aicomply.
Lesson · 15 min · Chapter 4 of 9

Systemic Risk Obligations

Additional requirements for GPAI models with systemic risk.

Systemic Risk Obligations (Article 55)

Learning Objectives

By the end of this chapter, you will be able to:

  • Explain the four core obligations for systemic risk GPAI models under Article 55
  • Design comprehensive adversarial testing programmes meeting regulatory standards
  • Implement systemic risk assessment methodologies at Union level
  • Establish incident tracking and reporting systems compliant with AI Office requirements
  • Develop appropriate cybersecurity measures for GPAI models and infrastructure

The Enhanced Obligation Framework

Article 55 imposes four additional obligations on providers of GPAI models with systemic risk, supplementing (not replacing) the baseline Article 53 requirements. These obligations address the heightened risks posed by the most capable AI models.

Obligation Structure Overview

| Obligation | Article Reference | Primary Focus | Key Deliverable |
|---|---|---|---|
| Model Evaluation | Article 55(1)(a) | Adversarial testing and capability assessment | Evaluation reports with methodology documentation |
| Risk Assessment & Mitigation | Article 55(1)(b) | Union-level systemic risk identification and control | Risk assessment documentation and mitigation plan |
| Incident Tracking & Reporting | Article 55(1)(c) | Serious incident documentation and notification | Incident reports to AI Office |
| Cybersecurity Protection | Article 55(1)(d) | Model and infrastructure security | Cybersecurity assessment and measures |

Obligation 1: Model Evaluation (Article 55(1)(a))

Regulatory Text Analysis

Article 55(1)(a) requires providers to:

"perform model evaluations in accordance with standardised protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risk"

State-of-the-Art Adversarial Testing

"State of the art" is a dynamic standard that evolves with the field. Current best practices include:

| Testing Category | Techniques | Focus Areas |
|---|---|---|
| Capability Elicitation | Systematic prompting, task decomposition | Dangerous capabilities, dual-use potential |
| Jailbreak Testing | Prompt injection, roleplay attacks, encoding | Safeguard circumvention |
| Red Teaming | Human adversaries, automated attacks | Real-world misuse scenarios |
| Bias & Fairness | Demographic probing, representation analysis | Discrimination risks |
| Factual Accuracy | Knowledge probing, hallucination detection | Misinformation potential |
| Multi-modal Risks | Cross-modality attacks (if applicable) | Emergent behaviours |

Comprehensive Testing Programme Structure

| Phase | Duration | Activities | Outputs |
|---|---|---|---|
| Pre-deployment Testing | 4-8 weeks | Core capability evaluation, safety assessments | Baseline risk profile |
| Extended Red Team | 2-4 weeks | Expert adversarial testing, domain specialist review | Vulnerability catalogue |
| Stress Testing | 1-2 weeks | Edge cases, high-volume scenarios, combined attacks | Failure mode documentation |
| Post-deployment Monitoring | Continuous | Production monitoring, user feedback analysis | Ongoing risk assessment |

Documentation Requirements

| Document | Content | Frequency |
|---|---|---|
| Testing Protocol | Methodology, tools, scenarios, success criteria | Pre-testing |
| Vulnerability Register | Identified weaknesses, severity ratings, status | Continuous |
| Mitigation Record | Actions taken for each vulnerability | Per finding |
| Summary Report | Overall assessment, residual risks | Per evaluation cycle |

Expert Insight

The AI Office has indicated that documentation should demonstrate not just that testing occurred, but that it was thorough, systematic, and appropriate to the model's capabilities. Superficial testing will not satisfy the "state of the art" requirement.


Obligation 2: Systemic Risk Assessment and Mitigation (Article 55(1)(b))

Regulatory Framework

Article 55(1)(b) requires providers to:

"assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development, the placing on the market, or the use of general-purpose AI models with systemic risk"

Defining "Systemic Risk at Union Level"

Systemic risks are those that could affect the Union as a whole or significant parts of it. Categories include:

| Risk Category | Examples | Union-Level Impact |
|---|---|---|
| Democratic Processes | Large-scale disinformation, electoral manipulation | Undermining democratic institutions across Member States |
| Critical Infrastructure | Cyberattack automation, control system vulnerabilities | Cross-border infrastructure disruption |
| Public Health | Medical misinformation, healthcare system attacks | Health system strain across multiple countries |
| Public Safety | Weapons development assistance, CBRN risks | Security threats affecting multiple Member States |
| Economic Stability | Market manipulation, automated fraud at scale | Financial system disruption |
| Fundamental Rights | Mass surveillance enablement, discrimination at scale | Rights violations affecting large populations |

Risk Assessment Methodology

| Stage | Activities | Outputs |
|---|---|---|
| 1. Risk Identification | Capability mapping, threat modelling, scenario analysis | Risk register with systemic risks identified |
| 2. Likelihood Assessment | Probability estimation, attack feasibility analysis | Likelihood scores (1-5 or qualitative) |
| 3. Impact Assessment | Severity evaluation, Union-level scope analysis | Impact scores and justification |
| 4. Risk Prioritisation | Risk matrix application, ranking | Prioritised risk list |
| 5. Mitigation Planning | Control identification, implementation planning | Mitigation roadmap |
| 6. Residual Risk Evaluation | Post-mitigation assessment | Residual risk documentation |

Mitigation Measure Categories

| Measure Type | Examples | Effectiveness |
|---|---|---|
| Training-time Controls | Data filtering, RLHF, constitutional AI | High—addresses root causes |
| Inference-time Controls | Output filtering, content moderation, rate limiting | Medium—can be circumvented |
| Access Controls | API restrictions, use case verification, tiered access | Medium—reduces but doesn't eliminate risk |
| Monitoring & Response | Usage monitoring, anomaly detection, incident response | Reactive—limits damage |
| External Collaboration | Information sharing, coordinated disclosure | Supportive—enhances ecosystem resilience |
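The six-stage methodology and the mitigation categories above are easier to operate once they are written down as a scoring rule. The following Python is an added example, not code from the course or from any provider: it scores likelihood and impact on the 1-5 scale, ranks risks on a likelihood × impact matrix, and re-scores after mitigation (stage 6). The band thresholds and the per-measure multipliers are assumptions chosen to mirror the effectiveness column (preventive controls lower likelihood, reactive monitoring mainly limits impact); the sample risks are constructed.

```python
import math
from dataclasses import dataclass, field

# Added example (not from the course). The 1-5 scales, the priority bands and
# the mitigation factors below are assumptions for illustration only.

# Stage 4 risk matrix: bands on the likelihood x impact product (assumed).
PRIORITY_BANDS = ((15, "critical"), (10, "high"), (5, "medium"), (0, "low"))

# Assumed effect of each measure type: (likelihood multiplier, impact multiplier).
# Preventive controls reduce likelihood; reactive monitoring limits damage,
# so it reduces impact instead. Values are illustrative, not empirical.
MITIGATION_FACTORS = {
    "training-time": (0.4, 1.0),
    "inference-time": (0.7, 1.0),
    "access-control": (0.7, 1.0),
    "monitoring": (1.0, 0.8),
    "external": (1.0, 0.9),
}


@dataclass
class Risk:
    name: str
    category: str                 # one of the six systemic risk categories
    likelihood: int               # stage 2 score, 1-5
    impact: int                   # stage 3 score, 1-5
    mitigations: list = field(default_factory=list)  # stage 5 measure types

    def __post_init__(self):
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
        unknown = set(self.mitigations) - MITIGATION_FACTORS.keys()
        if unknown:
            raise ValueError(f"unknown mitigation types: {sorted(unknown)}")


def priority_band(score):
    """Stage 4: map a likelihood x impact score to a priority band."""
    for threshold, band in PRIORITY_BANDS:
        if score >= threshold:
            return band
    return "low"


def _to_scale(value):
    # Round up so a mitigation never gets more credit than it earns,
    # and never leave the 1-5 scale at the bottom.
    return max(1, math.ceil(round(value, 6)))


def assess(risk):
    """Inherent score before controls and residual score after them (stage 6)."""
    inherent = risk.likelihood * risk.impact
    likelihood, impact = float(risk.likelihood), float(risk.impact)
    for measure in risk.mitigations:
        l_factor, i_factor = MITIGATION_FACTORS[measure]
        likelihood *= l_factor
        impact *= i_factor
    residual = _to_scale(likelihood) * _to_scale(impact)
    return {
        "name": risk.name,
        "category": risk.category,
        "inherent": inherent,
        "inherent_band": priority_band(inherent),
        "residual": residual,
        "residual_band": priority_band(residual),
    }


def prioritise(register):
    """Stage 4: rank the register, highest inherent risk first."""
    return sorted((assess(r) for r in register), key=lambda a: (-a["inherent"], a["name"]))


def example_register():
    """Constructed sample risks for the demonstration, not real assessment data."""
    return [
        Risk("Large-scale disinformation generation", "Democratic Processes", 4, 5,
             ["training-time", "monitoring"]),
        Risk("Cyberattack automation against control systems", "Critical Infrastructure", 3, 4,
             ["access-control"]),
        Risk("Fabricated market-moving reports", "Economic Stability", 2, 2),
    ]


if __name__ == "__main__":
    for entry in prioritise(example_register()):
        print(f"{entry['name']}: inherent {entry['inherent']} ({entry['inherent_band']}), "
              f"residual {entry['residual']} ({entry['residual_band']})")
```

Note what the numbers show: the access-control-only risk stays in the "high" band after mitigation, which is exactly the "reduces but doesn't eliminate" caveat from the table, and is the kind of residual risk that stage 6 requires you to document and accept explicitly rather than let disappear in a spreadsheet.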

Value Chain Risk Assessment

Article 55(1)(b) explicitly requires consideration of risks throughout development, placing on market, and use:

| Value Chain Stage | Risk Considerations | Assessment Focus |
|---|---|---|
| Development | Training data risks, capability emergence, security of development environment | Internal processes and controls |
| Placing on Market | Distribution channel risks, access control adequacy, documentation sufficiency | Release procedures and safeguards |
| Use | Downstream applications, foreseeable misuse, unintended applications | End-use scenarios and user population |

Compliance Note

Risk assessment must be forward-looking. You must consider "reasonably foreseeable" negative effects—not just known, existing risks. This requires ongoing capability monitoring as models are fine-tuned or applied in new contexts.


Obligation 3: Incident Tracking and Reporting (Article 55(1)(c))

Regulatory Requirement

Article 55(1)(c) requires providers to:

"track, document and report, without undue delay, to the AI Office and, as appropriate, to national competent authorities, relevant information about serious incidents and possible corrective measures to address them"

Defining "Serious Incidents"

While the AI Act defines serious incidents in the context of high-risk AI systems, for GPAI models with systemic risk, serious incidents likely include:

| Incident Category | Examples | Reporting Priority |
|---|---|---|
| Actual Systemic Harm | Documented mass misinformation campaign, demonstrated critical infrastructure attack | Immediate |
| Near-Miss Events | Prevented large-scale attack, circumvented safeguard exploitation | High |
| Significant Capability Failures | Major safety system bypass discovered | High |
| Novel Risk Emergence | Unexpected dangerous capability identified | Medium-High |
| Third-Party Reports | External researcher identifies critical vulnerability | Medium |

Incident Management Framework

| Phase | Timeline | Activities | Documentation |
|---|---|---|---|
| Detection | Immediate | Monitoring alerts, user reports, researcher disclosure | Initial incident log |
| Triage | < 1 hour | Severity assessment, classification, escalation decision | Triage record |
| Containment | < 24 hours | Immediate mitigation measures, access restrictions if needed | Containment actions |
| Investigation | 1-7 days | Root cause analysis, scope assessment, impact evaluation | Investigation report |
| Reporting | "Without undue delay" | AI Office notification, supporting documentation | Formal incident report |
| Remediation | Ongoing | Corrective measures, prevention improvements | Remediation record |
| Closure | Post-remediation | Effectiveness verification, lessons learned | Closure report |

AI Office Reporting Requirements

| Report Element | Content Requirements |
|---|---|
| Incident Description | What occurred, when discovered, how detected |
| Affected Scope | Geographic reach, user impact, downstream systems |
| Systemic Risk Connection | How incident relates to systemic risk potential |
| Immediate Response | Containment and mitigation actions taken |
| Root Cause | Underlying technical or procedural failure |
| Corrective Measures | Planned or implemented remediation |
| Prevention Measures | Changes to prevent recurrence |

Expert Insight

"Without undue delay" is context-dependent. For serious incidents with ongoing harm potential, this means hours, not days. Establish clear internal escalation procedures and pre-approve notification templates to enable rapid response.
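The phase timelines, the report elements and the "hours, not days" reading of "without undue delay" are all things an incident tracking system can check mechanically. The Python below is an added example, not code from the course or from any provider's incident system: it grades each phase of an incident record against the timeline table and lists which AI Office report elements a draft still lacks. The reporting targets (24 hours where harm is ongoing, 72 hours otherwise) are assumptions standing in for an organisation's own pre-agreed escalation policy; the incident and report are constructed.

```python
from datetime import datetime, timedelta

# Added example (not from the course). Phase targets follow the framework
# table; the two reporting targets are assumptions for illustration.
PHASE_TARGETS = {
    "triaged_at": timedelta(hours=1),      # Triage: < 1 hour
    "contained_at": timedelta(hours=24),   # Containment: < 24 hours
}
REPORTING_TARGET_ONGOING_HARM = timedelta(hours=24)  # assumption
REPORTING_TARGET_DEFAULT = timedelta(hours=72)       # assumption

# The seven elements from the AI Office reporting table.
REQUIRED_REPORT_ELEMENTS = (
    "Incident Description", "Affected Scope", "Systemic Risk Connection",
    "Immediate Response", "Root Cause", "Corrective Measures", "Prevention Measures",
)


def _ts(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def reporting_target(incident):
    """'Without undue delay' tightens when harm is still ongoing."""
    return REPORTING_TARGET_ONGOING_HARM if incident.get("ongoing_harm") else REPORTING_TARGET_DEFAULT


def phase_status(incident, now=None):
    """Grade each timed phase: ok / breached (done late) / pending / overdue (not done, target passed)."""
    now = _ts(now) if now else datetime.now()
    detected = _ts(incident["detected_at"])
    targets = {**PHASE_TARGETS, "reported_at": reporting_target(incident)}
    status = {}
    for phase, target in targets.items():
        done_at = incident.get(phase)
        if done_at:
            status[phase] = "ok" if _ts(done_at) - detected <= target else "breached"
        else:
            status[phase] = "overdue" if now - detected > target else "pending"
    return status


def missing_report_elements(report):
    """Report elements that are absent or empty in a draft report."""
    return [e for e in REQUIRED_REPORT_ELEMENTS if not str(report.get(e, "")).strip()]


def submission_check(incident, report, now=None):
    """Combined view for the person deciding whether the formal report can go out."""
    missing = missing_report_elements(report)
    return {
        "incident": incident.get("id"),
        "phase_status": phase_status(incident, now),
        "missing_elements": missing,
        "ready": not missing,
    }


def sample_incident():
    """Constructed incident record (hypothetical id and timestamps)."""
    return {
        "id": "INC-EXAMPLE-001",
        "ongoing_harm": True,
        "detected_at": "2025-01-10T08:00:00",
        "triaged_at": "2025-01-10T08:40:00",      # 40 minutes: within 1 hour
        "contained_at": "2025-01-11T09:30:00",    # 25.5 hours: breaches 24 hours
        "reported_at": None,                      # formal report not yet sent
    }


def sample_report():
    """Constructed draft report: Root Cause is empty, Prevention Measures is absent."""
    return {
        "Incident Description": "Safeguard bypass reported by external researcher on 2025-01-10",
        "Affected Scope": "API customers in three Member States; no downstream systems confirmed",
        "Systemic Risk Connection": "Bypass enabled generation of content in the Public Safety category",
        "Immediate Response": "Affected endpoint rate-limited; filter rule deployed",
        "Root Cause": "",
        "Corrective Measures": "Classifier retraining scheduled",
    }


if __name__ == "__main__":
    print(submission_check(sample_incident(), sample_report(), now="2025-01-10T20:00:00"))
```

The `now` argument exists so that the same check can be replayed against historical records during a post-incident review or an audit, where "has the reporting target already passed?" has to be answered as of a given moment rather than the current clock.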


Obligation 4: Cybersecurity Protection (Article 55(1)(d))

Regulatory Requirement

Article 55(1)(d) requires providers to:

"ensure an adequate level of cybersecurity protection for the general-purpose AI model with systemic risk and the physical infrastructure of the model"

Scope of Cybersecurity Obligations

"Adequate" cybersecurity encompasses both the model itself and supporting infrastructure:

| Protection Domain | Components | Key Threats |
|---|---|---|
| Model Security | Weights, architecture, fine-tuning procedures | Model theft, adversarial manipulation, extraction attacks |
| Training Infrastructure | Training clusters, datasets, pipelines | Data poisoning, compute compromise |
| Serving Infrastructure | API endpoints, inference servers, load balancers | Service disruption, unauthorised access |
| Development Environment | Code repositories, CI/CD pipelines, testing environments | Supply chain attacks, insider threats |
| Data Storage | Training data, evaluation data, user data | Data breach, regulatory violations |

Cybersecurity Framework Alignment

Consider alignment with established frameworks:

| Framework | Applicability | Key Areas |
|---|---|---|
| ISO 27001 | Information security management | Risk management, access control, incident management |
| NIST CSF | Cybersecurity risk management | Identify, Protect, Detect, Respond, Recover |
| SOC 2 | Service organisation controls | Security, availability, processing integrity, confidentiality |
| CSA STAR | Cloud security | Cloud-specific security controls |

Model-Specific Security Measures

| Threat | Protection Measures | Monitoring |
|---|---|---|
| Model Extraction | Rate limiting, output perturbation, access monitoring | Query pattern analysis |
| Weight Theft | Encryption at rest and transit, access logging, hardware security | Access anomaly detection |
| Adversarial Inputs | Input validation, anomaly detection, robustness testing | Real-time input analysis |
| Prompt Injection | Input sanitisation, context separation, privilege minimisation | Prompt pattern monitoring |
| Fine-tuning Attacks | Access controls, modification logging, integrity verification | Change detection |

Physical Infrastructure Security

| Area | Security Measures |
|---|---|
| Data Centres | Physical access controls, environmental monitoring, redundancy |
| Network | Segmentation, encryption, intrusion detection |
| Compute Resources | Secure boot, hardware security modules, resource isolation |
| Backup Systems | Encrypted backups, geographic distribution, tested recovery |

Implementation Roadmap

Pre-Systemic Risk Status Preparation

| Activity | Timeline | Priority |
|---|---|---|
| Establish adversarial testing capability | 3-6 months before threshold | Critical |
| Develop risk assessment methodology | 2-4 months before threshold | Critical |
| Implement incident management system | 2-3 months before threshold | High |
| Conduct cybersecurity assessment | 2-3 months before threshold | High |
| Create documentation templates | 1-2 months before threshold | Medium |
| Train relevant personnel | 1 month before threshold | Medium |

Ongoing Compliance Activities

| Activity | Frequency | Responsible |
|---|---|---|
| Adversarial testing cycles | Quarterly minimum | Safety/Red team |
| Risk assessment updates | Bi-annual or on significant changes | Risk team |
| Incident response drills | Annual | Security team |
| Cybersecurity audits | Annual | Security/External auditor |
| AI Office reporting | As required | Compliance |
| Documentation updates | Continuous | All teams |

Compliance Checklist

Model Evaluation (Article 55(1)(a))

  • Established adversarial testing programme with documented protocols
  • Testing covers state-of-the-art techniques appropriate to model capabilities
  • Vulnerability register maintained and updated
  • Mitigation measures documented for identified risks
  • Evaluation methodology documentation available for AI Office review
  • External red team engagement (recommended)

Systemic Risk Assessment (Article 55(1)(b))

  • Risk assessment methodology established and documented
  • All six systemic risk categories assessed
  • Value chain risks (development, market, use) evaluated
  • Mitigation measures identified for high-priority risks
  • Residual risk documented and accepted
  • Assessment updated for significant changes

Incident Management (Article 55(1)(c))

  • Incident classification criteria defined
  • Escalation procedures documented
  • AI Office reporting templates prepared
  • Response team identified and trained
  • Incident logging system operational
  • Post-incident review process established

Cybersecurity (Article 55(1)(d))

  • Model security measures implemented
  • Infrastructure security assessed and hardened
  • Access controls and logging in place
  • Security monitoring operational
  • Incident response capability tested
  • Third-party security assessment conducted (recommended)

What You Learned

Key concepts from this chapter:

  • Article 55 imposes **four additional obligations** on systemic risk GPAI providers: model evaluation, risk assessment, incident management, and cybersecurity
  • **Adversarial testing** must reflect the "state of the art"—superficial testing will not satisfy regulators
  • **Systemic risk assessment** must address Union-level impacts across democratic, infrastructure, health, safety, economic, and rights domains
  • **Incident reporting** must be "without undue delay"—establish processes enabling rapid notification
  • **Cybersecurity** encompasses both the model and supporting infrastructure—comprehensive protection is required
