European Commission consultation closes on draft AI Act procedure rules

The European Commission is closing its consultation on a draft implementing regulation on detailed arrangements for certain proceedings under the AI Act.

The draft states that it lays down detailed arrangements and conditions for the evaluation of general-purpose AI models under Article 92, including procedures for involving independent experts and selecting them. It also lays down detailed arrangements and procedural safeguards for proceedings in view of the possible adoption of decisions under Article 101 of Regulation (EU) 2024/1689.

Under Article 2, a European Commission decision requesting access to a general-purpose AI model would have to specify the technical means, components, and conditions by which the provider must provide that access. The draft states that access may include APIs, internal access, source code, model weights, access to the infrastructure used to host the model, access to inspect and modify system state, and all levels of access granted to the provider’s own employees.

The draft also states that the European Commission may require a provider to disable and remove logging measures that could track or record the Commission’s access, to the extent necessary to ensure the integrity and confidentiality of the evaluation process. Providers from whom access is requested would have to provide it in a timely and effective manner.

Regarding independent experts, the draft states that the European Commission must take into account factors such as shared ownership, governance, management, personnel, resources, and contractual relationships when assessing independence. It also states that appointed experts must remain independent throughout their appointment and that the confidentiality, integrity, and availability of sensitive information must be protected.

For proceedings that may lead to fines, the draft states that the European Commission may initiate proceedings against relevant conduct by providers of general-purpose AI models. It also states that the Commission may, by decision, order interim measures on grounds of urgency due to a risk of serious damage to health, safety requirements, or other grounds relating to the public interest covered by Regulation (EU) 2024/1689, including preventing a general-purpose AI model from being made available on the market, based on a prima facie finding of an infringement.

Procedural safeguards include written observations on preliminary findings, with a time limit of at least 14 days set by the European Commission, and rules governing access to the file. The draft states that the addressee may obtain access to documents mentioned in the preliminary findings, subject to redactions protecting business secrets and other confidential information, while broader access may be granted under terms of disclosure set by the Commission.

The annex sets format and length requirements for written observations submitted under Article 7. It states that observations must be submitted in a format that allows electronic processing, digitisation, and character recognition, and sets requirements for page format, font, spacing, margins, and numbering. Written observations must not exceed 50 pages, while annexes do not count towards that limit if they have a purely evidential and instrumental function and are proportionate in number and length.

The draft also lays down limitation periods for the imposition and enforcement of penalties, rules on the beginning and setting of time periods, and provisions on the transmission and receipt of information. It states that documents transmitted by digital means must use at least one qualified electronic signature and that, for real-time or near real-time information shared through APIs or equivalent means, the European Commission will define the methods and duration of that sharing.

The regulation states that it would enter into force on the twentieth day following its publication in the Official Journal of the European Union.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU digital identity strengthens after 20 years of .eu expansion

Two decades since the launch of the .eu domain, the EU has marked its role in establishing a unified digital identity across member states.

On 7 April 2006, the .eu top-level domain (TLD) was launched, offering businesses, citizens, and organisations a pan-EU online identity.

Over time, .eu has developed into one of the largest country-code domains globally, with millions of registrations and consistent growth.

Its technical stability and security record, including uninterrupted service since launch, have reinforced its reputation as a reliable digital infrastructure. Investments in fraud detection and data integrity have further strengthened trust in its ecosystem.

The domain has also evolved to reflect the EU’s linguistic diversity, with the introduction of internationalised domain names and additional scripts such as Cyrillic and Greek. These developments have expanded accessibility and reinforced inclusivity within the European digital space.

Looking ahead, .eu is positioned as a key instrument for advancing digital sovereignty and supporting the Single Market. Its role in global internet governance discussions is expected to grow, particularly as the EU institutions seek to shape a more open, secure, and rights-based digital environment.


The implementation of the EU AI Act with a focus on general-purpose AI models

Transition from legislation to implementation

The European Union has entered a new phase in the governance of AI, moving from the legislative adoption of the Artificial Intelligence Act (AI Act) towards its practical implementation. This phase places particular emphasis on the obligations of providers of general-purpose AI (GPAI) models, reflecting the increasing role of such systems in the broader digital ecosystem.

The AI Act, adopted in 2024, establishes a comprehensive legal framework for AI within the EU. It introduces a risk-based approach that classifies AI systems into categories ranging from minimal risk to unacceptable risk, with corresponding regulatory requirements.

According to the official text of the regulation, the framework is designed to ensure that AI systems placed on the market in the Union are ‘safe and respect existing law on fundamental rights and Union values.’

While earlier discussions around the Act focused on its legislative negotiation and scope, the current phase centres on how its provisions will be applied in practice.

General-purpose AI models within the AI Act

A key element of this implementation phase concerns general-purpose AI models. These models, which can be integrated into a wide range of downstream applications, occupy a distinct position within the regulatory framework.

The AI Act defines general-purpose AI models as systems that can be used across multiple tasks and contexts and may ‘serve a variety of purposes, both for direct use and for integration into other AI systems.’

That positioning reflects the broad applicability of these models, particularly in areas such as natural language processing, content generation, and data analysis.

The Act also recognises that the widespread deployment of such models may have implications beyond individual use cases, particularly when integrated into high-risk systems.

Obligations for providers of GPAI models

The European Commission, together with the European AI Office, has begun outlining expectations for compliance with provisions related to general-purpose AI.

According to official EU materials, providers of GPAI models are required to ensure that technical documentation is drawn up and kept up to date.


The regulation specifies that providers should ‘draw up and keep up-to-date technical documentation of the model,’ ensuring that relevant information is accessible for compliance and oversight purposes. In addition, transparency obligations require providers to make certain information available to downstream deployers.

The intention is to support the responsible integration of GPAI models into other systems.

Distinction between GPAI and systemic-risk models

The AI Act introduces a distinction between general-purpose AI models and those considered to pose systemic risk.

Models that meet specific criteria, such as scale, capability, or deployment level, may be classified as having a systemic impact.

For such models, additional obligations apply, including requirements related to evaluation, risk mitigation, and reporting. The European Commission has indicated that further guidance will clarify how systemic risk thresholds are determined, including through delegated acts and technical standards.

Role of the European AI Office in implementation

The European AI Office, established within the European Commission, plays a central role in supporting the implementation of the AI Act.

Its responsibilities include contributing to the consistent application of the regulation, coordinating with national authorities, and supporting the development of methodologies for compliance.

[Image: European AI Office. Source: digital-strategy.ec.europa.eu/en/policies/ai-office]

According to the European Commission, the AI Office is tasked with ‘ensuring the coherent implementation of the AI Act across the Union.’ The Office is also expected to contribute to the development of benchmarks, testing frameworks, and guidance documents that support both regulators and providers.

Phased implementation timeline

The implementation of the AI Act is structured as a phased process, with different provisions becoming applicable over time.

That phased approach allows stakeholders to adapt to the regulatory requirements while enabling authorities to establish enforcement mechanisms.

Provisions related to general-purpose AI models are among the earlier elements to be operationalised, reflecting their central role in the current AI landscape.

The European Commission has indicated that additional implementing acts and guidance documents will be issued as part of this process.

Coordination with national authorities

While the European AI Office plays a coordinating role at the EU level, enforcement remains the responsibility of national authorities within member states.

The AI Act establishes mechanisms for cooperation and information-sharing to support a harmonised approach across the European Union.

National authorities are expected to work closely with the AI Office and the European Commission to oversee compliance and address emerging challenges.

Stakeholder engagement and technical guidance

The implementation phase also involves engagement with a range of stakeholders, including industry actors, civil society organisations, and technical experts.

The European Commission has also initiated consultations and workshops to gather input on practical aspects of implementation, such as documentation standards and risk assessment methodologies.

This process supports the development of operational guidance applicable across sectors and use cases.

Interaction with the EU digital regulatory framework

The AI Act forms part of a broader EU digital policy framework that includes instruments such as the General Data Protection Regulation (GDPR), the Digital Services Act (DSA), and the Digital Markets Act (DMA).

These frameworks address different aspects of the digital ecosystem, including data protection, platform governance, and market competition.

The relationship between the AI Act and these instruments is expected to be clarified further during implementation.

International context: OECD and UN approaches

The governance of general-purpose AI models is also being addressed at the international level.

The OECD AI Principles state that AI systems should be ‘robust, secure and safe throughout their entire lifecycle,’ and emphasise accountability for their functioning.


At the UN level, the Global Digital Compact process addresses issues related to transparency, accountability, and oversight of digital technologies, including AI.

These initiatives provide non-binding guidance, in contrast to the legally binding framework established by the EU AI Act.

Ongoing development of technical standards

The development of technical standards is an important component of the implementation process.

The European Commission has indicated that it will work with standardisation organisations to develop specifications related to documentation, evaluation, and risk management.

These standards are expected to support the practical application of the AI Act’s provisions.

From regulatory framework to regulatory practice

The current phase of the EU AI Act marks a transition from legislative design to regulatory practice.

For providers of general-purpose AI models, this involves preparing to meet obligations related to documentation, transparency, and risk management. For regulators, the focus is on ensuring consistent application of the rules across member states, supported by coordination mechanisms and guidance from the AI Office.

The implementation process is expected to evolve as further guidance is issued.

Conclusion

The European Union’s AI Act is entering its implementation phase, with a particular focus on general-purpose AI models.

That phase involves translating the regulation’s legal provisions into operational requirements, supported by guidance from the European Commission and the AI Office.

The development of technical standards, coordination mechanisms, and compliance frameworks will play a central role in this process. As implementation progresses, further clarification is expected through additional guidance and regulatory measures, contributing to the operationalisation of the EU’s approach to AI governance.


ENISA opens public review of draft EUDI Wallet cybersecurity scheme

The European Union Agency for Cybersecurity has published a draft candidate scheme for the European Digital Identity Wallet and the electronic identity schemes under which it is provided. ENISA describes it as a draft version of the European Cybersecurity Certification Scheme for European Digital Identity Wallets.

ENISA states the draft addresses the certification of the cybersecurity of cloud services and is being developed under Article 48(2) of Regulation (EU) 2019/881, the Cybersecurity Act.

As per ENISA, an ad hoc working group has been set up to prepare the candidate scheme. The agency says the public review is intended to validate the principles and general organisation of the proposed scheme and to gather feedback on the draft and its annexes.

ENISA also says the draft candidate scheme is accompanied by an early draft of a separate document, Wallet-Related Service Provider Security Requirements, version 0.5.614, which is provided as a reference and for early opinion on the approach used to define those requirements.

The public review will remain open until the end of April 2026. ENISA has also said it will organise a webinar on 8 April to provide information about the draft candidate scheme and answer questions.


Transparency push for online advertising systems

Researchers from the University of California and Iowa have warned that structural weaknesses in the digital advertising ecosystem continue to expose advertisers to hidden risks and fraud. The study highlights how complexity and limited transparency enable manipulation across the supply chain.

A key issue identified is ‘dark pooling’, in which lower-quality advertising inventory is bundled with premium placements, obscuring their true value. This practice can mislead buyers and distort pricing across the market.

The authors argue that current safeguards fail to address these vulnerabilities effectively, as responsibilities are fragmented among multiple stakeholders. This lack of coordination allows systemic issues to persist.

To address the problem, the researchers propose a shared vulnerability notification framework involving advertisers, publishers and intermediaries. The study suggests such collaboration could strengthen accountability and improve trust in digital advertising markets in the US.


Student AI rights framework unveiled

A newly released ‘Student AI Bill of Rights’ in the US outlines a proposed framework to protect learners as AI tools become increasingly widespread in education. The initiative aims to establish clear standards for fairness, transparency and accountability.

The document highlights the need for students to be informed when AI systems are used in teaching, assessment or administration. It also stresses that students should retain control over their personal data and academic work.

Another central principle is accountability, with students given the right to question and appeal decisions made or influenced by AI systems. The framework also calls for safeguards to prevent bias and ensure equal access to educational opportunities.

While not legally binding, the proposal is designed to guide higher education institutions in developing responsible AI policies. It reflects growing efforts to define ethical standards for AI use in education in the US.


UK Research and Innovation review calls for reform at The Alan Turing Institute

An independent review by UK Research and Innovation has assessed the performance of The Alan Turing Institute. The evaluation examined whether the institute meets expectations as a national centre for AI and data science.

Findings recognise scientific excellence, strong partnerships and valuable contributions within the UK research system. However, the review identifies the need for a clearer strategic purpose and stronger delivery.

The panel concludes that alignment with national priorities and value for money are not yet satisfactory. Recommendations include improved governance, clearer prioritisation and renewed external scientific scrutiny.

Additional proposals call for stronger stakeholder engagement and a defined mission focused on resilience, security and defence. A framework for value for money is also expected to be agreed with the Engineering and Physical Sciences Research Council.

UK Research and Innovation will work with the institute’s leadership and partners to implement the changes. A development plan is expected by September 2026, with further assessment to follow.


ENISA conference in Cyprus to focus on EU cybersecurity certification

The European Union Agency for Cybersecurity (ENISA) is holding the 2026 European Cybersecurity Certification Conference in Ayia Napa, Cyprus, with support from the Cyprus Presidency of the Council of the EU and the European Commission.

The agency says the conference will address the evolution of EU cybersecurity certification, updates on certification schemes for the European Digital Identity Wallet and managed security services, exchange across the European cybersecurity ecosystem, and the interplay with the Cyber Resilience Act, the Cyber Solidarity Act, and NIS 2.

The programme includes keynote contributions from Despoina Spanou, Deputy Director-General for Communications Networks, Content and Technology at the European Commission, Juhan Lepassaar, Executive Director of ENISA, and Kyriakos Iordanou, General Manager at the Ministry of Energy, Commerce and Industry of Cyprus.

It also includes a presentation by Steffen Zimmermann, Head of Industrial Security at VDMA, followed by an EU cybersecurity certification award ceremony involving Chloe Blondeau, Seconded National Expert at ENISA.

Sessions on ‘CSA2’, the European Digital Identity Wallet, conformity assessment bodies, national accreditation bodies, certification bottlenecks, and managed security services are also included in the agenda.

Speakers listed in the programme include Maika Fohrenbach, Head of Sector for product security and certification policy at DG CONNECT, Apostolos Malatras, Head of the Cybersecurity Certification Unit at ENISA, Xenia Kyriakidou, Head of the National Cybersecurity Certification Authority of Cyprus, Evgenia Nikolouzou, Cybersecurity Expert at ENISA, and Nikolaos Soumelidis, IT/Cyber Security Certifications Director at Q-CERT.

Franz Weprazjetzky of the European Commission, Vicente Gonzalez Pedros, Cybersecurity Expert at ENISA, and Philippe Blot, Deputy Head of Unit and Head of Sector in the Cybersecurity Certification Unit at ENISA, are also listed in the programme.


ENISA launches consultation on EU digital wallet certification

The European Union Agency for Cybersecurity (ENISA) has launched a public consultation on a draft candidate certification scheme for EU Digital Identity (EUDI) Wallets.

The draft was developed with a dedicated ad hoc working group, and the consultation aims to gather feedback on its structure, core elements, and annexes. Responses are open until 30 April 2026.

The initiative follows the adoption of a regulation establishing the European Digital Identity Framework. The European Commission has mandated ENISA to support the certification of EUDI Wallets, including the development of a European cybersecurity certification scheme under the Cybersecurity Act.

The objective is to define cybersecurity requirements for digital identity solutions and support their consistent implementation across the EU.

In February 2026, ENISA signed a €1.6 million contribution agreement with the European Commission for two years to support the development and rollout of national certification schemes.

Funded under the Digital Europe Work Programme 2025–2027, the agreement supports capacity development, skills development, and alignment with a future European certification framework. Member states are expected to provide at least one certified EUDI Wallet by the end of 2026.

Digital identity wallets are intended to enable secure identification and the protection of personal data in both digital and physical environments.

The proposed certification scheme aims to verify compliance with cybersecurity requirements, addressing the limited use of formal certification in current wallet implementations.

The initiative carries significant regulatory weight as it translates the European Digital Identity Framework into enforceable cybersecurity standards. It ensures harmonised compliance across member states while strengthening trust, interoperability, and legal certainty within the EU’s digital identity ecosystem.


EU delegation in China calls for sustainable e-commerce and safety standards

Members of the European Parliament (MEPs) completed a visit to Beijing and Shanghai to address pressing e-commerce challenges affecting the European single market.

The delegation studied local business models and market supervision frameworks, engaging with Chinese regulators, e-commerce platforms, and EU company representatives.

The discussions highlighted the surge of parcels from China, which now account for 91% of small shipments to Europe, and the resulting pressures on fair competition.

MEPs stressed that regulatory compliance must be consistent across all operators, ensuring consumer protection is not compromised by disparities in market practices or enforcement gaps.

The delegation urged representatives of e-commerce platforms to implement preventive measures, reinforcing accountability in areas such as product safety, customs compliance, and the removal of unsafe goods from the market.

MEPs underscored that these standards are essential to maintaining a sustainable and secure e-commerce environment for European citizens.

The visit, the first in eight years, demonstrated the EU’s commitment to safeguarding consumer rights, strengthening international cooperation, and ensuring digital commerce evolves in a manner that is fair, transparent, and safe for all citizens.
