Opinion

European Commission publishes first draft of GPAI Code of Practice

Published Date
Nov 28 2024

On November 14, 2024, the European Commission published the first draft of the General-Purpose AI Code of Practice (the Draft Code).

The Draft Code is designed to help providers of general-purpose AI models (GPAI) and providers of GPAI with systemic risk comply with the EU AI Act. The drafting process is facilitated by the AI Office, supported by four working groups of independent experts and consultations with a broad range of stakeholders. Additionally, on November 20, 2024, the European Commission released a set of Q&A related to the Draft Code. This draft outlines the guiding principles and objectives of the Code, providing stakeholders with greater insight into what to expect from the final version.

Key features of the Draft Code include:

  • Transparency – the Draft Code specifies the commitments of GPAI providers to draw up and keep up-to-date the technical documentation of the GPAI model. This documentation must be available upon request to the AI Office and downstream providers intending to integrate the GPAI model into their AI systems. The Draft Code includes a table detailing the information and documentation requirements, as well as an Acceptable Use Policy, and asks whether any further details should be included.
  • Compliance with copyright and related rights – the Draft Code specifies measures that GPAI providers must implement to adhere to EU copyright and other related rights. This includes policies for upstream and downstream copyright compliance, employing crawlers that follow the Robots Exclusion Protocol and other machine-readable means for rights reservations, excluding pirated sources from crawling activities, and committing to adequate transparency about data sources used for training, testing, validation, etc.
  • Systemic risk classifications – the Draft Code identifies a taxonomy of systemic risks and requires signatories to base their systemic risk assessment and mitigation on this taxonomy. Systemic risks include cyber offences; chemical, biological, radiological or nuclear risks; loss of control over powerful autonomous GPAI models; facilitation of large-scale persuasion, manipulation or disinformation; and large-scale discrimination. The Draft Code provides further clarification on the nature of systemic risks, their sources, and ways to assess various related aspects of a GPAI model. Open questions relate to possible risk prioritisation, any further relevant considerations and criteria for defining systemic risks.
  • Rules for GPAI providers with systemic risk – the Draft Code addresses compliance with additional obligations under the AI Act for providers with systemic risk. This includes incorporating a safety and security framework (SSF) for proactive assessment and proportionate mitigation of systemic risks from the GPAI model. It covers mapping potentially dangerous model capabilities, propensities and other sources of risk, and addresses systemic risk indicators and their severity. The Draft Code further proposes rules for evidence collection and the implementation of a continuous risk assessment lifecycle during established stages (e.g., before and during training, during deployment, and post-deployment monitoring).
  • Technical risk mitigation for providers of GPAI with systemic risk – the Draft Code outlines future standards for cybersecurity and information security applied to these GPAI models and how these standards would differ from existing cybersecurity standards in other domains. It also covers safety and security reporting and the requirement to develop procedures for deciding whether to proceed with the development of a GPAI model with systemic risk.
  • Governance risk mitigation for providers of GPAI with systemic risk – the Draft Code outlines key measures related to adequate ownership regarding systemic risk at all organisational levels, including the executive and board levels. Examples of the measures include: (a) allocating responsibility and resources at the executive level; (b) allocating oversight of systemic risks at the board level (e.g. by establishing a risk committee); (c) periodic assessment of the SSF; (d) independent expert assessments of systemic risks and the adequacy of mitigations (e.g. by the AI Office or third-party evaluators); (e) serious incident reporting procedures; (f) whistleblower protections, documentation and mandatory notifications to the AI Office; and (g) appropriate public transparency about systemic risks.

This initial draft is the first in a series of iterative drafts, with the final version expected in May 2025. Approximately 1,000 stakeholders are involved in the drafting of the Code. The stakeholders are requested to provide feedback on the first draft by November 28, 2024. The press release and Draft Code are available here and the Q&A is available here.
