EU AI Office publishes draft General-Purpose AI Code of Practice

The EU AI Office has published the first draft of its General-Purpose AI (“GPAI”) Code of Practice.

At the outset, the Draft Code makes clear that it is in the early stages of its development and therefore “light in detail” and “high-level”. Nevertheless, it provides important insights as to the structure of, and the principles that will inform, the Code in its final form. In particular, the Draft Code sets out six “high level principles” that will be followed as it is developed and drafted, and that will inform ‘Measures’, ‘Sub-Measures’ and ‘KPIs’ within it:

  1. Alignment with EU Principles and Values;
  2. Alignment with AI Act and International Approaches;
  3. Proportionality to Risks;
  4. Future-Proof;
  5. Proportionality to the size of the general-purpose AI model provider;
  6. Support and growth of the AI safety ecosystem.

The objectives of the Draft Code are also set out, namely to: (1) assist providers of GPAI models in understanding how they can effectively comply with their obligations under the EU AI Act, (2) ensure a good understanding of GPAI along the AI value chain, (3) ensure that providers of GPAI models comply with Union law on copyright, and (4) assist providers of GPAI models with systemic risks so that they can effectively – and continuously – assess and mitigate such systemic risks.

The first sections of the Draft Code deal with rules for providers of GPAI models, particularly in relation to transparency and copyright. As for the former, it sets out the type of documentation GPAI providers will need to make available both to downstream providers and to the AI Office and national competent authorities.

As for matters relating to copyright, the Draft Code stipulates how GPAI providers will be expected to satisfy their requirement to have a policy which commits to comply with Union law on copyright and related rights (as required under Article 53(1)(c) of the EU AI Act). It makes clear, for example, that any policy shall cover the entire lifecycle of the GPAI model, and that providers will both (a) “undertake a reasonable copyright due diligence before entering into a contract with a third party about the use of data sets for the development of a general-purpose AI model” and (b) “implement reasonable downstream copyright measures to mitigate the risk that a downstream system or application, into which a general-purpose AI model is integrated, generates copyright infringing output.” The Draft Code also sets out measures that GPAI providers will be expected to implement both in order to comply with the limits of the TDM exception and also to satisfy the requirement under the EU AI Act to demonstrate “adequate transparency about the measures they adopt to comply with Union law on copyright and related rights”.

The Draft Code proceeds to tackle the matter of so-called ‘systemic risks’, detailing a taxonomy of systemic risks (including their type, nature, and sources) which GPAI providers will be expected to draw from as a basis for their systemic risk assessments and mitigation measures.

In terms of the rules that will apply to providers of GPAI models with systemic risk, the Draft Code explains that they will be expected to adopt, implement, and make available a ‘Safety and Security Framework’, which “shall detail the risk management policies they adhere to in order to proactively assess and proportionately mitigate systemic risks from their general-purpose AI models with systemic risks”. This will involve, for example, “continuously and thoroughly” identifying the systemic risks that may stem from their GPAI model, and engaging in a “continuous process of Evidence Collection” on the specific risks presented by their models.

Finally, the Draft Code addresses “technical risk mitigation” and “governance risk mitigation” for providers of GPAI models with systemic risk. Providers will have to create a ‘Safety and Security Report’ for any model with systemic risk that they develop. Similarly, they will, among other things, be expected to “allocate responsibility and resources at the executive level” for addressing systemic risks, enable independent risk and mitigation assessments, and implement whistleblowing channels and “appropriate whistleblowing protections”.

Last week, the Draft Code was considered by the Chairs and Vice-Chairs of various working groups, together with nearly 1000 stakeholders, EU Member State representatives and observers. Work will continue to further develop and refine the Code of Practice before it is finalised and ultimately comes into force on 1 May 2025.
