Source: OJ L, 2024/1689, 12.7.2024
Article 55 Obligations of providers of general-purpose AI models with systemic risk
Summary: What does Article 55 of the AI act regulation say?
This article sets out a heightened tier of obligations that apply exclusively to providers of general-purpose AI models with systemic risk, building directly on top of the baseline obligations already established in Articles 53 and 54.
The core thrust is that these providers must actively manage the most serious potential harms their models could cause at Union level — through rigorous evaluation, ongoing risk assessment and mitigation, incident reporting, and cybersecurity protection.
The article also addresses how providers can demonstrate compliance, whether through codes of practice, harmonised standards, or alternative means assessed by the Commission.
Important points:
- Providers of general-purpose AI models with systemic risk must perform adversarial testing, assess and mitigate systemic risks, report serious incidents to the AI Office without undue delay, and ensure adequate cybersecurity protection for the model and its physical infrastructure.
- Compliance with these obligations can be demonstrated by adhering to an approved code of practice or a European harmonised standard; providers who do neither must demonstrate alternative adequate means of compliance for assessment by the Commission.
- All information and documentation obtained under this article, including trade secrets, is subject to the confidentiality obligations set out in Article 78.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
1. In addition to the obligations listed in Articles 53 and 54, providers of general-purpose AI models with systemic risk shall:
(a) perform model evaluation in accordance with standardised protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks;
(b) assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development, the placing on the market, or the use of general-purpose AI models with systemic risk;
(c) keep track of, document, and report, without undue delay, to the AI Office and, as appropriate, to national competent authorities, relevant information about serious incidents and possible corrective measures to address them;
(d) ensure an adequate level of cybersecurity protection for the general-purpose AI model with systemic risk and the physical infrastructure of the model.
2. Providers of general-purpose AI models with systemic risk may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models with systemic risks who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission.
3. Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78.
Relevant recitals
Recital 114 Additional obligations in case of systemic risks
The providers of general-purpose AI models presenting systemic risks should be subject, in addition to the obligations provided for providers of general-purpose AI models, to obligations aimed at identifying and mitigating those risks and ensuring an adequate level of cybersecurity protection, regardless of whether it is provided as a standalone model or embedded in an AI system or a product. To achieve those objectives, this Regulation should require providers to perform the necessary model evaluations, in particular prior to its first placing on the market, including conducting and documenting adversarial testing of models, also, as appropriate, through internal or independent external testing. In addition, providers of general-purpose AI models with systemic risks should continuously assess and mitigate systemic risks, including for example by putting in place risk-management policies, such as accountability and governance processes, implementing post-market monitoring, taking appropriate measures along the entire model’s lifecycle and cooperating with relevant actors along the AI value chain.
Recital 115 Protection of general-purpose AI models with systemic risks
Providers of general-purpose AI models with systemic risks should assess and mitigate possible systemic risks. If, despite efforts to identify and prevent risks related to a general-purpose AI model that may present systemic risks, the development or use of the model causes a serious incident, the general-purpose AI model provider should without undue delay keep track of the incident and report any relevant information and possible corrective measures to the Commission and national competent authorities. Furthermore, providers should ensure an adequate level of cybersecurity protection for the model and its physical infrastructure, if appropriate, along the entire model lifecycle. Cybersecurity protection related to systemic risks associated with malicious use or attacks should duly consider accidental model leakage, unauthorised releases, circumvention of safety measures, and defence against cyberattacks, unauthorised access or model theft. That protection could be facilitated by securing model weights, algorithms, servers, and data sets, such as through operational security measures for information security, specific cybersecurity policies, adequate technical and established solutions, and cyber and physical access controls, appropriate to the relevant circumstances and the risks involved.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
serious incident
- the death of a person, or serious harm to a person’s health;
- a serious and irreversible disruption of the management or operation of critical infrastructure;
- the infringement of obligations under Union law intended to protect fundamental rights;
- serious harm to property or the environment;