Analyzing SSF Requirements in the GPAI Code of Practice: A Case Study using Anthropic’s Frontier Compliance Framework

Published: March 20, 2026
Authors: Max Schaffelder, Malcolm Murray

Contributions

The main contributions of this blog post are: 

  1. providing a translation of the EU AI Act’s Code of Practice into a detailed list of requirements for Safety and Security Frameworks (SSFs), which AI companies can consult when creating or revising their own SSFs; 
  2. providing an initial example of how a public-facing SSF can be assessed against the requirements of the Code of Practice. 

With these, we hope to contribute to the development of increasingly sound risk management frameworks at AI companies.

Introduction

In July 2025, the EU GPAI Code of Practice (CoP) was released, specifying (in Measure 1.1) what providers of general-purpose AI models need to include in their Safety & Security Frameworks (SSFs). In December 2025, Anthropic released their Frontier Compliance Framework (FCF; updated March 2026 [1]), the first public summary of an SSF explicitly designed to align with the CoP. This blog post breaks down the CoP’s SSF requirements and analyzes how well they are addressed in the example FCF from Anthropic. Through this, we aim to 1) provide a resource for companies seeking to create or revise their own frameworks and 2) offer an initial evidence base for how current industry practice maps onto specific Code of Practice requirements.

We assess the public-facing version of the FCF, which, as per Measure 10.2, is a summary of the more complete SSF provided to the EU AI Office. Although the public-facing SSF version is necessarily incomplete, we believe assessing it can provide valuable information on how AI providers address the SSF requirements of the CoP. Measure 10.2 specifies that the public summary may omit information if releasing it could undermine the effectiveness of mitigations or if it is needed to protect commercial information. At the time of writing, there is not yet any consensus on how much information can or should be redacted [2]. However, as of our current understanding, most requirements in Measure 1.1 would not be expected to reach such a level of sensitivity as to be affected by the exemption criteria. Thus, where information is missing from the public summary or only superficially addressed, we believe this can be indicative of its absence from the full framework. Further, if certain information is in fact deliberately withheld to protect mitigation effectiveness, the omission should be clearly marked.

Method

Measure 1.1 of the CoP specifies what SSFs need to include. To perform our analysis, we first extract the atomic (i.e., individually assessable) requirements from Measure 1.1. Since Measure 1.1 incorporates requirements from several other measures by reference, our analysis includes these as well. We then evaluate the example FCF against the resulting list of requirements. The results of this analysis, along with our assessment rubric, are provided in Table 1. We provide an assessment using a four-point scale (present, mostly present, mostly absent, absent) with reasoning for each assessment, quoting from the framework where possible. We also have two additional categories: requirements that are not necessary given their scope (“N/A”) and requirements that we cannot assess (“Assessment omitted”). When we cannot make an assessment, we provide our rationale. Our translation of the CoP text into atomic requirements can be found in Appendix A.

Results

We derive 46 requirements from the CoP (see Appendix A). When mapped to the example FCF, we find that 14 are absent, 11 are mostly absent, 3 are mostly present, 7 are present, and 11 are omitted or not required for this framework. This analysis reveals eight key takeaways:

  1. Risk acceptance determination (requirements 21, 22): Descriptions of the risk acceptance determination process are mostly absent. 
  2. Measurability of risk tiers (requirement 17): The amount of concrete information per risk tier is insufficient for proper measurement. 
  3. Risk responsibility definitions and allocation (requirements 37-43): Risk responsibilities are mostly undefined, and the allocation of resources and responsibility is mostly absent.
  4. Specifications of safety margins (requirements 25-30): Beyond brief assertions of their existence and appropriateness, no details are provided on safety margins for risk tiers.
  5. Linking of mitigations to risk tiers (requirements 31, 32): No specific mitigations are linked to individual risk tiers. 
  6. Justifications for decisions made (requirements 11, 13, 23, 24, 34): No justifications are given for the trigger points for lighter-touch evaluations, risk acceptance criteria, risk tiers, or timeline estimates.
  7. Timeline estimates (requirement 33): No timeline estimates are provided for when models may exceed the highest currently reached risk tier.
  8. Influence of external actors on decision-making (requirements 35, 36): There is no description of the influence of external actors on the development, deployment, and use of models.

We elaborate on each of these takeaways in the following paragraphs.

Discussion

Risk acceptance determination

The FCF states that Anthropic “determine[s] acceptability by reviewing [their] risk tiers” (FCF §2.3), but does not provide details on what this review process entails. CoP §4.1(2) requires Signatories to “describe how” tiers will be used to determine the acceptability of risk. To be compliant, it seems this description would need to provide additional operational detail beyond restating the CoP’s requirements. As the FCF does not provide criteria for what makes risks acceptable or unacceptable (requirements 21 and 22), it is difficult to assess the adequacy of the process for these decisions.

Measurability of risk tiers

Most risk tiers contain quite ambiguous phrasing, e.g., “meaningful technical assistance for active cyber operations using known attack techniques and methodologies” (FCF §2.4). Some show an effort to include more specific thresholds. For example, CBRN Tier 2 applies to models with the ability to “significantly” help creation of chemical or bioweapons “with potential for catastrophic damages far beyond those of past catastrophes in this category such as COVID-19” (FCF §2.4). Similarly, harmful manipulation Tier 1 includes models that can automate “>50% of steps normally requiring multiple sophisticated adversarial actors” (FCF §2.4). However, combining these thresholds with vague wording like “significantly” or “sophisticated” limits their measurability in practice (requirement 17).

Risk responsibility definitions and allocation

The FCF provides little information regarding the definition of risk responsibility (requirements 37-41) and its allocation (requirement 43). The CoP calls for defining and allocating the responsibilities for systemic risk oversight, ownership, support and monitoring, and assurance. The FCF provides some of this, but not all:

  1. For systemic risk oversight, the board of directors of Anthropic Ireland Limited is assigned responsibility for overseeing “material updates” in the update and approval process (FCF §7.1) as well as the implementation (FCF §6) of the Framework. However, without further details, it is unclear whether this covers the CoP’s requirements for systemic risk oversight (requirements 37, 43). 
  2. Risk ownership responsibility is partially covered: The responsibility for managing the response to serious AI incidents is clearly defined through the “AI Incident Commander” role (requirement 39). There is also one mention of a “risk owner” (FCF §2.5), although without specifying which organizational party this refers to (requirement 43), and mentioning just one assigned responsibility (documenting the “justification for proceeding”, FCF §2.5). This falls short of fully covering the responsibility for ownership of systemic risk assessment and mitigation processes and measures, which is left largely undefined and unallocated (requirement 38). 
  3. The responsibilities for systemic risk support and monitoring (requirement 40) and for systemic risk assurance (requirement 41) are neither defined nor allocated in the FCF (requirement 43).

Specifications of safety margins

The FCF does not clearly define safety margins for its risk tiers. It mentions that tiers “incorporate appropriate safety margins” (FCF §2.3), but provides no details on their design or justification for their calibration. The lack of additional information makes it difficult to assess whether the FCF meets the CoP’s requirements.

Linking of mitigations to risk tiers

No safety or security mitigations are linked to specific tiers (requirements 31, 32). The FCF addresses this only by stating that Anthropic “implement[s] safeguards proportionate to that level of risk” (FCF §2.3), whereas the CoP calls for an actual description of mitigations per risk tier. Further, the FCF states that “the specific mitigations [they] implement may be determined when the relevant risk tier is reached” (FCF §2.3). This seemingly conflicts with the CoP, which requires descriptions of the safety and security mitigations companies would implement once each systemic risk tier is reached (requirements 31, 32). It should be noted that what is required is a “high-level description”, but this seems likely to include at least a provisional mapping of individual mitigations to risk tiers.

Justifications for decisions made

The CoP requires justification of the Signatory’s risk management decisions for trigger points for lighter-touch evaluations and their usage (requirements 11, 13), risk acceptance criteria and risk tiers (requirements 23, 24), and timeline estimates (requirement 34) [3]. These are absent from the FCF.

Timeline estimates

Measure 1.1 of the CoP requires the inclusion of timeline estimates for when the Signatory’s models will reach the next risk tier (requirement 33). The FCF does not mention timeline estimates.

Influence of external actors

The CoP requires a description of the influence of external actors on the decision to proceed with development, deployment, or use of the company’s models (requirements 35, 36). The FCF only refers to external actors in the context of “developing and implementing [their] risk assessment processes” (FCF §5), which falls short of the CoP’s requirement to describe their influence on go/no-go decisions.

Note: Changes from the December 2025 to the March 2026 version

Anthropic updated its FCF while this blog post was being written. The analysis above pertains to the most recent version (March 2026). As noted in their changelog, the changes mainly affected the risk tiers. Changes we think are worth highlighting include:

  • risk tiers for harmful manipulation were added;
  • each risk category now has two tiers instead of four;
  • the “Examples” column was removed, with some examples being added to the “Description” column and others being omitted; 
  • CBRN tiers now include elements of harm-based thresholds (“damages far beyond those of past catastrophes in this category such as COVID-19”, FCF §2.4); 
  • classification into tier 1 for sabotage and loss of control is now heavily based on the role the model takes in AI development, rather than its capabilities alone (though capability is also part of the definition); and
  • tier 2 for sabotage and loss of control includes explicit justification about using AI R&D as a proxy for broader R&D capabilities.

Conclusion

We translate the text of the CoP into a set of requirements for SSFs and compare these to the first publicly available SSF specifically targeted at CoP compliance. Our analysis suggests several areas where this FCF is missing or short on details that seem required by the CoP. Accountability structures are largely absent, justifications are omitted, risk tiers and their safety margins are underspecified, and the process of risk acceptance determination is unclear. While some omissions from the public-facing framework would be justified under Measure 10.2, we are uncertain whether that would apply to these absences. We hope this analysis can prove valuable to AI companies as they create or revise their SSFs to comply with the CoP and continue down the path of promoting robust AI risk management.

Limitations

This assessment of whether information on specific requirements is present or absent in the FCF should not be understood as a formal review of compliance. Rather, it provides an indication of areas that would likely need to be expanded upon in future frameworks to clearly address the CoP’s requirements. Since our analysis is based on a public summary rather than the full internal SSF, an assessment of “absent” indicates missing information in the public document rather than necessarily reflecting gaps in Anthropic’s internal practices. 

We omitted assessments for several requirements due to:

  1. the difficulty of defining the state of the art for SSFs (requirement 2);
  2. the combination of “high-level description” language with broad requirement scope, which makes almost any level of detail arguably sufficient (requirements 3-6);
  3. the undefined and vague word “appropriate” (requirements 9, 16, 26);
  4. a requirement qualified by “as appropriate”, without criteria for determining when the requirement applies, making assessment indeterminate (requirement 42).

Future work should aim to clarify how those terms can be operationalized, and should assess the FCF and comparable frameworks against the CoP’s requirements using these clarified interpretations. 

Below is our list of requirements. We provide the requirement number, the requirement description, our assessment of the requirement’s presence in the FCF, and our reasoning for that assessment. We also provide a rubric for our assessments. A mapping from the requirements to the original CoP text, as well as an explanation of our method, can be found in Appendix A.

Rubric

  • Present: Information addressing the requirement is present, and/or no clear gaps appear.
  • Mostly present: Information addressing the requirement is mostly present, but minor gaps remain that should be addressed explicitly.
  • Mostly absent: Information addressing the requirement is mostly absent, with major gaps remaining that should be addressed explicitly.
  • Absent: No information is given that addresses the requirement, or the information given is vague to the degree that it does not provide relevant information.
  • Assessment omitted: The assessment was omitted due to difficulty rigorously operationalizing the requirement. 
  • Not required: No rating could be assigned due to the requirement not being necessary for this specific framework.
#Requirement textAssessmentReasoning
1
The Signatory has created a Framework.
PresentFramework published
2The Framework is state-of-the-art.Assessment omittedWe believe a Framework could be classified as “state-of-the-art” if it matches or exceeds the best practices present across currently or previously available Frameworks of frontier AI companies. A precise evaluation of the FCF’s alignment with this requirement would thus require a thorough assessment of other SSFs, which is beyond the scope of this blog post.
3The Framework contains a high-level description of implemented processes and measures for systemic risk assessment.Assessment omittedWe omit our assessment due to the vagueness of the “high-level” term in combination with the broad scope of the requirement.
4The Framework contains a high-level description of planned processes and measures for systemic risk assessment.Assessment omittedWe omit our assessment due to the vagueness of the “high-level” term in combination with the broad scope of the requirement.
5The Framework contains a high-level description of implemented processes and measures for systemic risk mitigation.Assessment omittedWe omit our assessment due to the vagueness of the “high-level” term in combination with the broad scope of the requirement.
6The Framework contains a high-level description of planned processes and measures for systemic risk mitigation.Assessment omittedWe omit our assessment due to the vagueness of the “high-level” term in combination with the broad scope of the requirement.
7The Framework includes a commitment to conducting lighter-touch model evaluations.PresentThe FCF includes an explicit commitment to conduct lighter-touch model evaluations:
“In addition to carrying out full Systemic Risk Assessments as described above, we conduct lighter-touch model evaluations (which may include running our automatic evaluations and  collaborating with external experts to test our models) to consider whether further  systemic risk mitigations may be required or a full Systemic Risk Assessment and Model Report update is required.” (FCF §4)
8The Framework describes trigger points for lighter-touch model evaluations.PresentThe FCF defines one trigger point in terms of time:
“Every nine months, unless an update of the relevant model is planned within a month of the trigger point” (FCF §4)

It also provides the baseline condition for starting lighter-touch evaluations: 
“A new model is in training and test model snapshots are available and appropriate for early evaluation.” (FCF §4)
9The Framework describes appropriate trigger points for lighter-touch model evaluationsAssessment omittedWe omit our assessment due to the current lack of clarity on what would make trigger points “appropriate”.
10The Framework defines trigger points for lighter-touch model evaluations along the entire model lifecycle.Mostly absentTrigger points are set in terms of time (“every nine months”, FCF §4), and training-phase milestones (“snapshots”, FCF §4), but no lifecycle stage-dependent triggers are defined for stages after training finishes (e.g., deployment, fine-tuning, affordance changes, user access expansion, etc.)
11The Framework’s trigger points for lighter-touch model evaluations are justified.AbsentThe FCF includes a description of the purpose of the triggers and what they trigger, but does not justify the chosen trigger points. (FCF §4)
12The Framework describes the usage of trigger points for lighter-touch model evaluations (i.e., what actions or evaluations are initiated when trigger points are passed).Mostly presentThe FCF includes a brief explanation of what lighter-touch evaluations could look like and what those might result in:
“We conduct lighter-touch model evaluations (which may include running our automatic evaluations and collaborating with external experts to test our models) to consider whether further systemic risk mitigations may be required or a full Systemic Risk Assessment and Model Report update is required.” (FCF §4)
13The Framework justifies the usage of trigger points for lighter-touch model evaluations (i.e., what actions or evaluations are initiated when trigger points are passed).AbsentThe FCF describes the purpose of the trigger points and what they trigger, but does not justify how they are used. (FCF §4)
14The Framework defines systemic risk tiers for each identified systemic risk.PresentThe FCF defines risk tiers for cyber offense, CBRN, harmful manipulation, and loss of control.
15The Framework defines systemic risk tiers in terms of model capabilities.PresentEach tier includes a description of model capabilities at that level.
16The Framework defines appropriate systemic risk tiers.Assessment omittedWe omit our assessment due to the current lack of clarity on what makes systemic risk tiers “appropriate”.
17The Framework defines measurable systemic risk tiers.Mostly absentMost risk tiers contain quite ambiguous phrasing, e.g.:
“Meaningful technical assistance for active cyber operations using known attack techniques and methodologies.” (FCF §2.4).

Some risk tiers show an effort to include more specific thresholds. For example, CBRN Tier 2 applies to models with the ability to “significantly” help creation of chemical or bioweapons “with potential for catastrophic damages far beyond those of past catastrophes in this category such as COVID-19” (FCF §2.4). Similarly, harmful manipulation Tier 1 includes models that can automate “>50% of steps normally requiring multiple sophisticated adversarial actors” (FCF §2.4). However, the combination with vague wording like “significantly” or “sophisticated”  limits their measurability in practice.
18The Framework includes at least one systemic risk tier that has not yet been reached by the Signatory’s models.Mostly presentThe FCF formally satisfies this requirement by defining two tiers per risk category, where Tier 2 appears unreached for most categories based on evidence from the Opus 4.6 system card and sabotage risk report. However, the FCF does not explicitly map current models to specific tiers, making this requirement difficult to verify for certain. The tier descriptions are also sufficiently vague that boundary cases are hard to assign. For cyber offense specifically, the system card acknowledges that Opus 4.6 “has saturated all of [their] current cyber evaluations” (Claude Opus 4.6 System Card §1.2.4.3), meaning accurate tier placement may no longer be possible with existing benchmarks. This raises the concern that higher tiers may have been reached without adequate measurement to confirm or rule out this possibility.
19The Framework defines other systemic risk acceptance criteria if risk tiers are not suitable and the systemic risk is not a specified systemic risk.Not requiredNot required if only specified systemic risks are covered, as is the case here.
20The Framework defines other appropriate systemic risk acceptance criteria if risk tiers are not suitable and the systemic risk is not a specified systemic risk.Not requiredNot required if only specified systemic risks are covered, as is the case here.
21The Framework describes how risk tiers or other criteria will be used to determine whether each systemic risk is acceptable (i.e., how these tiers/criteria link to the identified systemic risk acceptance criteria).Mostly absentThe FCF does not describe how risk tiers were used for risk acceptance determination, only including vague statements: 
“The acceptability of residual risk depends on the scale and probability of harm and the potential consequences should harm occur” (FCF §2.3). 
“We determine acceptability by reviewing our risk tiers” (FCF §2.3).

These affirm that risk tiers are used for decision making and acceptability determination, but do not describe how.
22The Framework describes how risk tiers or other criteria will be used to determine whether overall systemic risk is acceptable (i.e., how these tiers/criteria link to the overall systemic risk acceptance criteria).Mostly absentSee requirement 21.

For overall risk specifically, the FCF states that their “systemic risk tiers guide decisions on whether additional mitigations are required to keep overall systemic risk at an acceptable level prior to model release” (FCF §2.5). However, it does not describe how this is done.
23The Framework justifies how their risk tiers or other criteria ensure the identified systemic risk is acceptable.AbsentNo justification included.
24The Framework justifies how their risk tiers or other criteria ensure overall systemic risk is acceptable.AbsentNo justification included.
25The systemic risk acceptance criterion incorporates a safety margin for each identified systemic risk.Mostly absentThe FCF states that safety margins are included, but the safety margin is not referenced in the risk acceptance criteria (in this case, risk tiers) themselves: 
“We determine acceptability by reviewing our risk tiers for each systemic risk category, which incorporate appropriate safety margins(FCF §2.3, emphasis added).
“Provided the residual risk falls within acceptable levels, taking into account appropriate safety margins, the model is approved for continued development, internal use (where applicable), and launch (as the case may be)“ (FCF §2.5, emphasis added).
 
These quotes imply a recognition of the concept, but suggest a more shallow integration.
26The safety margins are appropriate for the systemic risk.Assessment omittedWe omit our assessment due to the current lack of clarity on what makes systemic risk tiers “appropriate”.
27The safety margins take into account potential limitations, changes, and uncertainties of systemic risk sources.AbsentThe FCF provides no details on whether and how safety margins take into account the limitations, changes, and uncertainties of systemic risk sources.
28The safety margins take into account potential limitations, changes, and uncertainties of systemic risk assessments.AbsentThe FCF provides no details on whether and how safety margins take into account the limitations, changes, and uncertainties of systemic risk assessments.
29The safety margins take into account the potential limitations, changes, and uncertainties of the effectiveness of safety mitigations.AbsentThe FCF provides no details on whether and how safety margins take into account the limitations, changes, and uncertainties of safety mitigations.
30The safety margins take into account the potential limitations, changes, and uncertainties of the effectiveness of security mitigations.AbsentThe FCF provides no details on whether and how safety margins take into account the limitations, changes, and uncertainties of security mitigations.
31The Framework gives a high-level description of what safety mitigations to implement once each systemic risk tier is reached.Mostly absentNo tier-specific safety mitigations are given. Instead, the FCF states that mitigations have to be “proportionate” to the level of risk. It also provides a list of general safety mitigations:
“When a model reaches a particular risk tier, we implement safeguards proportionate to that level of risk. These may include monitoring and filtering the model’s inputs and outputs, modifying model behavior through fine-tuning (such as training the model to refuse certain requests), or staged deployment (gradually expanding access from a limited group of trusted users to broader availability)” (FCF §2.3, emphasis added).

Further, it explicitly states that mitigations may be determined when specific risk tiers are reached, deferring this action to a later point in time: 
“Because we cannot always anticipate what safety and security measures will be appropriate for models beyond the current frontier, the specific mitigations we implement may be determined when the relevant risk tier is reached, informed by the threat landscape at that  time” (FCF §2.3).
32The Framework gives a high-level description of what security mitigations to implement once each systemic risk tier is reached.Mostly absentSee requirement 31.

No tier-specific security mitigations are given – just general security mitigations that Anthropic might apply:
“For risks related to model security, safeguards may include conducting evaluations in sandboxed environments, anomaly detection systems, access controls, and output rate limiting” (FCF §2.3).
33For each systemic risk for which risk tiers have been defined, the Framework gives estimates of timelines for when the provider reasonably foresees their models exceeding the highest systemic risk tier currently reached.AbsentNo timeline estimates are given.
34The Framework gives justifications for the provider’s timeline estimates, including underlying assumptions and uncertainties.AbsentNo justifications for timeline estimates are given.
35The Framework includes a statement as to whether input from external actors influences development, deployment, or use decisions.AbsentNo statement on whether input from external actors influences decisions is given.
36The Framework describes how input from external actors influences development, deployment, or use decisions.AbsentNo description of how input from external actors influences decisions is given.
37The Framework clearly defines the systemic risk oversight responsibility for overseeing systemic risk assessment and mitigation processes and measures.Mostly absentThe FCF only includes a vague description of oversight over the Framework implementation, but does not specify how this relates to oversight of risk assessment and mitigation processes and measures:
“The board of directors of Anthropic Ireland Limited oversees implementation of this Framework for EU purposes” (FCF §6).
38The Framework clearly defines systemic risk ownership responsibility for managing systemic risks stemming from Signatories’ models, including for the systemic risk assessment and mitigation processes and measures.Mostly absentExistence of a risk owner is mentioned with one associated task, but the responsibility is not defined further: 
“In each case, the justification for proceeding will be documented by the risk owner” (FCF §2.5).
39The Framework clearly defines systemic risk ownership responsibility for managing the response to serious incidents.PresentThe FCF describes in detail what the role of “AI Incident Commander” for managing the response to serious incidents entails (§2.6).
40The Framework clearly defines systemic risk support and monitoring responsibility for supporting and monitoring systemic risk assessment and mitigation processes and measures.AbsentThe systemic risk support and monitoring responsibility is not defined.
41The Framework clearly defines systemic risk assurance responsibility for providing internal assurance about the adequacy of the Signatories’ systemic risk assessment and mitigation processes and measures to the management body in its supervisory function or another suitable independent body.AbsentThe systemic risk assurance responsibility is not defined.
42As appropriate, the Framework clearly defines systemic risk assurance responsibility for providing external assurance about the adequacy of the Signatories’ systemic risk assessment and mitigation processes and measures to the management body in its supervisory function or another suitable independent body.Assessment omittedThe systemic risk assurance responsibility is not defined. However, we omit our assessment of this requirement due to its optional nature implied by the phrase “as appropriate”.
43The responsibilities for systemic risk oversight, systemic risk ownership, systemic risk support and monitoring, and systemic risk assurance are allocated across the following levels of the organization: 

1. The management body in its supervisory function or another suitable independent body (such as a council or board) 
2. The management body in its executive function
Relevant operational teams
3. If available, internal assurance providers
4. If available, external assurance providers
Mostly absentSystemic risk oversight: Responsibility for overseeing the implementation of the Framework is explicitly assigned to the board of directors of Anthropic Ireland Limited. However, it is unclear whether this responsibility completely covers the role of overseeing systemic risk assessment and mitigation processes and measures: “The board of directors of Anthropic Ireland Limited oversees implementation of this Framework for EU purposes.” (FCF §6)

Systemic risk ownership: The existence of a risk owner for making decisions on proceeding with development, use, or deployment is mentioned, but it is not specified which organizational level they sit at: “In each case, the justification for proceeding will be documented by the risk owner.” (FCF §2.5) Further, the AI incident commander is allocated responsibility for managing the response to serious incidents (see requirement 39). However, this only partly covers systemic risk ownership responsibility. 

Systemic risk support and monitoring: The responsibility for systemic risk support and monitoring is not allocated.

Systemic risk assurance: The responsibility for systemic risk assurance is not allocated.
44. Requirement: The Framework includes a description of the process by which the Framework will be updated.
Assessment: Present
Evidence: The FCF includes information on:

Who proposes updates: “Anthropic’s Head of Safeguards, Responsible Scaling Officer, General Counsel, Head of Integrity & Compliance, or Chief Information Security Officer” (FCF §7.1).

Who coordinates Framework updates: “Legal and Compliance function” (FCF §7.1).

Triggers for updates: “changes in law or regulatory guidance, changes in model capabilities and related technologies, new approaches to mitigations and safeguards, other incidents affecting the industry, and new industry best practices and standards” (FCF §7.1).

Timing of updates: “at least once every 12 months from the Effective Dates of the TFAIA and the EU Code”, or when “relevant factors in the update and approval process are satisfied” (FCF §7.2).

Documentation: Changelog with changes and justifications, published within 30 days (FCF §7.1).

Board involvement: Material updates presented to the board for oversight (FCF §7.1).
45. Requirement: The Framework includes a description of the process used to determine that an updated Framework is confirmed.
Assessment: Mostly absent
Evidence: The FCF mentions board oversight of updates and references “approved changes” (FCF §7.1), but does not explicitly state that the board approves (vs. merely reviews) updates, and does not describe the process by which an updated Framework is determined to be confirmed:

“Material updates will be presented to the board of directors of Anthropic Ireland Limited for oversight, with approved changes and justifications for material updates documented in a changelog and published within 30 days of the update.” (FCF §7.1)
46. Requirement: The Framework includes a changelog for tracking updates, including how and why the Framework has been updated, along with a version number and date of change.
Assessment: Mostly present
Evidence: The FCF includes a changelog that explains how and why the framework was updated, for example: “Revised risk tiers in Section 2.4 across all four systemic risk categories to better align with our evolving threat models and capability assessments. Introduced nascent risk tiers for Harmful Manipulation”. However, the CoP specifies a version number alongside the date of change, whereas the FCF uses date-based versioning only, without distinct version numbers.

We analyse Measure 1.1 by breaking each of its paragraphs down into explicit requirements. Where a paragraph references other measures, we follow those references to determine which aspects of the referenced measure are required. We extracted the list of requirements iteratively and verified it by soliciting feedback from an independent external reviewer.


Mapping the Code of Practice to explicit requirements

Measure 1.1 Creating the Framework

    Signatories will create a state-of-the-art Framework, taking into account the models they are developing, making available on the market, and/or using.

    1. Measure 1.1, para. 1: The Signatory has created a Framework.

    2. Measure 1.1, para. 1: The Framework is state-of-the-art.

    The Framework will contain a high-level description of implemented and planned processes and measures for systemic risk assessment and mitigation to adhere to this Chapter.

    3. Measure 1.1, para. 2: The Framework contains a high-level description of implemented processes and measures for systemic risk assessment.

    4. Measure 1.1, para. 2: The Framework contains a high-level description of planned processes and measures for systemic risk assessment.

    5. Measure 1.1, para. 2: The Framework contains a high-level description of implemented processes and measures for systemic risk mitigation.

    6. Measure 1.1, para. 2: The Framework contains a high-level description of planned processes and measures for systemic risk mitigation.

    In addition, the Framework will contain:  

    (1) a description and justification of the trigger points and their usage, at which the Signatories will conduct additional lighter-touch model evaluations along the entire model lifecycle, as specified in Measure 1.2, second paragraph, point (1)(a);

    Measure 1.2 (quoted through para. 2(1)(a)): Signatories will implement the processes and measures outlined in their Framework as specified in the following paragraphs.  

    Along the entire model lifecycle, Signatories will continuously:  

    (1) assess the systemic risks stemming from the model by:

    (a) conducting lighter-touch model evaluations that need not adhere to Appendix 3 (e.g. automated evaluations) at appropriate trigger points defined in terms of, e.g. time, training compute, development stages, user access, inference compute, and/or affordances;


    7. Measure 1.1, para. 3(1) → Measure 1.2, para. 2(1)(a): The Framework includes a commitment to conducting lighter-touch model evaluations.

    8. Measure 1.1, para. 3(1) → Measure 1.2, para. 2(1)(a): The Framework describes trigger points for lighter-touch model evaluations.

    9. Measure 1.1, para. 3(1) → Measure 1.2, para. 2(1)(a): The Framework describes appropriate trigger points for lighter-touch model evaluations.

    10. Measure 1.1, para. 3(1) → Measure 1.2, para. 2(1)(a): The Framework defines trigger points for lighter-touch model evaluations along the entire model lifecycle.

    11. Measure 1.1, para. 3(1) → Measure 1.2, para. 2(1)(a): The Framework’s trigger points for lighter-touch model evaluations are justified.

    12. Measure 1.1, para. 3(1) → Measure 1.2, para. 2(1)(a): The Framework describes the usage of trigger points for lighter-touch model evaluations (i.e., what actions or evaluations are initiated when trigger points are passed).

    13. Measure 1.1, para. 3(1) → Measure 1.2, para. 2(1)(a): The Framework justifies the usage of trigger points for lighter-touch model evaluations (i.e., what actions or evaluations are initiated when trigger points are passed).

    (2) for the Signatories’ determination of whether systemic risk is considered acceptable, as specified in Commitment 4:  

    (a) a description and justification of the systemic risk acceptance criteria, including the systemic risk tiers, and their usage as specified in Measure 4.1; 


    Commitment 4:

    Signatories commit to specifying systemic risk acceptance criteria and determining whether the systemic risks stemming from the model are acceptable (as specified in Measure 4.1). 

    Signatories commit to deciding whether or not to proceed with the development, the making available on the market, and/or the use of the model based on the systemic risk acceptance determination (as specified in Measure 4.2).  

    Measure 4.1 Systemic risk acceptance criteria and acceptance determination  

    Signatories will describe and justify (in the Framework pursuant to Measure 1.1, point (2)(a)) how they will determine whether the systemic risks stemming from the model are acceptable. 

    To do so, Signatories will: 

    (1) for each identified systemic risk (pursuant to Measure 2.1), at least:  

    (a) define appropriate systemic risk tiers that: 

    14. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(1)(a)(i): The Framework defines systemic risk tiers for each identified systemic risk.

    (i) are defined in terms of model capabilities, and may additionally incorporate model propensities, risk estimates, and/or other suitable metrics; 

    15. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(1)(a)(i): The Framework defines systemic risk tiers in terms of model capabilities.

    16. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(1)(a)(i): The Framework defines appropriate systemic risk tiers.

    (ii) are measurable; and 

    17. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(1)(a)(ii): The Framework defines measurable systemic risk tiers.

    (iii) comprise at least one systemic risk tier that has not been reached by the model;

    18. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(1)(a)(iii): The Framework includes at least one systemic risk tier that has not yet been reached by the Signatory’s models.

    or (b) define other appropriate systemic risk acceptance criteria, if systemic risk tiers are not suitable for the systemic risk and the systemic risk is not a specified systemic risk (pursuant to Appendix 1.4); 

    19. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(1)(b): The Framework defines other systemic risk acceptance criteria if risk tiers are not suitable and the systemic risk is not a specified systemic risk.

    20. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(1)(b): The Framework defines other appropriate systemic risk acceptance criteria if risk tiers are not suitable and the systemic risk is not a specified systemic risk.

    (2) describe how they will use these tiers and/or other criteria to determine whether each identified systemic risk (pursuant to Measure 2.1) and the overall systemic risk are acceptable; and

    21. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(2): The Framework describes how risk tiers or other criteria will be used to determine whether each systemic risk is acceptable (i.e., how these tiers/criteria link to the identified systemic risk acceptance criteria).

    22. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(2): The Framework describes how risk tiers or other criteria will be used to determine whether overall systemic risk is acceptable (i.e., how these tiers/criteria link to the overall systemic risk acceptance criteria).

    (3) justify how the use of these tiers and/or other criteria pursuant to point (2) ensures that each identified systemic risk (pursuant to Measure 2.1) and the overall systemic risk are acceptable. 

    23. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(3): The Framework justifies how their risk tiers or other criteria ensure the identified systemic risk is acceptable.

    24. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 1(3): The Framework justifies how their risk tiers or other criteria ensure overall systemic risk is acceptable.

    Signatories will apply the systemic risk acceptance criteria to each identified systemic risk (pursuant to Measure 2.1), incorporating a safety margin (as specified in the following paragraph), to determine whether each identified systemic risk (pursuant to Measure 2.1) and the overall systemic risk are acceptable. This acceptance determination will take into account at least the information gathered via systemic risk identification and analysis (pursuant to Commitments 2 and 3). 

    25. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 2: The systemic risk acceptance criteria incorporate a safety margin for each identified systemic risk.

    The safety margin will:  

    (1) be appropriate for the systemic risk; and 

    26. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 3(1): The safety margins are appropriate for the systemic risk.

    (2) take into account potential limitations, changes, and uncertainties of:  

    (a) systemic risk sources (e.g. capability improvements after the time of assessment); 

    27. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 3(2)(a): The safety margins take into account potential limitations, changes, and uncertainties of systemic risk sources.

    (b) systemic risk assessments (e.g. under-elicitation of model evaluations or historical accuracy of similar assessments); and 

    28. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 3(2)(b): The safety margins take into account potential limitations, changes, and uncertainties of systemic risk assessments.

    (c) the effectiveness of safety and security mitigations (e.g. mitigations being circumvented, deactivated, or subverted).

    For each safety margin given in the Framework:

    29. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 3(2)(c): The safety margins take into account the potential limitations, changes, and uncertainties of the effectiveness of safety mitigations.

    30. Measure 1.1, para. 3(2)(a) → Measure 4.1, para. 3(2)(c): The safety margins take into account the potential limitations, changes, and uncertainties of the effectiveness of security mitigations.


    (b) a high-level description of what safety and security mitigations Signatories would need to implement once each systemic risk tier is reached; 

    31. Measure 1.1, para. 3(2)(b): The Framework gives a high-level description of what safety mitigations to implement once each systemic risk tier is reached.

    32. Measure 1.1, para. 3(2)(b): The Framework gives a high-level description of what security mitigations to implement once each systemic risk tier is reached.

    (c) for each systemic risk that Signatories defined systemic risk tiers for as specified in Measure 4.1, estimates of timelines when Signatories reasonably foresee that they will have a model that exceeds the highest systemic risk tier already reached by any of their existing models. Such estimates:

    33. Measure 1.1, para. 3(2)(c): For each systemic risk for which risk tiers have been defined, the Framework gives estimates of timelines for when the provider reasonably foresees their models exceeding the highest systemic risk tier currently reached.

    (i) may consist of time ranges or probability distributions [4]; and 

    (ii) may take into account aggregate forecasts, surveys, and other estimates produced with other providers. Further, such estimates will be supported by justifications, including underlying assumptions and uncertainties; and 

    34. Measure 1.1, para. 3(2)(c): The Framework gives justifications for the provider’s timeline estimates, including underlying assumptions and uncertainties.

    (d) a description of whether and, if so, by what process input from external actors, including governments, influences proceeding with the development, making available on the market, and/or use of the Signatories’ models as specified in Measure 4.2, other than as the result of independent external evaluations; 

    35. Measure 1.1, para. 3(2)(d): The Framework includes a statement as to whether input from external actors influences development, deployment, or use decisions.

    36. Measure 1.1, para. 3(2)(d): The Framework describes how input from external actors influences development, deployment, or use decisions.

    (3) a description of how systemic risk responsibility is allocated for the processes by which systemic risk is assessed and mitigated as specified in Commitment 8; and 


    Measure 8.1: Signatories will clearly define [5] responsibilities for managing the systemic risks stemming from their models across all levels of the organisation. This includes the following responsibilities: 

    (1) Systemic risk oversight: Overseeing the Signatories’ systemic risk assessment and mitigation processes and measures. 

    37. Measure 1.1, para. 3(3) → Measure 8.1, para. 1(1): The Framework clearly defines the systemic risk oversight responsibility for overseeing systemic risk assessment and mitigation processes and measures.

    (2) Systemic risk ownership: Managing systemic risks stemming from Signatories’ models, including the systemic risk assessment and mitigation processes and measures, and managing the response to serious incidents. 

    38. Measure 1.1, para. 3(3) → Measure 8.1, para. 1(2): The Framework clearly defines systemic risk ownership responsibility for managing systemic risks stemming from Signatories’ models, including for the systemic risk assessment and mitigation processes and measures.

    39. Measure 1.1, para. 3(3) → Measure 8.1, para. 1(2): The Framework clearly defines systemic risk ownership responsibility for managing the response to serious incidents.

    (3) Systemic risk support and monitoring: Supporting and monitoring the Signatories’ systemic risk assessment and mitigation processes and measures. 

    40. Measure 1.1, para. 3(3) → Measure 8.1, para. 1(3): The Framework clearly defines systemic risk support and monitoring responsibility for supporting and monitoring systemic risk assessment and mitigation processes and measures.

    (4) Systemic risk assurance: Providing internal and, as appropriate, external assurance about the adequacy of the Signatories’ systemic risk assessment and mitigation processes and measures to the management body in its supervisory function or another suitable independent body (such as a council or board). 

    41. Measure 1.1, para. 3(3) → Measure 8.1, para. 1(4): The Framework clearly defines systemic risk assurance responsibility for providing internal assurance about the adequacy of the Signatories’ systemic risk assessment and mitigation processes and measures to the management body in its supervisory function or another suitable independent body.

    42. Measure 1.1, para. 3(3) → Measure 8.1, para. 1(4): As appropriate, the Framework clearly defines systemic risk assurance responsibility for providing external assurance about the adequacy of the Signatories’ systemic risk assessment and mitigation processes and measures to the management body in its supervisory function or another suitable independent body.

    Signatories will allocate these responsibilities, as suitable for the Signatories’ governance structure and organisational complexity, across the following levels of their organisation:  

    (1) the management body in its supervisory function or another suitable independent body (such as a council or board);  

    (2) the management body in its executive function;  

    (3) relevant operational teams;  

    (4) if available, internal assurance providers (e.g. an internal audit function); and  

    (5) if available, external assurance providers (e.g. third-party auditors). 

    43. Measure 1.1, para. 3(3) → Measure 8.1, para. 2: The responsibilities for systemic risk oversight, systemic risk ownership, systemic risk support and monitoring, and systemic risk assurance are allocated across the following levels of the organization:

    1. The management body in its supervisory function or another suitable independent body (such as a council or board) 
    2. The management body in its executive function
    3. Relevant operational teams
    4. If available, internal assurance providers
    5. If available, external assurance providers

    This Measure is presumed to be fulfilled, if Signatories, as appropriate for the systemic risks stemming from their models, adhere to all of the following:  

    (1) Systemic risk oversight: The responsibility for overseeing the Signatory’s systemic risk management processes and measures has been assigned to a specific committee of the management body in its supervisory function (e.g. a risk committee or audit committee) or one or multiple suitable independent bodies (such as councils or boards). For Signatories that are SMEs or SMCs, this responsibility may be primarily assigned to an individual member of the management body in its supervisory function.  

    (2) Systemic risk ownership: The responsibility for managing systemic risks from models has been assigned to suitable members of the management body in its executive function who are also responsible for relevant Signatory core business activities that may give rise to systemic risk, such as research and product development (e.g. Head of Research or Head of Product). The members of the management body in its executive function have assigned lower-level responsibilities to operational managers who oversee parts of the systemic-risk-producing business activities (e.g. specific research domains or specific products). Depending on the organisational complexity, there may be a cascading responsibility structure.  

    (3) Systemic risk support and monitoring: The responsibility for supporting and monitoring the Signatory’s systemic risk management processes and measures, including conducting risk assessments, has been assigned to at least one member of the management body in its executive function (e.g. a Chief Risk Officer or a Vice President, Safety & Security Framework). This member(s) must not also be responsible for the Signatory’s core business activities that may produce systemic risk (e.g. research and product development). For Signatories that are SMEs or SMCs, there is at least one individual in the management body in its executive function tasked with supporting and monitoring the Signatory’s systemic risk assessment and mitigation processes and measures.  

    (4) Systemic risk assurance: The responsibility for providing assurance about the adequacy of the Signatory’s systemic risk assessment and mitigation processes and measures to the management body in its supervisory function or another suitable independent body (such as a council or board) has been assigned to a relevant party (e.g. a Chief Audit Executive, a Head of Internal Audit, or a relevant sub-committee). This individual is supported by an internal audit function, or equivalent, and external assurance as appropriate. The Signatories’ internal assurance activities are appropriate. For Signatories that are SMEs or SMCs, the management body in its supervisory function periodically assesses the Signatory’s systemic risk assessment and mitigation processes and measures (e.g. by approving the Signatory’s Framework assessment).


    (4) a description of the process by which Signatories will update the Framework, including how they will determine that an updated Framework is confirmed, as specified in Measure 1.3.

    44. Measure 1.1, para. 3(4): The Framework includes a description of the process by which the Framework will be updated.

    45. Measure 1.1, para. 3(4): The Framework includes a description of the process used to determine that an updated Framework is confirmed.


    Measure 1.3: Signatories will update the Framework as appropriate, including without undue delay after a Framework assessment (specified in the following paragraphs), to ensure the information in Measure 1.1 is kept up-to-date and the Framework is at least state-of-the-art. For any update of the Framework, Signatories will include a changelog, describing how and why the Framework has been updated, along with a version number and the date of change.

    46. Measure 1.3, para. 1: The Framework includes a changelog for tracking updates, including how and why the Framework has been updated, along with a version number and date of change.


    Signatories will have confirmed the Framework no later than four weeks after having notified the Commission pursuant to Article 52(1) AI Act and no later than two weeks before placing the model on the market.

    1. We have included an overview of the changes made in the updated version in the section “Note: Changes from the December 2025 to the March 2026 version”.
    2. An example of information that may justifiably be withheld for security reasons is the specific limitations of a provider’s security mitigations.
    3. The CoP does not specify what such justifications should include. For this analysis, we expect a justification to explain why the Signatory’s approach is effective for their intended purpose of systemic risk assessment and/or mitigation.
    4. For statements beginning with ‘may’, we do not consider them a requirement but rather guidance.
    5. We interpret “clearly define” as a description of tasks and teams or processes the role holds responsibility for, which should be specific to the providers’ processes and teams.
