EU AI Act — GPAI Code of Practice (Draft 3)

Narrative

• The EU AI Office's third draft of the GPAI Code of Practice represents a critical implementation milestone for the EU AI Act
• operationalizing Articles 53-55 with specific technical and procedural requirements for general-purpose AI model providers. This guidance establishes binding transparency
• documentation
• and risk management obligations that create downstream compliance dependencies for AI system deployers. For the affected AI systems
• this code directly impacts vendor management and compliance verification processes. Organizations deploying AI systems that incorporate GPAI models must now verify their providers' adherence to the Code of Practice requirements
• including transparency documentation
• incident reporting protocols
• and for high-capacity models
• adversarial testing and cybersecurity measures. The code's presumption of conformity mechanism makes provider compliance a critical component of overall EU AI Act compliance strategy.

AI-Specific Regulation

Yes — this regulation specifically targets AI systems

Recommended Actions

• Review all AI systems to determine if they utilize GPAI models subject to Article 53-55 obligations
• For systems using GPAI models
• verify upstream provider compliance with Code of Practice transparency requirements
• Establish documentation processes to maintain technical specifications and training data summaries from GPAI providers
• Implement downstream communication protocols with GPAI model providers regarding system modifications or incidents
• For high-risk AI systems using GPAI models with systemic risk
• establish incident monitoring and 24-hour reporting procedures
• Update vendor assessment procedures to evaluate GPAI provider adherence to Code of Practice requirements
• Document reliance on Code of Practice compliance for presumption of conformity with EU AI Act obligations

Severity Assessment