AI Procurement Compliance: Evaluating Third-Party AI Solutions Under the EU AI Act

On-Premises AI · AI Architecture · Data Security · Best Practices · Advanced

How procurement teams, CTOs, and compliance officers can evaluate AI vendors and solutions against EU AI Act obligations, covering due diligence, contractual requirements, and deployment responsibilities.

Why AI Procurement Is Now a Compliance Decision

Procuring AI solutions has traditionally been treated as a technology purchasing decision, evaluated primarily on capability, performance, integration effort, and cost. The EU AI Act changes this fundamentally. Under the regulation, organizations that deploy high-risk AI systems bear specific obligations regardless of whether they built the system in-house or procured it from a third party. The deployer cannot outsource its compliance responsibilities through a vendor contract.

This means that procurement decisions about AI solutions are now compliance decisions. Choosing a vendor that cannot provide adequate technical documentation, logging capabilities, human oversight mechanisms, or transparency features may leave the deploying organization unable to meet its legal obligations. The procurement process must therefore evaluate not just what an AI system can do, but whether it can be operated in a manner that satisfies regulatory requirements.

For European enterprises operating in regulated sectors such as financial services, healthcare, energy, or public administration, this shift demands new procurement criteria, new due diligence processes, and new contractual frameworks that address AI-specific compliance requirements alongside traditional information security and data protection provisions.

The Provider-Deployer Responsibility Split

The EU AI Act distinguishes between AI system providers and deployers. Providers are responsible for designing, developing, and placing AI systems on the market. They must ensure that high-risk AI systems meet the regulation's essential requirements before deployment, including risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, and robustness.

Deployers, the organizations that use AI systems under their authority, have their own set of obligations. They must use AI systems in accordance with the provider's instructions, ensure human oversight, monitor the system's operation, report serious incidents, and conduct fundamental rights impact assessments where applicable. Critically, deployers must also ensure that the input data they provide is relevant and sufficiently representative for the system's intended purpose.

This split creates a practical challenge during procurement. The deployer needs assurance that the provider has fulfilled its obligations, because the deployer's ability to meet its own obligations depends on the provider's compliance. If the provider has not implemented adequate logging, the deployer cannot fulfill its record-keeping obligations. If the provider has not designed the system for human oversight, the deployer cannot implement meaningful human review.

Procurement teams must therefore evaluate providers not just on product features but on their ability to demonstrate compliance with provider obligations under the EU AI Act. This requires a new category of due diligence that goes beyond traditional vendor assessment questionnaires.

Due Diligence Framework for AI Procurement

An effective AI procurement due diligence process should evaluate vendors across several dimensions that map to EU AI Act requirements. These evaluations should be conducted before contract signing and revisited periodically throughout the relationship.

Technical documentation: Request the provider's technical documentation as specified in Annex IV of the EU AI Act. This documentation should describe the system's intended purpose, design specifications, development methodology, data requirements, performance metrics, known limitations, and instructions for use. Incomplete or vague documentation is a significant compliance risk for the deployer.

Data governance: Understand how the provider manages training data, validation data, and testing data. Evaluate the provider's data quality management processes, bias detection methods, and data provenance tracking. For systems that will process the deployer's data, clarify where data is processed, stored, and retained, and what access controls apply.

Logging and traceability: Verify that the system generates structured logs sufficient for the deployer to demonstrate traceability. Logs should capture inputs, outputs, model versions, confidence scores, and timestamps at minimum. The deployer should be able to export, query, and retain these logs independently of the provider's platform.

Human oversight: Assess whether the system supports the human oversight mechanisms that the deployer's use case requires. This may include approval workflows, confidence thresholds that trigger human review, override capabilities, and user interfaces for human reviewers. Systems that operate as black boxes without intervention points may not be suitable for high-risk deployments.
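The logging and human-oversight items above are the two due-diligence points a deployer can actually test against a vendor's export before signing. The following added example (not code from the original post, from Sysart Consulting, or from any vendor platform) shows one way to do that on the deployer side: it validates that each exported inference record carries the minimum traceability fields named above (input, output, model version, confidence score, timestamp), routes decisions below a confidence threshold to human review, and records reviewer overrides next to the original output so the audit trail keeps both. The line-delimited JSON layout, field names, threshold and sample records are constructed assumptions for illustration.

```python
"""
Deployer-side checks for two due-diligence items:
  1. traceability: every inference record must carry the minimum fields
     (input, output, model version, confidence, timestamp) in an export the
     deployer can parse independently of the vendor platform;
  2. human oversight: a confidence threshold routes low-confidence decisions
     to a human reviewer, and reviewer overrides are logged alongside the
     original output.
Record layout, field names and sample data are constructed for illustration
and are not the schema of any particular vendor.
"""
import json
from datetime import datetime, timezone

# Assumed minimum record fields (constructed; align these with the Annex IV
# documentation and log format the contract specifies).
REQUIRED_FIELDS = {"input", "output", "model_version", "confidence", "timestamp"}


def validate_record(record: dict) -> list:
    """Return the problems found in one inference record (empty list if it is complete)."""
    problems = []
    missing = REQUIRED_FIELDS - set(record.keys())
    if missing:
        problems.append(f"missing fields: {sorted(missing)}")
    conf = record.get("confidence")
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
        problems.append("confidence must be a number in [0, 1]")
    ts = record.get("timestamp")
    try:
        # Older Pythons do not accept a trailing 'Z', so normalise it first.
        datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
    except (TypeError, ValueError):
        problems.append("timestamp is not ISO 8601")
    if not str(record.get("model_version", "")).strip():
        problems.append("model_version is empty")
    return problems


def validate_export(ndjson_text: str) -> dict:
    """Validate a whole line-delimited JSON export; returns counts and per-line problems."""
    report = {"total": 0, "valid": 0, "problems": {}}
    for lineno, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        report["total"] += 1
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            report["problems"][lineno] = ["not valid JSON"]
            continue
        probs = validate_record(record)
        if probs:
            report["problems"][lineno] = probs
        else:
            report["valid"] += 1
    return report


def route_decision(record: dict, threshold: float) -> str:
    """Human-oversight routing: 'auto' at or above the threshold, 'human_review' below it."""
    return "auto" if record["confidence"] >= threshold else "human_review"


def apply_override(record: dict, reviewer: str, new_output: str, reason: str) -> dict:
    """Return a copy of the record with a reviewer override; the original output is kept for audit."""
    overridden = dict(record)
    overridden["override"] = {
        "reviewer": reviewer,
        "original_output": record["output"],
        "new_output": new_output,
        "reason": reason,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    overridden["output"] = new_output
    return overridden


# Constructed sample export: two complete records, one incomplete, one malformed line.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"input": "claim #1001", "output": "approve", "model_version": "v2.3.1",
                "confidence": 0.97, "timestamp": "2025-01-15T09:30:00Z"}),
    json.dumps({"input": "claim #1002", "output": "reject", "model_version": "v2.3.1",
                "confidence": 0.62, "timestamp": "2025-01-15T09:31:10Z"}),
    json.dumps({"input": "claim #1003", "output": "approve", "confidence": 1.4}),
    "{not json",
])

if __name__ == "__main__":
    print(json.dumps(validate_export(SAMPLE_EXPORT), indent=2))
    for line in SAMPLE_EXPORT.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not validate_record(rec):
            print(rec["input"], "->", route_decision(rec, threshold=0.8))
```

Run against a vendor's sample export during due diligence: a non-zero problem count shows the export cannot support the deployer's record-keeping obligation as delivered, and the threshold value is the knob the deployer, not the provider, should own.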

Accuracy and robustness: Request evidence of the system's performance against relevant benchmarks, including performance on edge cases and adversarial inputs. Understand the provider's approach to monitoring accuracy degradation over time and their process for addressing performance issues.

Security posture: Evaluate the provider's cybersecurity measures, including data encryption, access controls, vulnerability management, and incident response capabilities. For on-premises deployments, assess the security architecture of the deployed components and the provider's patch management process.

Contractual Requirements for AI Act Compliance

Traditional procurement contracts for software and cloud services typically address intellectual property, service levels, data protection, liability, and termination. AI procurement contracts under the EU AI Act need additional provisions that address the unique compliance dynamics of AI systems.

Documentation delivery obligations: The contract should require the provider to deliver and maintain technical documentation that meets EU AI Act Annex IV requirements. This documentation should be updated when the system is modified and delivered in a format that the deployer can present to regulators or auditors.

Logging and data export: The deployer should have contractual rights to access, export, and retain all logs generated by the AI system. This is essential for the deployer's record-keeping obligations and should survive contract termination. Log formats should be specified to ensure interoperability with the deployer's audit and compliance systems.

Change notification: The provider should be contractually obligated to notify the deployer of any changes that could affect the system's risk profile, including model updates, training data changes, architectural modifications, and performance regressions. The deployer needs this information to determine whether a reassessment or re-evaluation is required.

Incident cooperation: The contract should define the provider's obligations in the event of a serious incident, including information sharing, root cause analysis, and cooperation with regulatory authorities. Under the EU AI Act, deployers must report serious incidents to supervisory authorities, and they need the provider's cooperation to do so effectively.

Audit rights: The deployer should have the right to audit the provider's compliance with AI Act obligations or to engage a third-party auditor for this purpose. This is particularly important for high-risk AI systems where the deployer's regulatory exposure is significant.

Deployment flexibility: Consider whether the contract allows for on-premises or private cloud deployment. Organizations that require data sovereignty or operate in regulated sectors may need the AI system to run within their own infrastructure, giving them direct control over data flows, access controls, and logging.

Why On-Premises Deployment Reduces Procurement Risk

For organizations procuring AI solutions for high-risk use cases, on-premises deployment significantly reduces several categories of procurement-related compliance risk.

When an AI system runs within the organization's own infrastructure, the deployer has direct control over data residency, eliminating concerns about cross-border data transfers or data processing in jurisdictions with different regulatory requirements. The deployer controls access to inference logs, ensuring that record-keeping obligations can be met independently of the provider's platform availability or data retention policies.

On-premises deployment also simplifies the human oversight architecture. Integration with the organization's existing identity management, workflow, and review systems is more straightforward when the AI system operates within the same network and security boundary. Approval workflows can route through established governance channels rather than requiring connectivity to external platforms.

From a procurement perspective, on-premises deployment reduces the deployer's dependency on the provider for ongoing compliance. If the relationship with the provider changes, the deployer retains control of the deployed system, its logs, and its data. This is particularly important for high-risk AI systems where regulatory obligations extend beyond the contract term.

Platforms such as VDF AI are designed for this deployment model, providing model serving, RAG capabilities, agent orchestration, and governance controls that run entirely within the organization's infrastructure. This approach gives procurement teams confidence that the deployed solution supports the full range of deployer obligations without relying on external cloud services for critical compliance functions such as logging, access control, and data sovereignty.

Building Procurement Capability for the AI Act Era

Effective AI procurement under the EU AI Act requires collaboration between procurement, legal, compliance, IT security, and AI engineering teams. No single function has the expertise to evaluate every dimension of an AI vendor's compliance readiness.

Sysart Consulting helps organizations build structured AI procurement processes that integrate regulatory requirements into existing procurement workflows. This includes developing AI-specific vendor assessment criteria aligned with EU AI Act obligations, creating procurement checklists and evaluation scorecards, drafting contractual clauses that address provider-deployer responsibility splits, and training procurement teams on the technical and regulatory dimensions of AI system evaluation.

The practical outcome is a procurement process that identifies compliance gaps before contract signing rather than discovering them after deployment. This protects the organization from regulatory exposure, reduces the cost of post-deployment remediation, and ensures that procured AI systems can be operated within the organization's governance framework from day one.

Organizations should review their AI procurement approach with legal and compliance teams to ensure alignment with their specific regulatory context, risk appetite, and sector-specific requirements. The EU AI Act's requirements may be supplemented by national implementation measures, sector-specific regulations, and evolving guidance from national supervisory authorities.

Featured image by Egor Komarov on Unsplash.