Key facts

  • Contracts should explicitly allocate provider and deployer roles between buyer and supplier.
  • Audit rights over the AI system and its risk documentation should be included, not assumed.
  • Incident notification timeframes need to be explicit, not left to "reasonable efforts".
  • Ask suppliers to commit contractually to providing evidence you'll need for your own compliance file.
  • Use the free vendor due diligence checklist alongside contract negotiation.

Role allocation clauses

Contracts should state explicitly which party is the provider and which is the deployer for the AI system in question, including for any features where the buyer's own configuration or use might shift the allocation. Ambiguity here creates real risk if a regulator or auditor later asks who was responsible for what.

Audit and evidence clauses

Include the right to audit the supplier's AI system documentation, risk management process and, where relevant, conformity assessment records. Also specify what evidence the supplier will proactively provide — technical documentation, risk assessments, incident logs — rather than relying on the buyer to request it each time.

Transparency and disclosure clauses

Where the AI system is subject to transparency obligations (such as Article 50 disclosure requirements), the contract should commit the supplier to providing the necessary information in a form the buyer can pass on to end users or use in its own disclosures.

Incident notification clauses

Set an explicit timeframe for the supplier to notify the buyer of any AI-related incident, malfunction or serious risk discovered in the system — vague commitments to notify "promptly" or "as soon as reasonably possible" are harder to enforce and to plan around.

Frequently asked questions

What should an AI procurement contract cover?

Role allocation, audit rights, transparency and disclosure commitments, incident notification timeframes, and evidence obligations.

Why does role allocation matter in AI contracts?

It determines who is responsible for which EU AI Act obligations, and ambiguity creates risk if this is ever questioned by a regulator or auditor.

What audit rights should be included?

The right to audit the AI system's documentation, risk management process, and conformity assessment records where applicable.

How specific should incident notification clauses be?

Very — a defined timeframe is far more enforceable than vague commitments to notify "promptly".

What evidence should suppliers commit to providing?

Technical documentation, risk assessments and incident logs needed to support the buyer's own compliance file.

Last updated 19 June 2026.