- Der dritte Entwurf des Code of Practice unterstützt GPAIM-Anbieter bei der Einhaltung des AI Act; rechtlich nicht bindend, aber konformitätsfördernd.
- GPAIM sind grosse, allgemein nutzbare Modelle; Anbieter müssen technische Dokumentation, Trainingsdaten‑Zusammenfassungen und Urheberrechtsstrategien bereitstellen.
- GPAISR sind GPAIM mit systemischen Risiken; sie unterliegen Meldepflichten, standardisierten Bewertungen und erweiterten Risikominderungs‑Pflichten.
- Der Entwurf definiert 18 Verpflichtungen (2 für alle GPAIM, 16 für GPAISR) in Transparenz, Urheberrecht sowie Safety and Security mit detaillierten Maßnahmen.
The EU Commission has published the third draft of a Code of Practice for general-purpose AI models:
- Communication with the Draft of the Code of Practice
- Code of Practice (consolidated PDF)
- Minisite with a preparation of the design
GPAIM are AI models with general usability, which is assumed if a model has at least one billion parameters and has been “trained under comprehensive self-monitoring” with a large amount of data. A GPAIM is not an AI system (AIS), nor is it an AIS with a general purpose – a GPAIM only becomes an AIS when additional components are added. The obligations of GPAIM providers are governed by the AI Act (AIA) in a separate chapter. Providers must, among other things technical documentation create the Providers of downstream AIS provide further information about the GPAIM via a Strategy for compliance with EU copyright law have a summary of the Training data and, if necessary, appoint an authorized representative.
GPAISR are GPAIM with systemic risks, i.e. risks that have a significant impact “on public health, safety, public security, fundamental rights or society as a whole” due to the “reach” of the GPAIM or potential negative consequences and can spread throughout the value chain. GPAISR must be notified to the Commission and its providers have additional obligations – they must assess the GPAIM in a standardized way, assess and mitigate systemic risks at EU level, document information on serious incidents and possible remedial measures and, if necessary, inform the AI Office and the competent national authorities, and ensure sufficient cybersecurity.
See our FAQ on the AI Act.
Against this background, the Code of Practice a guide to help GPAIM providers comply with the AEOI (Art. 56 AEOI) – to bridge the gap between the obligations of providers, which will apply from August 2025, and the introduction of standards, expected from August 2027. It is not legally binding, but compliance with it creates a presumption of conformity with the GPAI model provider obligations (Recital 117: “Providers should be able to rely on codes of practice to demonstrate compliance with the obligations”). See here for more information on the Code of Practice.
The third draft is likely to be largely mature, but will probably undergo a few more adjustments until its final adoption in May 2025 as a result of the feedback phase, which runs until March 30, and workshops.
The draft provides for 18 Obligations two for all GPAI providers and a further 16 for GPAISR providers. These obligations are divided into three main areas:
| Who is affected | Commitment | Measure |
|---|---|---|
| Transparency | ||
| all GPAIM | Documentation (I.1) | Measure I.1.1: Create and maintain up-to-date model documentation to meet the requirements of Article 53(1)(a) and (b) of the AI Act. Measure I.1.2: Provide information to downstream providers and the AI Office on request to enable the integration of the models into AI systems and to support the supervisory tasks of the national competent authorities. Measure I.1.3: Ensure the quality, security and integrity of the documented information to ensure the trustworthiness of the models. AmendmentIntroduction of a user-friendly model documentation form to simplify documentation. |
| Copyright | ||
| all GPAIM | Copyright Directive (I.2) | Measure I.2.1: Draw up and implement an up-to-date copyright directive to ensure compliance with EU legislation on copyright and related rights. Measure I.2.2: Identification of and compliance with rights reserved under Article 4(3) of Directive (EU) 2019/790. Measure I.2.3: Implementation of technologies for recognizing and complying with copyrights. Measure I.2.4: Creation of processes for handling copyright infringements. Measure I.2.5: Documentation of compliance with copyrights. Measure I.2.6: Regularly review and update the Copyright Directive. AmendmentStricter requirements for the identification of and compliance with copyrights. |
| Safety and Security | ||
| GPAISR | Risk identification and analysis (II.1) | Measures for the continuous identification of systemic risks using the CoP’s risk taxonomy. Analysis of the probability and severity of risks and categorization into risk levels. AmendmentMore detailed risk taxonomy and analysis in the third draft. |
| GPAISR | Collection of evidence and model evaluation (II.2) | Measures to collect evidence of systemic risk and assess the capabilities and limitations of AI models in accordance with the CoP rules. Amendment: Stricter requirements for evidence collection and model evaluation. |
| GPAISR | Risk assessment cycle (II.3) | Measures for continuous risk assessment during the entire life cycle of the model. AmendmentEmphasis on continuous monitoring. |
| GPAISR | Risk reduction (II.4) | Measures for assigning each risk level to appropriate safety and security measures. Amendment: More detailed risk mitigation measures. |
| GPAISR | Safety and Security Reports (SSR) (II.5) | Measures to create and regularly update safety and security reports to document risk and mitigation assessments. AmendmentRegular updating of the reports. |
| GPAISR | Risk governance (II.6) | Measures to allocate responsibility and resources for systemic risks at executive and board level. AmendmentStronger emphasis on governance. |
| GPAISR | Security measures to prevent unauthorized access (II.7) | Measures to implement security measures that at least meet the RAND SL3 security target. Amendment: Concrete safety targets defined. |
| GPAISR | Safety and security reports (II.8) | Measures for the preparation of safety and security reports containing the results of systemic risk assessment and mitigation. Amendment: More detailed reports. |
| GPAISR | Systemic risk reduction by design (II.9) | Measures to implement design principles to minimize systemic risks. AmendmentEmphasis on fairness and transparency. |
| GPAISR | Continuous monitoring and updating (II.10) | Measures for continuous monitoring and regular updating of the models. AmendmentStronger emphasis on continuous monitoring. |
| GPAISR | Cooperation with external partners (II.11) | Measures for cooperation with external partners to identify and mitigate systemic risks. AmendmentIncreased importance of cooperation. |
| GPAISR | Serious Incident Reporting (II.12) | Measures for monitoring, documenting and reporting serious incidents. AmendmentMore precise reporting mechanisms. |
| GPAISR | Non-retaliation protection (II.13) | Measures to protect employees who report risks. Amendment: Greater emphasis on protection. |
| GPAISR | Notifications (II.14) | Measures to regularly inform the AI Office about the implementation of the obligations. AmendmentRegular reporting. |
| GPAISR | Documentation (II.15) | Measures to document relevant information in accordance with the AI Act. AmendmentMore detailed documentation requirements. |
| GPAISR | Public transparency (II.16) | Measures to publish information on public transparency regarding systemic risks. AmendmentIncreased transparency. |