies operate globally. Whether you build AI models, integrate them into products, or create content that could end up in training datasets, these rules affect you directly.

This guide breaks down exactly what the EU AI Act requires when it comes to copyright and transparency, who must comply, the enforcement timeline, and what happens if you don't.

What Is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is a sweeping piece of legislation that entered into force on August 1, 2024. It establishes a risk-based framework for regulating artificial intelligence across the European Union.

While much of the public discussion has focused on the Act's rules around high-risk AI systems — think facial recognition, credit scoring, and hiring algorithms — the provisions most relevant to the creative and publishing industries are buried in Articles 53 and 55, which deal specifically with general-purpose AI (GPAI) models like GPT-4, Claude, Gemini, and Midjourney.

These articles create, for the first time anywhere in the world, legally binding transparency obligations around how AI models use copyrighted content for training.

The Copyright Transparency Requirements Explained

The EU AI Act's copyright provisions rest on three pillars. Let's examine each one.

Pillar 1: Copyright Compliance Policy (Article 53(1)(c))

Every provider of a general-purpose AI model must put in place a policy to comply with EU copyright law. Specifically, they must:

• Identify and respect opt-out reservations made by rights holders under Article 4(3) of the DSM Directive (Directive (EU) 2019/790)
• Use "state-of-the-art technologies" to detect and honor these opt-outs
• Document their compliance approach

This is significant because the DSM Directive's text and data mining (TDM) exception — which allows AI training on copyrighted works — only applies when rights holders have not reserved their rights. The EU AI Act makes it an enforceable obligation for AI providers to actually check for and respect those reservations.

What this means in practice: If a publisher adds a robots.txt directive, an ai.txt file, or metadata indicating they opt out of AI training, GPAI providers must honor it. They can't simply scrape everything and sort it out later.

Pillar 2: Training Data Summary (Article 53(1)(d))

GPAI providers must draw up and make publicly available a sufficiently detailed summary of the content used to train their models. The AI Office provides a template for this summary.

This is the provision that has generated the most debate. Key questions include:

• How detailed is "sufficiently detailed"? The Act doesn't specify exact granularity. The AI Office's template will be critical in defining this.
• Must individual works be listed? Likely not — but broad categories, sources, and data provenance must be disclosed.
• What about trade secrets? The Act acknowledges intellectual property protections, but the summary must still be meaningful enough for rights holders to determine whether their content was used.

For creators and publishers, this is a game-changer. For the first time, AI companies will need to provide at least a general accounting of what went into their training data. This could enable rights holders to identify unauthorized use and pursue legal remedies.

Pillar 3: Technical Documentation (Article 53(1)(a) and Annex XI)

GPAI providers must maintain detailed technical documentation covering:

• The model's training and testing processes
• Evaluation results
• Data used for training, testing, and validation
• Type and provenance of training data
• Data curation methodologies

This documentation must be provided to the AI Office and national authorities upon request. While it's not publicly available (unlike the training data summary), it creates an accountability mechanism that regulators can use to verify copyright compliance.

Who Must Comply?

The obligations apply to providers of general-purpose AI models — meaning the companies that develop and release these models. This includes:

| Company Type | Examples | Must Comply? |

|---|---|---|

| Large GPAI providers | OpenAI, Google, Anthropic, Meta | Yes |

| Mid-size model developers | Mistral, Stability AI, Cohere | Yes |

| Open-source model providers | Meta (Llama), Mistral (open models) | Partially* |

| Companies deploying AI | Businesses using ChatGPT API | No (but downstream obligations apply) |

*Open-source models released under free licenses are exempt from some obligations (Article 53(2)), specifically the technical documentation and downstream provider information requirements. However, they are not exempt from the copyright compliance policy and training data summary requirements. And if an open-source model is classified as having systemic risk, all obligations apply in full.

Extraterritorial Reach

Like the GDPR, the EU AI Act applies to any company that places AI models on the EU market — regardless of where the company is headquartered. This means OpenAI (US), Anthropic (US), and other non-EU companies must comply if their models are available to EU users.

The Enforcement Timeline

The EU AI Act uses a phased enforcement approach:

• February 2, 2025: Prohibited AI practices banned
• August 2, 2025: GPAI model obligations (including copyright transparency) become enforceable
• August 2, 2026: Full enforcement of remaining provisions

As of May 2026, the GPAI copyright transparency requirements have been enforceable for nine months. The AI Office has been actively developing codes of practice and the training data summary template, with input from stakeholders including rights holder organizations.

Penalties for Non-Compliance

The stakes are high:

• Up to €15 million or 3% of global annual turnover (whichever is higher) for violations of GPAI obligations
• Up to €35 million or 7% of global turnover for violations involving prohibited practices

For a company like OpenAI or Google, 3% of global turnover could mean billions of euros in potential fines.

How the EU AI Act Connects to the DSM Directive

Understanding the copyright transparency requirements requires understanding the DSM Directive (Directive (EU) 2019/790), which the AI Act explicitly references.

The Text and Data Mining Exception

Articles 3 and 4 of the DSM Directive created two TDM exceptions:

1. Article 3: Research organizations and cultural heritage institutions can mine copyrighted works for scientific research purposes — no opt-out possible.

2. Article 4: Anyone can mine copyrighted works for any purpose — unless the rights holder has reserved their rights in a machine-readable way.

The EU AI Act's Article 53(1)(c) makes it mandatory for GPAI providers to use "state-of-the-art technologies" to identify and comply with Article 4(3) opt-outs. This creates a direct legal link between:

• A publisher's robots.txt or metadata opt-out →
• The AI provider's obligation to detect and honor it →
• The AI Office's power to verify compliance

What Counts as a Valid Opt-Out?

The DSM Directive requires opt-outs to be expressed in a "machine-readable" way. Common methods include:

• robots.txt directives (e.g., User-agent: GPTBot / Disallow: /)
• TDM Reservation Protocol headers
• ai.txt files (emerging standard)
• Metadata tags in HTML or content files
• Contractual terms (though machine-readability is debated)

For a practical guide on implementing these protections, see our article on how to protect your content from AI scraping.

What This Means for Different Stakeholders

For Content Creators and Publishers

The EU AI Act gives you real leverage for the first time:

• Your opt-outs must be respected — it's no longer optional for AI companies
• Training data summaries will help you identify if your content was used
• Regulatory enforcement provides a path beyond expensive private litigation
• Action step: Implement machine-readable opt-outs now if you haven't already. Use our robots.txt AI blocker tool to generate the right directives.

For AI Companies

Compliance requires concrete action:

• Audit your training data pipeline — can you demonstrate you checked for opt-outs?
• Implement opt-out detection using state-of-the-art technologies
• Prepare your training data summary using the AI Office template
• Maintain technical documentation that regulators can review
• Consider licensing — proactive licensing agreements may reduce legal risk

For Businesses Using AI Tools

While the direct obligations fall on GPAI providers, businesses that deploy AI should:

• Verify your AI vendor's compliance — ask for their training data summary
• Review downstream documentation required under Annex XII
• Understand your own obligations under the broader AI Act framework
• Build AI copyright compliance into your policies — see our compliance guide for businesses

How the EU Approach Compares Globally

The EU's copyright transparency requirements are the most detailed in the world, but other jurisdictions are moving in similar directions:

United States

The US has no equivalent legislation yet. The US Copyright Office has published reports on AI and copyright (Parts 1-3), and several bills have been introduced in Congress, but none have passed. The legal landscape is being shaped primarily through litigation — including major cases against OpenAI, Anthropic, and others.

United Kingdom

The UK initially proposed a broad TDM exception without opt-out rights, but reversed course after creator backlash. The current approach favors a voluntary code of practice between AI companies and rights holders, though legislation may follow.

Japan

Japan's broad TDM exception (Article 30-4 of the Copyright Act) allows AI training without permission, with limited exceptions. There is no transparency requirement comparable to the EU AI Act.

China

China's Interim Measures for Generative AI require providers to use "legitimate" training data and respect intellectual property, but enforcement mechanisms are less developed than the EU's approach.

Codes of Practice: The Compliance Roadmap

Article 56 of the EU AI Act empowers the AI Office to develop codes of practice that GPAI providers can follow to demonstrate compliance. These codes are particularly important for copyright because they will define:

• What constitutes "state-of-the-art technologies" for detecting opt-outs
• The level of detail required in training data summaries
• Best practices for copyright compliance policies
• How to handle edge cases (e.g., content that was freely available when scraped but later opted out)

The AI Office has been developing these codes through a multi-stakeholder process involving AI companies, rights holder organizations, civil society groups, and member state authorities. Until harmonized standards are published, compliance with an approved code of practice creates a presumption of conformity — meaning regulators will assume you're compliant unless evidence suggests otherwise.

Practical Compliance Checklist

If you're a GPAI provider, here's what you should be doing now:

1. Copyright compliance policy: Document your approach to identifying and respecting opt-outs

2. Opt-out detection system: Implement automated checking of robots.txt, ai.txt, TDM headers, and metadata

3. Training data inventory: Catalog your training data sources with provenance information

4. Public summary: Prepare your training data summary using the AI Office template

5. Technical documentation: Maintain detailed records per Annex XI requirements

6. Downstream documentation: Provide Annex XII information to companies integrating your model

7. Monitoring system: Continuously check for new opt-outs from rights holders

8. Legal review: Have legal counsel review your compliance framework

Key Takeaways

• The EU AI Act creates the world's first legally binding copyright transparency requirements for AI model providers
• GPAI providers must implement copyright compliance policies, publish training data summaries, and maintain technical documentation
• These obligations have been enforceable since August 2025 with penalties up to €15 million or 3% of global turnover
• The rules apply to any company offering GPAI models in the EU, regardless of where they're based
• Content creators should implement machine-readable opt-outs to take advantage of these protections
• Codes of practice from the AI Office will define the practical compliance standards
• The EU approach is the most comprehensive globally, but the US, UK, and others are developing their own frameworks

What to Watch Next

The copyright transparency landscape is evolving rapidly. Key developments to monitor include:

• AI Office codes of practice — the final versions will set the practical compliance bar
• First enforcement actions — how aggressively will regulators pursue non-compliance?
• Training data summary publications — what will major AI companies actually disclose?
• Ongoing litigation — EU courts may interpret these provisions in ways that expand or narrow their scope

Stay updated on these developments through our AI copyright lawsuit tracker and laws hub.

---

Disclaimer: This article is for informational purposes only and does not constitute legal advice. AI copyright law is rapidly evolving, and you should consult a qualified attorney for advice on your specific situation. This content was produced by AI Copyright Legal with AI assistance and human editorial review.