Contact Us


Disruptive Competition Project

655 15th St., NW

Suite 410


Washington, D.C. 20005

Phone: (202) 783-0070
Fax: (202) 783-0534

Close

AI Act’s GPAI Code of Practice: Off to a Troubled Start, But There Is a Path Forward

Credit: Wavebreakmedia

Main takeaways

  1. Operationalising AI Act rules requires clear, proportionate, and predictable measures 
  2. Highly sensitive data and trade secrets must be protected
  3. AI Board and MEPs urgently need to weigh in on the drafting process to improve it

Boosting the EU’s declining competitiveness is a top priority for the new European Commission. This shouldn’t come as a surprise anymore, but rushed work on the Code of Practice for providers of general-purpose AI (GPAI) models is raising eyebrows – in Brussels and beyond. The Code aims to operationalise the AI Act’s most critical rules applying to developers of GPAI models – i.e. those powering AI systems capable of generating new content such as text, images, video, and audio. 

After a late kick-off and the appointment of experts to lead the drafting of the Code, the AI Office recently shared the first draft of the Code with stakeholders for feedback. Unfortunately, that draft includes measures already explicitly rejected by EU co-legislators during the AI Act negotiations, and other ideas that go far beyond the Act’s scope. The process continues to be rushed, with the next draft expected mid-December. 

1. Imbalanced and rushed process

The numerous challenges for the Code’s drafting process are well-known and have been pointed out before by leading experts. First and foremost, the process risks being derailed by the very large number of stakeholders participating in the drafting (around 1,000) and the comparatively small number of GPAI developers, who represent only 4% of all stakeholders involved.

This is highly problematic because GPAI developers not only know the technology best, they are also those who will ultimately need to apply the Code – if they decide to adhere to it, that is. This creates an imbalance that disadvantages GPAI developers. 

Second, the timeline for finalising the Code is extremely short and unprecedented for such an ambitious exercise. A final Code should be ready in April 2025, as the AI Act rules will kick in by August 2025. While this timeline is foreseen by the Act itself, which was the result of a hasty political agreement, this should not result in rushing the drafting process. 

However, the latest developments show this is unfortunately already the case. Stakeholders were given very limited time to provide feedback on the first draft, only 10 days, and a new version is already expected by mid-December. It is unclear how independent experts tasked with updating the draft based on stakeholder input will review and account for hundreds of responses within the span of two weeks. Stakeholders are then supposed to provide feedback on the second draft during the end-of-year holidays, which is unreasonable. As the saying goes, quality should take precedence over speed. If not substantially improved soon, this process cannot be reasonably expected to produce a clear Code that can stand the test of time. Which, in turn, would discourage adherence to the Code. 

2. First draft already ignores AI Act’s scope

Another challenge, and well-identified risk, has unfortunately started to materialise: the first draft includes measures already explicitly rejected during the legislative process leading up to the final AI Act, as well as proposals going far beyond the Act’s agreed scope. 

Measures previously rejected by EU co-legislators have now been resurrected in the draft, including mandatory third-party assessment requirements for providers of GPAI models. That specific notion was rejected before, because GPAI providers should be able to decide themselves whether they want to include third parties and at which stages. 

GPAI providers have strong technical expertise internally, while only a very limited number of third parties could reasonably conduct these assessments in time. The idea of differentiated treatment for smaller actors was rejected as well, as the AI Act is there to ensure that models are safe across the board, yet it has resurfaced in the first draft.

Other proposals, requiring the disclosure of highly sensitive data, raise major public security and competition concerns. As it stands, the draft Code of Practice lacks safeguards and would jeopardise trade secrets and confidential business information. These elements need to be substantially improved in the next draft, keeping in mind that disclosing sensitive information threatens model safety and security, and thus ultimately the general public. 

Last but not least, measures supplementing EU copyright rules that go beyond existing rules and interpretations are entirely outside the scope of the AI Act and should be removed from the next draft of the Code completely. For the Code to be successful, it must become a compliance tool, providing legal certainty to GPAI developers on requirements set out in the AI Act, not an undemocratic vehicle to circumvent the legislative process. 

3. How to save the GPAI Code of Practice

Both the overall process and the next draft of the Code of Practice need to see substantial improvements. That’s no small feat, but it is not too late to get the drafting of the GPAI Code back on track. Indeed, the AI Board and Members of the European Parliament (MEPs) now have a crucial role to play in this process, and should closely monitor and weigh in to improve the process – also making sure that their democratic decisions are not overturned by others. 

The focus should really shift to operationalising the AI Act’s requirements with clear, proportionate and predictable measures for GPAI developers. Ensuring that developers are better represented and heard during the drafting process is a critical first step that needs to be taken as soon as possible. 

To ensure thoughtful deliberations and robust results, it is essential to also provide reasonable amounts of time between drafts and give participants sufficient time to provide feedback. Strong safeguards for trade secrets and sensitive data are equally essential to ensure AI model safety and security. They are key to supporting EU developers’ competitiveness, as forcing them to share their ‘secret recipe’ with competitors and the general public can only result in bad outcomes. 

Conclusion

The Code of Practice’s success will be key for GPAI model developers, the broader European AI ecosystem, as well as the competitiveness of Europe’s industrial base and economy. Many innovators and developers have high expectations for the Code’s outcome, and the digital sector is dedicated to supporting the EU institutions in achieving this objective. 

Despite having only produced a first draft, the process already appears at risk of going off track. Immediate action is needed to make substantial improvements, both to the content of the Code and the process by which it is being written.

European Union

DisCo is dedicated to examining technology and policy at a global scale.  Developments in the European Union play a considerable role in shaping both European and global technology markets.  EU regulations related to copyright, competition, privacy, innovation, and trade all affect the international development of technology and tech markets.