Home  ›  Blog  ›  EU AI Act Procurement
Compliance · EU AI Act

EU AI Act procurement — from risk class to contract clause.

The EU AI Act is the first comprehensive AI regulation in any major market and the most consequential change in enterprise AI procurement in a decade. The risk-classification logic is straightforward; the deployer obligations are not. Enterprise buyers in scope — and that means most large organisations with EU exposure — need to translate the framework into purchase-order-level controls before high-risk obligations apply.

Updated: June 2026 Reading time: 15 min Audience: CIO, Legal, Procurement, Risk
EU AI Act Procurement
What the AI Act regulates

A risk-based regulation, read by category.

The EU AI Act, formally Regulation (EU) 2024/1689, classifies AI systems into four risk categories: prohibited, high-risk, limited risk, and minimal risk. It also creates a parallel regime for general-purpose AI (GPAI) models, with additional obligations for GPAI models with systemic risk. Risk classification drives obligations. The same large language model embedded in two different deployer use cases can be high-risk in one and minimal-risk in the other.

Prohibited categories are narrow but absolute: social scoring by public authorities, predictive policing solely on profiling, untargeted biometric scraping for facial recognition databases, emotion recognition in workplace or education contexts (with exceptions), real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions). High-risk categories follow Annex III and cover most of the AI use cases that matter commercially: employment and worker management, credit-scoring and creditworthiness assessment, essential public services, critical infrastructure, education access, law enforcement, migration, and administration of justice.

Provider versus deployer

The Act distinguishes providers (who develop or place the AI system on the market) from deployers (who use the AI system under their authority for a particular purpose). Enterprise buyers are typically deployers and have specific obligations independent of the provider's compliance: ensuring fitness for purpose, human oversight, monitoring, logging retention, and — for some categories — fundamental rights impact assessment (FRIA).

A practical procurement risk in our experience across 340+ engagements: deployer obligations cannot be contractually offloaded to the provider. Many AI vendor MSAs include clauses indicating the provider takes responsibility for "regulatory compliance" — these clauses do not affect the deployer's residual obligations and are misleading to procurement teams that read them as risk transfer.

AI procurement under the AI Act?

We run buyer-side AI Act assessments for high-risk system procurement — classification, deployer obligations, contractual flow-through.

Contact Us →
Applicability timeline

Phased application — plan the renewal calendar.

The AI Act's obligations apply on a phased schedule: prohibitions from 2 February 2025; literacy and general-purpose AI provider obligations from 2 August 2025; most high-risk system obligations from 2 August 2026; remaining provisions (including Annex II-related systems) from 2 August 2027. Buyers in scope should treat the high-risk obligation date as the binding constraint for procurement and align renewal cycles accordingly. Contracts renewed before August 2026 should include forward-looking compliance clauses if they will be in force after that date.

General-purpose AI models — the upstream constraint

General-purpose AI models (foundation models, frontier LLMs) sit outside the risk-classification scheme and face their own obligations under the GPAI provisions. Providers of GPAI models must maintain technical documentation, comply with EU copyright law in training data, publish a sufficiently detailed summary of training data, and — for models with systemic risk — additional risk assessment, mitigation, and reporting obligations. This matters to enterprise buyers because most enterprise AI use cases sit downstream of one or more GPAI models, and provider failure upstream may interrupt downstream service.

Download the AI Vendor Contract Red Flags playbook.

Clause-by-clause analysis of AI vendor MSAs against the AI Act, GDPR, IP and indemnity standard expectations.

Get the playbook →
Contractual flow-through

Five contractual clauses for AI procurement.

Standard AI vendor MSAs do not address most of the AI Act flow-through that deployers need. Five contractual clauses are essential for any high-risk AI system procurement:

  1. Risk classification representation. The provider represents the risk classification of the system under the AI Act and commits to notify the customer of any reclassification. The customer reserves the right to dispute classification with reasonable evidence.
  2. Conformity assessment and documentation. The provider commits to provide the customer with the technical documentation required under Article 11 and Annex IV, conformity assessment outcomes, and the EU declaration of conformity, on request and at renewal.
  3. Logging and traceability. The provider commits to AI Act-compliant automatic event logging (Article 12) with log retention sufficient to support the customer's deployer obligations, and access for the customer to logs relevant to its use case.
  4. Post-market monitoring and incident reporting. The provider commits to AI Act-compliant post-market monitoring (Article 72) and serious incident reporting (Article 73) with customer notification within defined windows of incidents affecting the customer's deployment.
  5. Training data and copyright. For GPAI components, the provider represents copyright compliance and provides the Article 53 training data summary; for downstream systems, the provider represents the lawful basis for training data including any customer-provided data.

Vendor pushback on these clauses is genuine and informative — vendors that resist all five are either uncertain about their own AI Act readiness or attempting to keep the regulatory risk with the customer. Both are negotiation signals. Reading those signals correctly is the core of disciplined SaaS procurement advisory on any high-risk AI system.

Interaction with GDPR and the Digital Services Act

The AI Act is one of three EU frameworks that govern AI-adjacent procurement. GDPR continues to govern personal data processing, including by AI systems — Data Protection Impact Assessments under Article 35 GDPR are required alongside fundamental rights impact assessments under the AI Act for relevant high-risk systems. The Digital Services Act governs algorithmic systems in online intermediary services. Procurement teams treating any of the three in isolation miss material risk.

When independent advisory pays back

FAQ

Common questions on this topic.

Does the EU AI Act apply to non-EU buyers?
Yes when the output of the AI system is used in the EU or when the system is placed on the EU market. Non-EU enterprises with EU customers, EU subsidiaries, or EU-impacting use cases fall in scope regardless of vendor or buyer location.
What is a "deployer" versus a "provider" under the AI Act?
The provider develops or places the AI system on the market. The deployer uses the AI system under its authority for a particular purpose. Enterprise buyers are typically deployers and have specific obligations for high-risk systems including human oversight, monitoring, and impact assessment.
What are the risk categories under the AI Act?
Prohibited (banned outright), high-risk (subject to detailed obligations under Annex III), limited risk (transparency obligations), and minimal risk. General-purpose AI models are subject to a separate set of obligations with additional requirements for systemic-risk models.
When do the AI Act obligations start applying?
Phased: prohibitions from 2 February 2025, general-purpose AI model obligations from 2 August 2025, high-risk system obligations from 2 August 2026 (most cases), and full applicability from 2 August 2027 for certain Annex II-related systems.
Can buyers rely on vendor self-declarations of AI Act conformity?
For most high-risk systems, providers self-declare conformity via internal control assessment; some categories require third-party conformity assessment. Buyers as deployers cannot offload deployer obligations to provider declarations and must independently assess fit-for-purpose use.
How does the AI Act interact with GDPR?
The frameworks operate in parallel. GDPR covers personal data processing including by AI systems; the AI Act covers the AI system itself. High-risk AI systems processing personal data must satisfy both, including DPIA obligations under GDPR and fundamental rights impact assessment under the AI Act.

AI procurement under the AI Act?
We translate the regulation into contractual clauses.

We represent enterprise buyers exclusively. No vendor relationships. Built around former licensing executives from Oracle, Microsoft, SAP and the major cloud vendors.

The Compliance Brief

Weekly compliance intelligence for IT leaders.