Article 55 — Obligations of Providers of General-Purpose AI Models with Systemic Risk

Article 55

Obligations of providers of general-purpose AI models with systemic risk

1. In addition to the obligations listed in Articles 53 and 54, providers of general-purpose AI models with systemic risk
shall:

(a) perform model evaluation in accordance with standardised protocols and tools reflecting the state of the art, including
conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks;

(b) assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development,

the placing on the market, or the use of general-purpose AI models with systemic risk;

(c) keep track of, document, and report, without undue delay, to the AI Office and, as appropriate, to national competent

authorities, relevant information about serious incidents and possible corrective measures to address them;

(d) ensure an adequate level of cybersecurity protection for the general-purpose AI model with systemic risk and the
physical infrastructure of the model.

2. Providers of general-purpose AI models with systemic risk may rely on codes of practice within the meaning of
Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised

standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to
the extent that those standards cover those obligations. Providers of general-purpose AI models with systemic risks who do
not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate
alternative adequate means of compliance for assessment by the Commission.

3. Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in
accordance with the confidentiality obligations set out in Article 78.

SECTION 4

Codes of practice