Procurement workflow surface
EU General-Purpose AI Code of Practice — vendor disclosure form
This is a sample disclosure form a procurement team can adapt for vendor RFPs and ITTs evaluating systems against EU General-Purpose AI Code of Practice. The provision-specific questions below were derived from the catalog's coverage cells; before issuing, a qualified procurement lawyer should review the adapted version against your jurisdiction's contract law. This form is NOT legal advice (see charter §7.4).
1. Vendor identification
2. AI system identification
3. Provision-specific questions
- Foundation Models / GPAI. Does the offered system meet the threshold for a general-purpose / foundation model under EU General-Purpose AI Code of Practice (Chapter 3 (Safety & Security) operationalises Art. 55 systemic-risk-tier obligations for GPAI providers)? If yes, identify the specific obligations you will satisfy and the evidence you will provide.
(Cite: Chapter 3 (Safety & Security) operationalises Art. 55 systemic-risk-tier obligations for GPAI providers)
- Transparency Obligations. Provide the documentation required under the transparency obligations of EU General-Purpose AI Code of Practice (Chapter 1 (Transparency) — 13 commitments + ~40 measures operationalising Art. 53(1)(a)-(c) model documentation + training-data summary) — including (as applicable) model card, system card, training-data summary, evaluation results, and known limitations.
(Cite: Chapter 1 (Transparency) — 13 commitments + ~40 measures operationalising Art. 53(1)(a)-(c) model documentation + training-data summary)
- Training-Data Rights. Identify the legal basis for training-data sourcing for the offered system (including copyright, consent, and any text-and-data-mining exemptions relied upon) and confirm consistency with EU General-Purpose AI Code of Practice (Chapter 2 (Copyright) — Art. 53(1)(c) training-data summary obligations + Art. 53(1)(d) text-and-data-mining opt-out compliance).
(Cite: Chapter 2 (Copyright) — Art. 53(1)(c) training-data summary obligations + Art. 53(1)(d) text-and-data-mining opt-out compliance)
- Catastrophic & Existential Risk. Has the offered system been evaluated against catastrophic-risk thresholds (e.g., CBRN information uplift, autonomous replication) consistent with EU General-Purpose AI Code of Practice (Chapter 3 systemic-risk-tier capability evaluations + serious-incident reporting + model-weight access controls (Art. 55 substrate))? Provide the evaluation report or its public-disclosure equivalent.
(Cite: Chapter 3 systemic-risk-tier capability evaluations + serious-incident reporting + model-weight access controls (Art. 55 substrate))
4. Documentation enclosures expected
Tick each enclosure attached to the vendor response. Missing enclosures should be explained in the “Variances” field below.
- Safety / capability evaluation results
- Training-data summary / provenance log
- Transparency documentation (per-instrument schema)
- Copies of submitted regulatory reports / registrations
- Vendor company registration + insurance certificates
- Sub-processor / supply-chain list (including model upstream)
5. Vendor attestation
The undersigned, on behalf of the vendor, attests that the disclosures above are true and complete to the best of their knowledge at the date signed, and undertakes to notify the buyer in writing within 30 days of any material change to those disclosures.
This is a sample form derived from the catalog at /wiki/gpai-code-of-practice. Adapt before issuing. Not legal advice; not jurisdiction-specific. See charter §7.4.