How to Finalise the GPAI Code: A Test of Europe’s Commitment to AI Innovation
Main takeaways
- Regulatory overreach risks putting GPAI Code signatories at a disadvantage
- The Code of Practice will only be successful if it’s fully aligned with the AI Act, the text is clear, practical, and proportionate, and it supports EU competitiveness
- The Code’s final text will be a key indicator of European leaders’ real AI ambitions
The European Commission’s AI Office recently released the third draft of the Code of Practice for Providers of General-Purpose AI (GPAI) Models – the last one subject to stakeholder feedback. The experts leading the drafting process will now finalise the Code. Subsequently, it must be formally adopted by the Commission and Member States this May, just before the rules start to apply in August.
In recent months, EU leaders have set bold goals to cut red tape, accelerate AI adoption, and boost competitiveness. This holds huge potential to lay a strong foundation for AI growth in Europe, but the final Code will be a key test of how these ambitions translate into concrete action.
Unfortunately, the Code’s drafting went off track early in the process – ignoring the AI Act’s agreed scope and the urgent need for clear, balanced, and workable measures to support GPAI providers’ compliance efforts. Comparing drafts isn’t relevant in this context, as the only relevant benchmark for success is the AI Act itself. And therein lies the rub: the measures in this third draft remain concerning, as they continue to go beyond the Act’s actual requirements.
1. Significant risk of regulatory overreach
The latest version of the Code still introduces entirely new measures that have no legal basis in the AI Act. The list is long and ranges from novel ‘open source’ definitions to new rights-reservation protocols (such as op-outs from text and data mining) that rightsholders can unilaterally impose without the involvement of AI developers.
It also includes an unclear EU standardisation process for rights-reservation protocols that could lead to permanent regional standard fragmentation. And then there are new requirements for the development phase of GPAI models, although many of those will never reach the market, as well as mandatory external assessments that were already explicitly rejected during the AI Act negotiations. The list goes on, with highly prescriptive measures on how to set up model-evaluation teams, and new requirements mandating model evaluations to account for their integration into systems, despite providers’ lack of visibility into downstream use.
The list is too long for a blog post, but all the examples mentioned above highlight the fundamental flaws of the draft Code that need to be addressed urgently. This is particularly important because the Code, as a voluntary compliance tool, needs to offer a meaningful alternative to companies’ individual means of demonstrating compliance.
Going beyond what the AI Act prescribes would disadvantage Code signatories compared to non-signatories, ultimately undermining its whole purpose. To ensure companies’ willingness to actually sign up to it, the Code will need to strictly align with the AI Act.
2. Clarity nowhere in sight
The current draft also suffers from a persistent lack of clarity that has yet to be fixed. The final Code needs to be assessed in light of two crucial deliverables by the AI Office.
Firstly, the forthcoming guidelines on the application of the GPAI rules, including obligations for those who adapt existing models to their own needs, commonly known as ‘fine-tuning’. These will have a considerable impact on the number of companies subject to the rules. New concepts in the third draft, such as ‘safe-originator model’ or ‘safely derived model’, although positive in principle, will have to be aligned with the Commission’s guidelines.
In addition, the AI Office will also publish a template for the public disclosure of GPAI model training data, which needs to be a ‘sufficiently detailed summary’. So far, however, the Commission’s approach raises serious concerns among industry about trade secret protection.
Without these two key elements in place, the Code remains a puzzle that misses key pieces. Moreover, the text would greatly benefit from far greater precision, leaving no room for ambiguity. For example, the Code should unequivocally state that it has no extraterritorial scope. It should also clarify that any mandatory transparency requirements may not override the protection of trade secrets, in line with established EU rules and international commitments.
The broad wording used to describe certain systemic risks, such as ‘harmful manipulation’, raises concerns as they cannot be reasonably assessed at GPAI-model level without being explicitly linked to instances of manipulation specific to a model’s high-impact capabilities. The Code also contains many unclear terms, such as vague references to undefined ‘additional information’ that should be shared with downstream providers. In other words, the clarity of the text must be substantially improved for the Code to work in practice.
3. Ensuring a strong finish: Final recommendations
The success of the Code hinges on a triple ‘yes’: Is it aligned with the AI Act? Is it clear and proportionate? Is it practical? As we approach the end of the drafting process, these questions should guide the experts, AI Office, and EU Member States in finalising the Code.
Moreover, key deliverables – such as the AI Office’s guidelines on GPAI model rules and the so-called ‘sufficiently detailed summary’ of training data – will have to follow the same principles. Companies need these deliverables in time to assess the framework as a whole and make an informed decision about their compliance options, before deciding to sign up to the Code or find their own way. Most importantly, the final Code and overall framework must align closely with EU leaders’ ambition to boost competitiveness by reducing the regulatory burden on business.
Conclusion
As we enter the final stretch of the GPAI Code’s drafting, the aim should be to achieve a balanced, workable, and sufficiently flexible Code of Practice. A Code that not only supports companies in their efforts to comply with the AI Act, but also strengthens their ability to develop and adopt AI for Europe to remain globally competitive.
