AI Act Contractual Clauses: 10 Requirements to Demand from Your AI Provider
From 2 December 2027, deployers of high-risk AI systems will be required to document their compliance. The AI Act allows for the contractual transfer of some of these obligations to providers. Here are the clauses to demand now to secure your AI purchases.

Why Contractualise AI Act Obligations with Your Provider
The AI Act imposes strict obligations on deployers but allows for their contractual transfer to providers. This is an opportunity to seize in order to secure your AI purchases.
Article 26 of the AI Act defines the obligations of deployers of AI systems. Some of these may be transferred to the provider by contract, provided the transfer is explicit and documented. This mechanism, set out in Article 25(1), allows deployers to ensure that their provider assumes part of the legal responsibilities.
For buyers, DPOs and legal teams, this contractualisation offers three key advantages:
- Reduction of legal risks: in the event of non-compliance, responsibility may be shared or transferred to the provider.
- Simplification of compliance: the provider becomes responsible for technical documentation and updates.
- Better cost control: audits and maintenance are integrated into the contract, avoiding unexpected expenses.
The EDPB highlighted in its January 2025 recommendations that this contractual approach is essential for deployers, particularly for high-risk AI systems. Without an explicit clause, the deployer remains solely responsible for compliance.
The 10 Essential Clauses to Demand in Your AI Contracts
Here are the clauses to include systematically in your contracts with AI system providers, giving for each the legal basis, a sample formulation and the pitfalls to avoid.
1. Provision of Technical Documentation (Annex IV)
Why? Article 11 of the AI Act requires providers to supply detailed technical documentation, compliant with Annex IV. This documentation is essential for assessing the system's compliance and responding to requests from authorities.
Sample Clause:
"The Provider undertakes to deliver to the Deployer, prior to the putting into service of the AI system, comprehensive technical documentation compliant with Annex IV of Regulation (EU) 2024/1689. This documentation shall include, in particular:
- a general description of the AI system;
- instructions for use;
- the characteristics, capabilities and limitations of the system;
- post-market monitoring measures;
- residual risks and mitigation measures.
The Provider guarantees the accuracy and updating of this documentation for the duration of the contract."
Red flags:
- The provider refuses to supply the full documentation, citing trade secrets.
- The documentation is generic and does not specifically relate to the system provided.
- No guarantee of updates is provided in the event of system modifications.
2. Incident Notification Within 72 Hours
Why? Article 73 of the AI Act requires providers to notify serious incidents to the competent authorities. This obligation must be extended to the deployer to enable them to take necessary corrective measures.
Sample Clause:
"The Provider undertakes to notify the Deployer, within a maximum of 72 hours, of any serious incident related to the AI system, as defined in Article 3(44) of Regulation (EU) 2024/1689. This notification shall include:
- a detailed description of the incident;
- identified or suspected causes;
- corrective measures taken or planned;
- residual risks to end-users.
The Provider shall also inform the Deployer of any follow-up actions taken with the competent authorities."
Red flags:
- The provider proposes a notification period exceeding 72 hours.
- No clear procedure is defined for incident notification.
- The provider refuses to share incident details with the deployer.
3. Annual Audit Right
Why? Article 26(5) of the AI Act requires deployers to monitor the compliance of AI systems. An audit right enables verification that the provider is meeting its contractual and regulatory obligations.
Sample Clause:
"The Deployer or a third party appointed by them shall have the right to conduct an annual audit of the AI system and its documentation to verify compliance with the obligations set out in Regulation (EU) 2024/1689 and this contract. This audit shall cover, in particular:
- compliance of the technical documentation;
- effectiveness of risk management measures;
- traceability of data and decisions;
- incident notification procedures.
The Provider undertakes to supply all necessary information and access for the audit within a reasonable timeframe. Audit results shall be shared with the Provider, who shall have 30 days to propose corrective measures in the event of non-compliance."
Red flags:
- The provider limits the audit right to less than once per year.
- The audit is restricted to certain aspects of the system, without full access to the documentation.
- No timeframe is specified for implementing corrective measures.
4. Update Obligations in Case of Substantial Modification
Why? Article 14 of the AI Act requires providers to reassess the system's compliance in the event of a substantial modification. The deployer must be informed and give consent prior to any major update.
Sample Clause:
"The Provider undertakes to notify the Deployer of any substantial modification to the AI system, as defined in Article 3(23) of Regulation (EU) 2024/1689, at least 30 days prior to implementation. This notification shall include:
- a detailed description of the modification;
- an assessment of its impact on the system's compliance;
- planned corrective measures to maintain compliance.
The Deployer shall have 15 days to give consent or request modifications. In the absence of a response, the Provider may proceed with the update, subject to compliance with legal obligations."
Red flags:
- The provider reserves the right to modify the system without prior notification.
- No timeframe is specified for notifying substantial modifications.
- The provider refuses to share an impact assessment on compliance.
5. Declaration of the System's Risk Level
Why? Article 6 of the AI Act classifies AI systems according to their risk level. The provider must declare this level and justify its classification so that the deployer can adapt their compliance measures.
Sample Clause:
"The Provider declares that the AI system supplied is classified in the following category, in accordance with Article 6 of Regulation (EU) 2024/1689:
- [ ] Prohibited system (Article 5);
- [ ] High-risk system (Annex III);
- [ ] Limited-risk system (Article 50);
- [ ] Minimal-risk system.
The Provider shall supply a written justification for this classification, including an analysis of the criteria set out in Articles 6 and 7 of the Regulation. In the event of disagreement over the classification, the parties undertake to seek an opinion from the AI Office or a competent authority."
Red flags:
- The provider refuses to declare the system's risk level.
- No written justification is provided for the classification.
- The provider understates the risk level to avoid additional obligations.
6. Compliance with CE Marking Prior to Deployment
Why? Article 48 of the AI Act requires providers of high-risk AI systems to affix the CE marking before placing them on the market. The deployer must ensure that this marking is valid and compliant.
Sample Clause:
"The Provider guarantees that the AI system supplied complies with the requirements of Regulation (EU) 2024/1689 and bears the CE marking, affixed in accordance with Article 48. The Provider shall deliver to the Deployer, prior to the putting into service of the system, a copy of the EU declaration of conformity, as defined in Article 47.
In the event of non-compliance identified after deployment, the Provider undertakes to take all necessary measures to restore compliance within a maximum of 15 days."
Red flags:
- The provider cannot supply the EU declaration of conformity.
- The CE marking is affixed without technical justification.
- No timeframe is specified for correcting non-compliance.
7. Log Retention in Accordance with Article 12
Why? Article 12 of the AI Act requires providers of high-risk AI systems to retain logs for at least 6 months. These logs are essential for ensuring the traceability of decisions and responding to requests from authorities.
Sample Clause:
"The Provider undertakes to retain logs of the AI system for a minimum of 6 months from their generation, in accordance with Article 12 of Regulation (EU) 2024/1689. These logs shall include:
- input and output data of the system;
- operating parameters;
- decisions or predictions generated;
- any errors or anomalies.
The Provider guarantees that these logs are secure, intact and accessible to the Deployer upon request, in a readable and usable format."
Red flags:
- The provider refuses to retain logs for 6 months.
- The logs are not accessible to the deployer or are in an unusable format.
- No security measures are in place to protect the logs.
8. User Training Obligations (Article 4)
Why? Article 4 of the AI Act requires deployers to train their users in the use of AI systems. The provider must supply the necessary materials and, where possible, offer training sessions.
Sample Clause:
"The Provider undertakes to supply the Deployer with the necessary training materials to enable end-users to use the AI system safely and compliantly. These materials shall include:
- a detailed user manual;
- practical guides for specific use cases;
- online or in-person training modules, if available.
The Provider shall also offer, upon request by the Deployer, training sessions for users, billed at the prevailing rates."
Red flags:
- The provider supplies no training materials.
- The training materials are too generic and do not cover specific use cases.
- Training sessions are billed at prohibitive rates.
9. Termination Clause for Persistent Non-Compliance
Why? In the event of repeated non-compliance by the provider, the deployer must be able to terminate the contract without penalty. This clause protects the deployer against legal and financial risks associated with a non-compliant system.
Sample Clause:
"In the event of repeated failure by the Provider to meet its contractual or legal obligations, particularly regarding compliance with Regulation (EU) 2024/1689, the Deployer shall have the right to terminate this contract with 30 days' notice, without penalty or compensation. This termination may occur after two formal notices have been issued in writing, specifying the breaches identified.
The Provider undertakes to reimburse the Deployer for any sums paid for the period following termination, where applicable."
Red flags:
- The contract includes no termination clause for non-compliance.
- Termination is subject to high financial penalties.
- No notice period is specified for termination.
10. Applicable Law and Jurisdiction
Why? In the event of a dispute, it is essential to clearly define the applicable law and jurisdiction. This avoids lengthy and costly proceedings in third countries.
Sample Clause:
"This contract shall be governed by English law. Any dispute relating to its interpretation or performance shall be subject to the exclusive jurisdiction of the courts of London, even where there are multiple defendants or third-party claims."
Red flags:
- The contract specifies a foreign applicable law without justification.
- The competent jurisdiction is located in a third country, complicating legal recourse.
- No clause on applicable law or jurisdiction is included.
Ready-to-Use Template Clause for Your AI Contracts
Here is a comprehensive template clause incorporating the key requirements of the AI Act. Adapt it to your context and have it reviewed by your legal team.
"The Provider guarantees that the AI system supplied complies with the requirements of Regulation (EU) 2024/1689, particularly with regard to:
- technical documentation (Annex IV);
- risk management (Article 9);
- transparency and traceability (Article 12);
- incident notification (Article 73);
- CE marking and the EU declaration of conformity (Articles 47 and 48).
The Provider undertakes to:
- deliver to the Deployer, prior to the putting into service of the system, comprehensive and up-to-date technical documentation;
- notify the Deployer of any serious incident within a maximum of 72 hours;
- allow the Deployer to conduct an annual audit of the system and its documentation;
- notify the Deployer of any substantial modification to the system at least 30 days prior to implementation;
- retain logs of the system for a minimum of 6 months;
- supply the necessary training materials for end-users.
In the event of failure to meet these obligations, the Deployer shall have the right to terminate the contract with 30 days' notice, without penalty. This contract shall be governed by English law, and any dispute shall be subject to the exclusive jurisdiction of the courts of London."
How to Negotiate These Clauses with Your Provider
AI providers, especially major players, may resist including these clauses. Here's how to convince them and secure your interests.
1. Anticipate Common Objections
Providers often cite:
- Trade secrets: for technical documentation, propose a non-disclosure agreement (NDA) or an anonymised version of sensitive information.
- Administrative burden: for audits, limit their frequency to once per year and propose to conduct them in collaboration with the provider.
- Additional costs: for training, negotiate a package included in the contract or preferential rates.
2. Use Business Arguments
Highlight:
- Risk reduction: a termination clause for non-compliance protects both parties.
- Competitive differentiation: a provider compliant with the AI Act can leverage this compliance with its customers.
- Access to public procurement: compliance with the AI Act is often a prerequisite for responding to European tenders.
3. Prioritise Non-Negotiable Clauses
Some clauses are essential and should not be compromised:
- Provision of technical documentation (Annex IV).
- Incident notification within 72 hours.
- Annual audit right.
- Termination clause for non-compliance.
For other clauses, be prepared to make compromises, for example on the frequency of audits or the format of logs.
Alignment with GDPR and Other Regulations
AI Act clauses must be coordinated with other legal obligations, particularly the GDPR. Here's how to avoid redundancies and contradictions.
1. Complementarity with the GDPR
The GDPR already requires contractual clauses for processors (Article 28). These clauses can be supplemented by AI Act requirements without unnecessary duplication. For example:
- Notification of data breaches: the GDPR requires a 72-hour timeframe (Article 33), similar to the AI Act for serious incidents. A single clause can cover both obligations.
- Audit right: the GDPR already provides for an audit right for processors. Simply add the AI Act's specific requirements (technical documentation, risk management).
- Log retention: AI Act logs can serve as evidence for data subject rights (right of access, right to explanation) under the GDPR.
2. Coordination with Other Sectoral Regulations
Depending on your sector, other regulations may apply:
- DORA (financial sector): imposes strict requirements for operational resilience, including risk management for AI systems.
- Medical Devices Regulation (MDR): for AI systems used in healthcare, AI Act requirements are in addition to those of the MDR.
- Digital Services Act (DSA): for online platforms using AI, the DSA imposes additional transparency obligations.
To avoid contradictions, appoint a regulatory compliance officer within your organisation to coordinate AI Act requirements with other applicable regulations.
Frequently Asked Questions
Answers to the most common questions about AI Act contractual clauses.
What should I do if my provider refuses to include these clauses?
If your provider refuses to include these clauses, first assess their level of resistance. For essential clauses (technical documentation, incident notification, audit rights), insist on their non-negotiable nature, citing the AI Act's legal obligations and the risks of non-compliance.
If the provider remains inflexible, consider:
- Negotiating alternative clauses, for example by limiting the audit right to once every two years.
- Demanding financial guarantees to cover risks associated with non-compliance.
- Seeking a more cooperative provider, especially if the AI system is critical to your operations.
In all cases, document the provider's refusals and the reasons given in writing. This documentation may be useful in the event of a dispute or inspection by authorities.
Do these clauses also apply to non-high-risk AI systems?
The AI Act imposes different obligations depending on the risk level of the AI system. For non-high-risk systems, certain clauses remain relevant, particularly:
- Transparency: Article 50 requires providers of non-high-risk AI systems to provide clear information on their capabilities and limitations. A contractual clause can formalise this obligation.
- Incident notification: even for non-high-risk systems, it is advisable to require notification of serious incidents, if only for operational reasons.
- User training: Article 4 on AI literacy applies to all systems, regardless of their risk level.
However, clauses relating to technical documentation (Annex IV), CE marking or risk management do not apply to non-high-risk systems. Adapt your contracts accordingly.
How can I verify that my provider is meeting its contractual obligations?
To verify that your provider is meeting its contractual obligations, implement the following measures:
- Regular audits: use the audit right provided in the contract to verify the compliance of technical documentation, logs and risk management procedures.
- Monitoring dashboards: require the provider to supply regular compliance indicators, such as the number of incidents notified or system updates.
- Random tests: conduct occasional tests to verify the traceability of decisions or the effectiveness of risk management measures.
- Annual contract review: hold an annual meeting with the provider to review compliance and identify areas for improvement.
In the event of non-compliance, use the mechanisms provided in the contract, such as formal notices or termination for non-compliance.
What should I do if my provider fails to notify an incident within 72 hours?
If the provider fails to meet its obligation to notify incidents within 72 hours, follow this procedure:
- Formal notice: send a written formal notice to the provider, reminding them of their contractual and legal obligations. Demand immediate notification of the incident and an explanation for the delay.
- Risk assessment: in the absence of notification, assess the risks associated with the incident yourself, based on available information. If necessary, suspend use of the system to limit damage.
- Notification to authorities: if the incident is serious and the provider fails to notify it, you may be required to notify the competent authority yourself, in accordance with Article 73.
- Contractual sanctions: apply the sanctions provided in the contract, such as financial penalties or termination for non-compliance.
- Legal recourse: if the provider's failure causes harm to your organisation, consider legal action to seek compensation.
Document all steps of this procedure to demonstrate your diligence in the event of an inspection by authorities.
Can all deployer obligations be transferred to the provider?
No, the AI Act does not allow for the transfer of all deployer obligations to the provider. Certain obligations remain the exclusive responsibility of the deployer, including:
- System classification: the deployer must verify that the system is correctly classified by the provider and adapt their compliance measures accordingly.
- Human oversight: Article 26(1) requires the deployer to oversee the use of the AI system, even if the provider is responsible for its maintenance.
- User training: while the provider must supply training materials, the deployer remains responsible for the effective training of their teams.
- Notification to authorities: in the event of a serious incident, the deployer may be required to notify the competent authority, even if the provider has already done so.
Article 26(5) specifies that the deployer cannot absolve themselves of their obligations by invoking a contract with the provider. Contractualisation allows for the sharing of responsibilities, but not their complete transfer.

