Open-Source AI and EU Privacy Standards

Summary

Open-source AI refers to artificial intelligence models whose code and data are publicly available for anyone to use, adapt, or share, while EU privacy standards set strict rules to protect individuals’ personal data within the European Union. As AI development accelerates, ensuring that open-source models comply with EU privacy laws—like the upcoming AI Act—has become a central challenge for organizations, developers, and policymakers.

  • Prioritize data protection: Always ensure that any AI system handling personal data follows the EU's rules for privacy, including clear documentation, data minimization, and robust security measures.
  • Evaluate risks early: Before deploying open-source AI, conduct thorough risk assessments focusing on fairness, transparency, and accountability, and be prepared to provide evidence of compliance if required.
  • Stay updated on regulations: Regularly review evolving EU guidance and frameworks, since open-source AI models may face unique obligations or challenges under new rules like the AI Act and related Codes of Practice.
Summarized by AI based on LinkedIn member posts
  • Sebastian Mueller

    Follow Me for Venture Building & Business Building | Leading With Strategic Foresight | Business Transformation | Modern Growth Strategy

    26,879 followers

    Sovereign AI: Germany’s Competitive Edge Just Moved Back Home — Will You?

    What does ChatGPT-oss mean for AI? It means the smartest models no longer have to live in someone else’s cloud. OpenAI’s new open-weight releases — from laptop-friendly gpt-oss-20b to the heavyweight gpt-oss-120b — can be downloaded, fine-tuned and served behind your own firewall under an Apache-2.0 licence. “Local-first” just became enterprise-grade.

    Now overlay that with the calendar: on 2 August 2025 the EU AI Act begins levying fines of up to €35 million for any model that can’t prove exactly where its data came from. Seventy-one per cent of German executives already insist that AI touching personal data be European-made.

    Put the regulation and the tech together and the strategic split becomes obvious:

    - House intelligence, on-prem.
      - Mid-size models answer day-to-day questions with crown-jewel data that never crosses a cable.
    - Visiting professors, in the cloud.
      - Trillion-parameter giants are summoned only for the truly novel problems local brains can’t crack.

    The payoff is immediate: latency falls from nine seconds to two, audit trails shrink from binders to log lines, and the per-token bill for predictable workloads disappears.

    Keep the magic, share the mystery

    1. Lock up the secret sauce. Raw CRM, CAD and sensor logs stay inside the building — full stop.
    2. Mask everything else. A gateway tokenises prompts, hashes embeddings and stamps every request with policy metadata before it leaves the LAN.
    3. Escalate sparingly. Only the hardest 5-10 % of queries burst to confidential GPUs in a regional cloud. The answer returns scrubbed, detokenised and cached locally so the next one never leaves.

    End result: privacy where it matters, limitless IQ where it counts — and neither side sees more than it should.

    AI is no longer a binary choice between “all-in cloud” and a nostalgic server room. It’s a division of labour: Local models whisper the company secrets. Cloud models shout only when the problem demands thunder.

    Keep the secrets in the building; rent the genius only when the question truly needs thunder. Draw that line — thin, sharp and newly draw-able — before your competitors do.

    https://lnkd.in/eehFpV9v #AI #Business #Transformation #Digital

  • Eugina Jordan

    CEO and Founder YOUnifiedAI I 8 granted patents/16 pending I AI Trailblazer Award Winner

    41,931 followers

    Understanding AI Compliance: Key Insights from the COMPL-AI Framework ⬇️

    As AI models become increasingly embedded in daily life, ensuring they align with ethical and regulatory standards is critical. The COMPL-AI framework dives into how Large Language Models (LLMs) measure up to the EU’s AI Act, offering an in-depth look at AI compliance challenges.

    ✅ Ethical Standards: The framework translates the EU AI Act’s 6 ethical principles—robustness, privacy, transparency, fairness, safety, and environmental sustainability—into actionable criteria for evaluating AI models.
    ✅ Model Evaluation: COMPL-AI benchmarks 12 major LLMs and identifies substantial gaps in areas like robustness and fairness, revealing that current models often prioritize capabilities over compliance.
    ✅ Robustness & Fairness: Many LLMs show vulnerabilities in robustness and fairness, with significant risks of bias and performance issues under real-world conditions.
    ✅ Privacy & Transparency Gaps: The study notes a lack of transparency and privacy safeguards in several models, highlighting concerns about data security and responsible handling of user information.
    ✅ Path to Safer AI: COMPL-AI offers a roadmap to align LLMs with regulatory standards, encouraging development that not only enhances capabilities but also meets ethical and safety requirements.

    Why is this important?

    ➡️ The COMPL-AI framework is crucial because it provides a structured, measurable way to assess whether large language models (LLMs) meet the ethical and regulatory standards set by the EU’s AI Act, which come into play in January of 2025.
    ➡️ As AI is increasingly used in critical areas like healthcare, finance, and public services, ensuring these systems are robust, fair, private, and transparent becomes essential for user trust and societal impact. COMPL-AI highlights existing gaps in compliance, such as biases and privacy concerns, and offers a roadmap for AI developers to address these issues.
    ➡️ By focusing on compliance, the framework not only promotes safer and more ethical AI but also helps align technology with legal standards, preparing companies for future regulations and supporting the development of trustworthy AI systems.

    How ready are we?

  • Alex Issakova

    Your team is already using AI. Make sure they’re using it well. | AI Trainer | Silicon Valley · Since 2013 · Human-first · Practical · Ethical | Keynote Speaker: AI Strategy & Leadership

    29,826 followers

    What if AI wasn’t owned by Big Tech? Switzerland has an answer.

    When it comes to AI, the headlines are dominated by technical specs:

    - GPT-5’s 400K token context window
    - Claude’s 1M token memory
    - Benchmarks that feel like an arms race

    But raw capability isn’t the whole story. Switzerland’s upcoming open-source LLM — built by ETH Zurich, EPFL, and the Swiss National Supercomputing Centre — reminds us there are other dimensions where AI must compete: ethics and economics. And on those fronts, Switzerland may prove the real rival.

    🌍 1. Multilingual by Design

    Most commercial LLMs are English-first. They translate into other languages, but that’s not the same as being trained on them. Why does this matter?

    - Accuracy & Bias: Translation distorts nuance.
    - Access: Billions of people shouldn’t need English to access AI’s benefits.
    - Future of Work: Global collaboration only works if AI tools understand everyone natively.

    Switzerland’s model is trained on 1,000–1,500 languages. An unprecedented push for linguistic inclusion. That’s not just a feature. It’s a statement about who AI is for.

    💰 2. Open License, New Economics

    Switzerland’s LLM will be released under Apache 2.0, meaning anyone can use, adapt, and deploy it. This completely changes the economics of AI for businesses:

    - From Rent to Ownership: Instead of paying per query, companies can self-host.
    - CapEx > OpEx: AI shifts from SaaS tax to infrastructure you own and optimise.
    - Customisation Without Premiums: Fine-tune for your industry without enterprise-only contracts.
    - Global Equity: Startups and SMEs outside the U.S. gain access without U.S. SaaS pricing.

    This could be AI’s Linux moment where open models pressure the entire industry to rethink how AI is priced and delivered.

    ⚖️ 3. Ethics Built-In, Not Bolted-On

    - Switzerland: EU AI Act-ready from day one. Transparent datasets. Privacy by design. Auditable by the public.
    - OpenAI: Ethics mostly handled through output filters and usage restrictions — layered after training.
    - Anthropic: “Constitutional AI” — still closed, centralised.

    The difference? Switzerland is making ethics a foundation, not a patch. For governments, educators, and regulated industries, that’s not just attractive, it’s essential.

    🚀 The Bigger Point

    Switzerland’s model may not (yet) match GPT-5’s 400K context window or Claude’s million-token memory. But it challenges them where it matters most:

    - Who AI serves (multilingual inclusion)
    - Who controls AI (open licence vs. corporate lock-in)
    - How AI is governed (ethics built in, not bolted on)

    That’s why we should pay attention. Because the real rivalry in AI isn’t just about scale. It’s about what values we choose to embed in the systems that will shape our future of work, education, and society.

    👉 The Swiss LLM isn’t just another model. It’s a blueprint for a different kind of AI future.

    ♻️ If this resonated, share it. Someone needs this reminder today.
    🔔 Follow Alex Issakova for more reflections on building a life without burning out.

  • The EDPS - European Data Protection Supervisor has issued a new "Guidance for Risk Management of Artificial Intelligence Systems." The document provides a framework for EU institutions acting as data controllers to identify and mitigate data protection risks arising from the development, procurement, and deployment of AI systems that process personal data, focusing on fairness, accuracy, data minimization, security and data subjects’ rights. Based on ISO 31000:2018, the guidance structures the process into risk identification, analysis, evaluation, and treatment — emphasizing tailored assessments for each AI use case.

    Some highlights and recommendations include:

    - Accountability: AI systems must be designed with clear documentation of risk decisions, technical justifications, and evidence of compliance across all lifecycle phases. Controllers are responsible for demonstrating that AI risks are identified, monitored, and mitigated.
    - Explainability: Models must be interpretable by design, with outputs traceable to underlying logic and datasets. Explainability is essential for individuals to understand AI-assisted decisions and for authorities to assess compliance.
    - Fairness and bias control: Organizations should identify and address risks of discrimination or unfair treatment in model training, testing, and deployment. This includes curating balanced datasets, defining fairness metrics, and auditing results regularly.
    - Accuracy and data quality: AI must rely on trustworthy, updated, and relevant data.
    - Data minimization: The use of personal data in AI should be limited to what is strictly necessary. Synthetic, anonymized, or aggregated data should be preferred wherever feasible.
    - Security and resilience: AI systems should be secured against data leakage, model inversion, prompt injection, and other attacks that could compromise personal data. Regular testing and red teaming are recommended.
    - Human oversight: Meaningful human involvement must be ensured in decision-making processes, especially where AI systems may significantly affect individuals’ rights. Oversight mechanisms should be explicit, documented, and operational.
    - Continuous monitoring: Risk management is a recurring obligation — institutions must review, test, and update controls to address changes in system performance, data quality, or threat exposure.
    - Procurement and third-party management: Contracts involving AI tools or services should include explicit privacy and security obligations, audit rights, and evidence of upstream data protection compliance.

    The guidance establishes a practical benchmark for embedding data protection into AI governance — emphasizing transparency, proportionality, and accountability as the foundation of lawful and trustworthy AI systems.

  • Ben Brooks

    Policy @ Black Forest Labs & Affiliate @ Harvard BKC | ex-Stability AI | GoogleX | Uber | Coinbase

    5,035 followers

    The EU draft AI Code of Practice could affect open models and small developers in unintended ways. The draft Code (which outlines how model developers can comply with the AI Act):

    1. Defines systemic risk too broadly. An open model with systemic risk is not exempt from the AI Act, and a lot depends on how the EU defines systemic risk.* However, the Code endorses an impossibly nebulous list of risks, including: persuasion, "loss of trust in media", “large-scale discrimination”, and "oversimplification of knowledge". Yet these are not model-layer risks, and aren't amenable to precise evaluation. Any 2B model can be easily tuned into a disinformation parrot or spambot. We need to be careful lifting regulatory language from ethics literature.
    2. Envisions pre-deployment audits. Developers of these models must submit to “independent testing” and file a safety report before deployment. But the Act did not mandate third-party testing or reporting before deployment. The Code would prevent an open release until the AI Office and “appropriate third party evaluators” have finished their work.
    3. Requires developers to test the unforeseeable. Developers must test not just "reasonably foreseeable" applications but also applications that expose the model’s “maximum potential” for systemic risk. It's a costly and indeterminate obligation that means testing for possible risks—not just foreseeable or probable risks. And it becomes more difficult and expensive in an open source context, where developers can modify or integrate the model in ways that aren’t possible in a paywalled API environment.
    4. Doesn't clarify the urgent obligations. All developers need to understand how to comply with e.g. opt-outs. The Code defers the question, requiring developers to "make best efforts" with "widely used standards". But there are still no widely used standards (especially for text data) and developers are already training models that will be subject to the Act. If it’s unclear how to comply, that exposes all developers to potential litigation—especially those with open datasets or auditable models.
    5. Requires developers to draw a line in the sand. Developers must identify conditions under which they would pause, withdraw, or delete models. This isn’t the first attempt to crystallize risk thresholds (see e.g. WH or SB1047), and the Code doesn’t mandate a specific threshold. But if regulators disagree, or if thresholds vary widely—as they certainly will—that could trigger future intervention that adversely impacts open models.

    To be clear, no one expects the EU to enforce the Code in a plainly ridiculous or adverse way. I know from experience the AI Office is led by good people who value open innovation in Europe. But the unintended effects of well-meaning rules can be significant. We should use this opportunity to get it right from day one.

    * Still TBD whether the threshold will be 1E25 FLOP alone, or include other criteria e.g. audiovisual risks like NCII.

  • Yacine Jernite

    Head of Machine Learning and Society at Hugging Face

    1,893 followers

    EU AI Act x Open Source continued: Understanding GPAI Obligations; and whether they apply to you 🇪🇺

    Today we're releasing a new guide as a joint effort between researchers at Hugging Face, The Linux Foundation, and Mozilla to help developers understand the new EU AI Act obligations for General Purpose AI models that just came into force on August 2nd: https://lnkd.in/eSWjgrJW

    A lot of effort went into making sure that the AI Act meets its goals in a way that works with rather than against open research and open-source 🤝🇪🇺 The result is pretty positive overall - most developers training and releasing models for research or outside of a commercial activity can continue building and sharing them without any changes, and non-"systemic risk" models released under an open-source license are exempt from obligations that are redundant or incompatible with open sharing 🔍🤗

    Still, given the sheer length of the AI Act text and assorted official guidance from the European Commission (including the Code of Practice, GPAI guidance, data transparency template, etc.), it can be difficult for individual developers to understand which models fall within or without the scope of the regulation, to what extent exemptions apply, and how to comply with the relevant obligations - which is why we worked on distilling information from all of these sources along with Cailean Osborne, Maximilian Gahntz, Lucie-Aimée Kaffee, Bruna Sellin Trevelin, and Brigitte Tousignant 📚

    Go have a look at our guide and interactive app, drop us a comment here or on HF, and let us know what other questions have come up for you regarding the AI Act and open-source and open science AI!

    - Blog post: https://lnkd.in/ewTWmDH6
    - User Journey App for GPAI developers: https://lnkd.in/e726q8-5
    - Discussion thread on Hugging Face: https://lnkd.in/eTVPwyfq

  • The European Commission published official guidelines for general-purpose AI (GPAI) providers under the EU AI Act. This is especially relevant for any teams working with foundation models like GPT, Llama, Claude, and open-source versions.

    A few specifics I think people overlook:

    - If your model uses more than 10²³ FLOPs of training compute and can generate text, images, audio, or video, guess what…you’re in GPAI territory.
    - Providers (whether you’re training, fine-tuning, or distributing models) must:
      - Publish model documentation (data sources, compute, architecture)
      - Monitor systemic risks like bias or disinformation
      - Perform adversarial testing
      - Report serious incidents to the Commission
    - Open-source gets some flexibility, but only if transparency obligations are met.

    Important dates:

    - August 2, 2025: GPAI model obligations apply
    - August 2, 2026: Stronger rules kick in for systemic risk models
    - August 2, 2027: Legacy models must comply

    For anyone already thinking about ISO 42001 or implementing Responsible AI programs, this feels like a natural next step. It’s not about slowing down innovation…it’s about building AI that’s trustworthy and sustainable.

    https://lnkd.in/eJBFZ8Ki

  • Luiza Jarovsky, PhD

    Co-founder of the AI, Tech & Privacy Academy (1,400+ participants), Author of Luiza’s Newsletter (94,000+ subscribers), Mother of 3

    131,264 followers

    🚨 BREAKING: Meta claims that its AI model Llama 4 is open-source. However, according to the latest EU guidelines, the company will likely NOT be able to benefit from the EU AI Act's open-source exemptions:

    A few days ago, the EU Commission released its "Guidelines on the scope of obligations for providers of general-purpose AI models under the AI Act." Among the topics covered are the exemptions from certain EU AI Act obligations for some AI models released as open-source (pages 21-25).

    First, it's important to remember that being considered open-source under the EU AI Act is a big deal from a compliance perspective, as the following obligations will not apply (unless the AI model is classified as a general-purpose AI model with systemic risk):

    - Article 53(1), point (a): "draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in Annex XI for the purpose of providing it, upon request, to the AI Office and the national competent authorities"
    - Article 53(1), point (b): "draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems"
    - Article 54 AI Act, on the obligation to appoint an authorized representative for providers of general-purpose AI models established in 3rd countries.

    So, which models can be considered open-source? To qualify for the exemptions, the AI model must be released under a "free and open-source licence that allows for the access, use, modification, and distribution of the model."

    As a group of EU lawmakers have already criticized in the past, Meta's Llama license has specific prohibitions and conditions, including forcing those who develop a successful AI system based on Llama to negotiate a special license with them. When reading the EU's latest guidelines, it seems that these restrictions make Llama ineligible to benefit from the open-source exemptions. Why?

    The EU states it only allows very limited licensing conditions restricting access, use, modification, or distribution, including the requirement of "crediting the author(s) and retaining their copyright notice (attribution)." The EU also states that: "the recipient of the licenced model should be able to modify it and redistribute the resulting derivative work under different licence terms, including closed-source proprietary terms."

    I'm adding the link to the full guidelines below. Pages 21-25 cover open-source conditions.

    As I told you in my recent post about Meta REFUSING to sign the code of practice for general-purpose AI: Meta is unhappy with the EU AI Act as a whole, and its legal disputes with the EU regarding AI compliance are likely just starting...

    👉 Never miss my analyses and curations on AI: join my newsletter's 69,600+ subscribers (link below).
