Summary of Article 55
- Provider’s Role in Evaluating and Mitigating Systemic Risks: Providers must conduct state-of-the-art model evaluations, including adversarial testing, and assess and mitigate systemic risks at the Union level.
- Provider’s Role in Incident Reporting, Cybersecurity, and Compliance: Providers must report serious incidents, ensure cybersecurity, and demonstrate compliance using codes of practice, harmonised standards, or alternative methods.
- Confidentiality Obligations for Providers: Providers must safeguard all obtained information, including trade secrets, in accordance with Article 78.
Provider’s Role in Evaluating and Mitigating Systemic Risks
1. In addition to the obligations listed in Articles 53 and 54, providers of general-purpose AI models with systemic risk shall:
(a) perform model evaluation in accordance with standardised protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks;
(b) assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development, the placing on the market, or the use of general-purpose AI models with systemic risk;
Provider’s Role in Incident Reporting, Cybersecurity, and Compliance
(c) keep track of, document, and report, without undue delay, to the AI Office and, as appropriate, to national competent authorities, relevant information about serious incidents and possible corrective measures to address them;
(d) ensure an adequate level of cybersecurity protection for the general-purpose AI model with systemic risk and the physical infrastructure of the model.
2. Providers of general-purpose AI models with systemic risk may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models with systemic risks who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission.
Confidentiality Obligations for Providers
3. Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78.
