Written by Kieran Harte

On November 14, 2024, the European AI Office unveiled the initial draft of its General-Purpose AI Code of Practice, representing a significant milestone in AI governance. This draft is a key element of the EU’s strategy to establish a comprehensive framework for artificial intelligence, offering guidance to providers on compliance, accountability, and societal benefits.

General-purpose AI (GPAI) models are capable of performing a wide range of tasks and are increasingly forming the backbone of many AI systems within the EU.  However, some of these models could pose systemic risks if they are very capable or widely used.  To ensure the safety and trustworthiness of these AI systems, the EU AI Act established rules for providers, including rules on transparency and copyright. For models that may present systemic risks, providers will be required from August 2025 to assess and mitigate these risks accordingly (Article 55(1)(b)), including State of the art model evaluations, risk assessments and mitigation, serious incident tracking, and cybersecurity measures.

Until harmonised GPAI model standards are established, GPAI model providers can rely on the Code of Practice as a compliance measure.  This Code will serve as a bridge between the enforcement of GPAI model provider obligations in August 2025 and the eventual adoption of standards, which may take over three years.  The Code of Practice is expected to form the foundation for future GPAI standards.  Consequently, its contents are designed to faithfully reflect the AI Act’s intentions, particularly concerning health, safety, and fundamental rights.  Compliance with harmonised GPAI standards will grant providers the presumption of conformity, provided those standards address the relevant obligations.  The timing of a standardisation request from the EU Commission will largely depend on the effectiveness of the Code of Practice in implementing the AI Act’s obligations.

The EU AI Office has a pivotal role throughout the process and is facilitating the development of the Code under Article 56, aiming for a collaborative process that involves nearly 1,000 stakeholders, including representatives from EU Member States, European and international observers. The Code must be sufficiently detailed, regularly monitored, and adaptable to technological changes to ensure a high standard of compliance across the EU.

The drafting of the Code focuses on four key objectives aligned with the EU AI Act (Articles 53 (GPAI models) and 55 (GPAI models with systemic risks)):

• Documenting and Demonstrating Compliance: Providers must be able to document and demonstrate compliance with the Act, particularly for advanced GPAI models, enabling the AI Office to assess compliance under the Code.
• Transparency: Fostering transparency across the AI value chain so that downstream developers understand model functionalities and limitations.
• Copyright Compliance: Safeguarding creators’ rights while balancing innovation, ensuring compliance with copyright law and related rights including the Text and Data Mining (TDM) exception.
• Risk Assessment and Mitigation: Establishing a framework for the continuous assessment and mitigation of systemic risks associated with GPAI models throughout their lifecycle, from development to deployment.

Proportional compliance measures are introduced for small and medium enterprises to support innovation while ensuring accountability, including the provision of standardised templates by the EU AI Office (Article 62).

Following the publication of the first draft of the Code of Practice, three additional drafting rounds are expected over the coming months. This process will culminate in the publication of a final Code of Practice in April 2025, in advance of the AI Act’s 2 May 2025 deadline, reflecting stakeholder input and ensuring cogent implementation of the legal framework. The requirements for Providers of GPAI models will take effect on August 2, 2025.

Separately, the Data Protection Commission (DPC) has sought guidance from the European Data Protection Board (EDPB) on handling AI-related data protection issues under the GDPR, including whether personal data continue to exist within the training model.  Following the Irish request, the EDPB is expected to provide its opinion before the end of the year, helping harmonise regulatory approaches across Europe.