The European Union has released an updated but currently non-binding code of practice designed to help companies better understand the transparency requirements of the AI Act. Experts have largely welcomed the guidance, which is expected to provide a clearer framework for safe AI use and help users identify AI-generated content. Although the document is not legally mandatory, its strategic importance is significant for all European companies, given the anticipated strict enforcement of the Act itself.
What Does This New Guidance Mean in Practice?
The most crucial fact is that the code of practice is neither finalized nor mandatory in its current form. However, this does not mean it can be ignored. In a corporate context, this document serves as a form of official ‘guidance note,’ offering insight into the mindset of regulators. Its contents foreshadow what will be expected of companies regarding transparency once the AI Act is fully implemented.
Do you have a question about AI security? You can reach us here:
According to expert opinion, a key benefit of the code is its support for compliance functions. It can provide organizations with a clearer steer on what constitutes safe AI use under the legislation. This is particularly important as many expect the AI Act to be strictly enforced. Companies that begin aligning their internal processes and AI systems with this guidance now can gain a significant competitive advantage and reduce future compliance risks.
Another critical element of the code is user information. The requirement to clearly indicate when content is AI-generated is fundamental to combating disinformation and building digital trust. In practice, this could apply to everything from deepfake videos and AI-written texts to chatbot interactions.
The AIQ Perspective: Transparency as a Cornerstone of Security and Trust
From an AIQ standpoint, transparency extends far beyond legal compliance; it is a cornerstone of AI security. The era of ‘black box’ models is over. A lack of transparency is not just a legal risk but also a serious business and reputational threat. An opaque system is vulnerable, difficult to audit, and undermines user trust.
How does this relate to the OWASP LLM Top 10 list of vulnerabilities?
- LLM10: Unsafe Output: One of the most direct applications of transparency is the clear labeling of AI-generated content. This practice directly mitigates the risk of misleading information, manipulation, and the spread of harmful content, which is a central concern of LLM10.
- LLM09: Overreliance: If users are unaware they are interacting with an AI or are not informed of its limitations, they may be inclined to blindly trust its outputs. Transparency—such as clear communication about a system’s capabilities and limitations—helps users treat AI as a tool rather than an infallible oracle.
- LLM05: Supply Chain Vulnerabilities: Transparency extends to the AI model’s supply chain. Knowing what data a model was trained on, what preprocessing steps it underwent, and what components it is built from is essential for identifying hidden vulnerabilities and biases. The spirit of the code of practice points in this direction.
AIQ’s position is that transparency is also closely linked to the core principles of GDPR. The principle of ‘lawful, fair and transparent’ data processing is directly applicable to AI systems, especially when they process personal data. Following the AI Act’s guidance on transparency will also strengthen a company’s GDPR posture.
Preparing for an Audit: How to Align with Expectations?
Although the code of practice is non-binding, it will serve as a reference point during an AI security audit. Organizations that can demonstrate proactive adoption of the principles outlined in the code will be in a much stronger position.
From an AIQ standpoint, preparation in a corporate context involves the following practical steps:
- AI Inventory and Risk Assessment: Map out all AI systems used within the organization. Document what each system is used for, what data it processes, and whether it poses a high risk under the AI Act.
- Develop Transparency Processes: Create internal policies on how and when to inform users about AI use. This includes clear indicators on user interfaces, identification of chatbots, and labeling of AI-generated content.
- Documentation: Begin to meticulously document the lifecycle of AI models, from the source of training data to the evaluation of model performance. In a future audit, this documentation will serve as evidence of due diligence.
- Red Teaming and Testing: Test your systems to ensure that the presence and function of AI are clear to users. An LLM red teaming exercise can reveal ambiguous situations where users may not be aware they are communicating with a machine.
In summary, the EU’s new code of practice is a valuable roadmap that helps companies prepare for the era of the AI Act. Proactive alignment is not merely about avoiding legal penalties; it is a strategic investment in building secure, trustworthy, and ultimately more successful AI systems.