The Code of Practice is a helpful starting point, but it does not write your assurance process for you. Most buyers want something simpler: predictable documents on each release, clear responsibilities, and a way to pause when confidence is missing. This piece outlines a lean approach that works now and converts naturally into EN‑aligned assurance later on.
From 2 August 2025, GPAI obligations apply to new models. For existing models, the transition runs until 2 August 2027. The Code, the Guidelines, and the Public Summary template are the practical bundle to start with today.
Why vendor assurance matters now
In earlier posts I showed how to embed the GPAI Code in procurement (procurement under the EU AI Act) and how to publish a useful Public Summary (Public Summary of training content). The next step is to bring those strands together. Vendor assurance turns transparency into something you can actually rely on: up‑to‑date documents, a steady cadence, and the willingness to zoom in when something does not add up. It keeps decisions about integration grounded in facts rather than in assumptions.
From code to evidence
The essentials are modest and concrete. An up‑to‑date Model Documentation Form is your backbone. Next to it sits the Public Summary with a link and a date. Explain how text‑and‑data‑mining opt‑outs are respected, how complaints are handled, and how removal requests flow through. On the safety side, show how risks are managed, which evaluations and benchmarks you ran, and which incidents triggered improvements. These artefacts are not paperwork for its own sake; they are the same materials your teams need to use the model responsibly.
How to judge quality
A questionnaire without evidence is little help. Ask for a compact bundle of documents and links on every release and read it with two simple questions in mind: is it complete, and is the rhythm there? Good assurance looks boring on purpose. Changes are recorded, limitations are stated plainly, and the documentation lines up with your own risk view. If essentials keep missing or opt‑outs are ignored in practice, you have a clear place to stop and reconsider terms.
Contract terms that hold up
Write down what you expect at three moments: at the start, on each release, and when incidents occur. At the start, agree which documents you receive and how quickly changes are reported. On each release, update the documentation and include a simple changelog. For incidents, keep the reporting line short and follow up with a clear account of cause and fix. If there are sub‑vendors in the chain, make the same terms flow down. When the base model changes, reassess.
Towards EN standards
By EN standards I mean official European Norms (EN) adopted by bodies like CEN and CENELEC. When the European Commission lists such norms as “harmonised”, they create a presumption of conformity: follow the norm and you are, in principle, compliant with the relevant legal requirements. For AI, expect concrete, testable requirements on transparency, safety and security, risk management, data governance, and monitoring. Many EN standards build on ISO/IEC documents that have been adopted in Europe.
You can run a pragmatic process against the Code of Practice today and map it to those EN standards later without rebuilding. Choose formats that are easy to reuse, put an annual assurance checkpoint on the calendar, and maintain a short gap analysis. When the texts are final, you can align your process without starting from scratch.
Public sector, FRIA and DPIA
For public bodies and services of public interest, vendor assurance lands directly in FRIA and often also in DPIA. There is no need to duplicate effort. Reuse the same artefacts in your assessments, refer to them rather than copying, and keep update moments in sync. For background, see DPIA vs FRIA.
Closing thoughts
Start small and make it regular. Ask for a filled‑in model document, a dated Public Summary, and a short changelog. Add simple terms on updates and incidents, and write them into your contract. Within weeks you will have a vendor‑assurance routine that scales with you and slots neatly into EN‑aligned audits when the time comes.