Dissecting the EU AI Act: The Code of Practice
Officially entering into force on August 1st, 2024, the countdown to the EU AI Act’s numerous implications has officially begun. In light of its risk-based approach, various parts of the act will come into effect at different time points, ranging from February 2025 to August 2027.
In particular, the near horizon contains two notable effects, with the latter impacting a wide span of firms: Bans on Prohibited Use-cases (effective February 2025) and the Code of Practice (effective April 2025). In this blog post, we will take a closer look at the Codes of Practice, their scope, and what they will entail for enterprises powered by AI.
The Code of Practice: What to Expect
Applicable to general purpose AI (GPAI) models, the Code of Practice is the “interim” documentation between the EU AI Act and the harmonized standards involving the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (CENELEC). In particular, Article 56 of the EU AI Act defines the Code of Practice as placeholder mode of compliance for GPAI models, with the core obligations outlined as:
- Provision of technical documentation to the AI Office and National Competent Authorities
- Provision of relevant information to downstream providers seeking integration of a model into their AI/GPAI system, including capabilities and limitations
- Summaries of the training data used
- Policies for complying with existing Union copyright law
In particular, the Code will have additional provisions for GPAI models with systemic risk - identified as models with “high impact” or trained with above an 1025 FLOPS threshold (for example, ChatGPT-4). These additions include:
- State of the art model evaluations
- Risk assessment and mitigation
- Serious incident reporting, including corrective measures
- Adequate cybersecurity protection
The Drafting of the Code
On July 30th, the European AI Office opened an official call for expression of interest to participate in the drawing-up of the first general-purpose AI Code of Practice. This ushers in an iterative drafting process, supported by a multi-stakeholder engagement approach.
The timeline is thus broken into three stages: Process Launch, Iterative Drafting in the Code of Practice Plenary, and the Final Code. Officially starting with the official call above, the Final Code of Practice is expected in April 2025. The stages are anticipated as follows:
Process Launch: July - Sept. 2024
- Call for interest of stakeholders
- Multi-stakeholder consultations
- Kick-off meeting of all participants (online)
Iterative Drafting: Sept. 2024 - Apr. 2025
- 1st, 2nd, and 3rd Plenary conducted virtually for discussions organized in 4 Working Groups with specified focuses of the Code
- Participants providing comments consolidated by the Chair and Vice-Chair of each Working Group
- GPAI model provider workshops with Chairs and Vice-Chairs coincidentally occurring
Final Code: April 2025
- Closing plenary
- GPAI model providers express whether they plan to use the code
Multi-stakeholder Involvement
As aforementioned, the web of stakeholder engagement will be involved in each step of the Code’s development. Noted by Latham & Watkins LLP, providers of GPAI models, downstream providers, and various industry or stakeholder organizations (including NGOs, rightsholder organizations, and any interested independent experts), along with public authorities, are invited to offer their input on the development of rules. These rules will address issues such as transparency, copyright, risk taxonomy, assessment, and mitigation, as well as the review and monitoring of the Codes of Practice for GPAI models.
In the Process Launch phase, the consultation of stakeholders will found the basis of the initial draft of the code, with stakeholders invited to become participants to the Code of Practice Plenary groups.
During the stage of Iterative Drafting, the following 4 Working Groups, supported from the previous stage’s stakeholders, will focus on the following:
1. Transparency and copyright-related issues
2. Risk identification and assessment measures
3. Risk mitigation measures
4. Internal risk management and governance for GPAI providers
Moreover GPAI Model Providers will be invited to workshops with working group Chairs and Vice-Chairs, upholding the AI Office’s focus on transparency to all Plenary participants. Once the Iterative Drafting is complete, the Final Code stage involves GPAI model providers directly, with the Final Code of Practice being presented and GPAI model providers expressing their use intentions with the code, as reflected above.
Preparing Enterprises for the Code of Practice
At Calvin, our modularized suite of AI risk management, governance, validation, compliance, and audit tools form the basis of EU AI Act readiness; in particular, Calvin’s LLM offer allows firms to take control of their generative AI compliance process with ease - providing the vital quantitative tools needed to align with the anticipated Code of Practice and various upcoming components of the EU AI Act. As the EU AI Act drives further into effect, our core mission is to lessen the needed administrative and technical efforts by providing efficient, quantitative risk management solutions - guiding firms to certainty in their EU AI Act success.