The EU AI Act is the first comprehensive AI regulation in any major market and the most consequential change in enterprise AI procurement in a decade. The risk-classification logic is straightforward; the deployer obligations are not. Enterprise buyers in scope — and that means most large organisations with EU exposure — need to translate the framework into purchase-order-level controls before high-risk obligations apply.
The EU AI Act, formally Regulation (EU) 2024/1689, classifies AI systems into four risk categories: prohibited, high-risk, limited risk, and minimal risk. It also creates a parallel regime for general-purpose AI (GPAI) models, with additional obligations for GPAI models with systemic risk. Risk classification drives obligations. The same large language model embedded in two different deployer use cases can be high-risk in one and minimal-risk in the other.
Prohibited categories are narrow but absolute: social scoring by public authorities, predictive policing solely on profiling, untargeted biometric scraping for facial recognition databases, emotion recognition in workplace or education contexts (with exceptions), real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions). High-risk categories follow Annex III and cover most of the AI use cases that matter commercially: employment and worker management, credit-scoring and creditworthiness assessment, essential public services, critical infrastructure, education access, law enforcement, migration, and administration of justice.
The Act distinguishes providers (who develop or place the AI system on the market) from deployers (who use the AI system under their authority for a particular purpose). Enterprise buyers are typically deployers and have specific obligations independent of the provider's compliance: ensuring fitness for purpose, human oversight, monitoring, logging retention, and — for some categories — fundamental rights impact assessment (FRIA).
A practical procurement risk in our experience across 340+ engagements: deployer obligations cannot be contractually offloaded to the provider. Many AI vendor MSAs include clauses indicating the provider takes responsibility for "regulatory compliance" — these clauses do not affect the deployer's residual obligations and are misleading to procurement teams that read them as risk transfer.
We run buyer-side AI Act assessments for high-risk system procurement — classification, deployer obligations, contractual flow-through.
The AI Act's obligations apply on a phased schedule: prohibitions from 2 February 2025; literacy and general-purpose AI provider obligations from 2 August 2025; most high-risk system obligations from 2 August 2026; remaining provisions (including Annex II-related systems) from 2 August 2027. Buyers in scope should treat the high-risk obligation date as the binding constraint for procurement and align renewal cycles accordingly. Contracts renewed before August 2026 should include forward-looking compliance clauses if they will be in force after that date.
General-purpose AI models (foundation models, frontier LLMs) sit outside the risk-classification scheme and face their own obligations under the GPAI provisions. Providers of GPAI models must maintain technical documentation, comply with EU copyright law in training data, publish a sufficiently detailed summary of training data, and — for models with systemic risk — additional risk assessment, mitigation, and reporting obligations. This matters to enterprise buyers because most enterprise AI use cases sit downstream of one or more GPAI models, and provider failure upstream may interrupt downstream service.
Clause-by-clause analysis of AI vendor MSAs against the AI Act, GDPR, IP and indemnity standard expectations.
Standard AI vendor MSAs do not address most of the AI Act flow-through that deployers need. Five contractual clauses are essential for any high-risk AI system procurement:
Vendor pushback on these clauses is genuine and informative — vendors that resist all five are either uncertain about their own AI Act readiness or attempting to keep the regulatory risk with the customer. Both are negotiation signals. Reading those signals correctly is the core of disciplined SaaS procurement advisory on any high-risk AI system.
The AI Act is one of three EU frameworks that govern AI-adjacent procurement. GDPR continues to govern personal data processing, including by AI systems — Data Protection Impact Assessments under Article 35 GDPR are required alongside fundamental rights impact assessments under the AI Act for relevant high-risk systems. The Digital Services Act governs algorithmic systems in online intermediary services. Procurement teams treating any of the three in isolation miss material risk.
We represent enterprise buyers exclusively. No vendor relationships. Built around former licensing executives from Oracle, Microsoft, SAP and the major cloud vendors.
Weekly compliance intelligence for IT leaders.