Trusq

factual analysis · traceable to primary sources

Guide

The AI Act for procurement: supplier requirements and contract clauses

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

Whoever procures AI often becomes a deployer under the AI Act and carries their own obligations. A supplier claiming to be "AI Act compliant" is no guarantee. This guide explains what to ask up front and which clauses belong in the contract.

Short answer: Procurement is the gateway through which AI enters the organisation, and therefore a control point for compliance. Whoever buys an AI system usually becomes a deployer under the AI Act and acquires their own obligations. A supplier's statement "we are AI Act compliant" means little without evidence. Procurement must ask, record and make it demonstrable.

Your role changes when you buy

If you procure an AI system, you are usually not a provider but a deployer. That sounds lighter, but it carries its own duties: deploying the system according to the instructions for use, ensuring human oversight, monitoring input data and, for high-risk AI, keeping logs. Beware: if you substantially modify a procured system or place it on the market under your own brand, you can become a provider yourself, with far heavier obligations.

Due diligence before signing

A supplier must be able to demonstrate, not merely claim. Ask:

  • Risk classification. Which AI Act class does the system fall into, and why?
  • Conformity. Is there a conformity assessment, CE marking and EU declaration of conformity where required?
  • Documentation. Will you receive technical documentation and usable instructions for use?
  • Transparency and data. What data was used, and how is bias controlled?
  • Security. How were accuracy and robustness tested? Coordinate with the CISO.

What belongs in the contract

Pin the arrangements down firmly. See AI in contracts for the broader clause set; for procurement these core points are essential:

  • Role allocation: who is provider, who is deployer, and who carries which obligation?
  • Compliance warranties with the burden of proof on the supplier.
  • Duty to cooperate with audits, incidents and supervisory requests.
  • Update and maintenance duties for as long as the system is in use.
  • Liability and indemnity: link this to the liability risk.

Cooperate, do not buy solo

Procurement can formulate requirements but cannot assess them all. Involve the DPO for personal data, the CISO for security and the board for risk appetite. Anchor this in the governance framework.

What to do

  • Determine your role (provider or deployer) per procurement.
  • Use a due diligence checklist for AI suppliers.
  • Demand evidence, not statements: documentation, conformity, test results.
  • Standardise contract clauses for AI procurement.
  • Allocate liability explicitly to the right party.

Procurement is the first line of defence. What is not asked here becomes a compliance gap the organisation has to close itself later.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): the provider/deployer split and obligations per risk class.
  2. https://eur-lex.europa.eu/eli/dir/2024/2853/oj
    Directive (EU) 2024/2853 (revised Product Liability Directive): the liability risk you can allocate through contracts.

About this knowledge base

Compiled and maintained by YRproject, programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
