Key facts

  • Ask vendors to self-classify their EU AI Act role (provider/deployer) and risk tier.
  • Request evidence of risk assessment or evaluation work, not just a description of the product.
  • Ask specifically how the system supports human oversight.
  • Request a description of data sourcing, retention and sub-processor arrangements.
  • Score responses on specificity — vague answers are themselves useful information.

Role and risk classification questions

"What role does your organisation play under the EU AI Act for this system: provider, deployer, or both?" and "Which risk tier do you place this system in (prohibited, high-risk, transparency-obligation only, or minimal), and on what basis?" These questions immediately separate vendors who have done real compliance work from those who have not considered the question. Asking for the basis matters as much as the tier itself: a vendor who can name the use case or annex category that drove the classification has done the analysis; one who simply asserts "low risk" has not.

Evidence questions

"What technical documentation, risk assessment or evaluation evidence can you provide for this system?" and "Do you hold any certifications relevant to this system (such as ISO/IEC 42001)?" Ask for the evidence itself to be supplied as part of the RFP response, not just a yes/no answer: a named risk assessment, an evaluation report or a certificate with its scope is checkable, a claim that one exists is not.

Human oversight questions

"How does a human user meaningfully review, override or stop this system's output?" Look for a concrete mechanism (a review step, an override control, a documented stop procedure) rather than a statement that oversight is "supported". A vendor who cannot describe one has probably not designed one.

Data governance questions

"Where is training and operational data sourced from, how long is it retained, and who are your sub-processors?" This supports both EU AI Act and data protection due diligence in a single question set.

Scoring the responses

Treat specificity itself as a signal. A vendor who answers precisely, with named documents and processes, has usually done the underlying work. A vendor who answers in generic marketing language likely has not — score accordingly.

Frequently asked questions

What AI-specific questions should an RFP include?

Role allocation, risk classification, data governance, human oversight design, and requests for supporting evidence.

Why ask vendors to self-classify their EU AI Act role?

It reveals whether they've done real compliance work — vendors without an answer likely haven't considered the question.

What evidence should vendors provide in an RFP response?

Technical documentation, risk assessment or evaluation evidence, and relevant certifications such as ISO/IEC 42001, supplied with the response rather than merely asserted.

How do you score vague RFP responses?

Treat vagueness itself as a signal — specific, evidenced answers indicate real compliance work; generic language often indicates the opposite.

Should data governance questions be part of an AI RFP?

Yes — data sourcing, retention and sub-processors matter for both EU AI Act and data protection due diligence.

Last updated 19 June 2026.