The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies on a phased schedule: the obligations for high-risk systems listed in Annex III apply from 2 August 2026, and those for systems covered by the Annex I product legislation from 2 August 2027. Organisations procuring AI systems classified as high-risk under Annex III, including AI used in employment decisions, credit scoring, biometric identification, critical infrastructure, education, and law enforcement, must contract with providers in a way that allocates the specific duties the Regulation creates for each party.
What is a high-risk AI system procurement under the EU AI Act?
A high-risk AI system procurement contract is a commercial agreement under which a deployer (the buyer) acquires the right to use an AI system from a provider. Under Article 6 and Annex III of the AI Act, certain AI uses are classified as high-risk and trigger extensive obligations on the provider — including risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity. The procurement contract must enable the deployer to comply with its own Article 26 obligations, which depend on receiving information and support from the provider.
Red flags to watch for
Article 6 sets out the classification criteria. If the use case falls within Annex III, the system is high-risk unless one of the narrow Article 6(3) exceptions applies, and Article 6(4) requires a provider relying on an exception to document that assessment before placing the system on the market. A provider that simply asserts non-classification without documented analysis is shifting compliance risk to the deployer.
Article 11 and Annex IV require providers to draw up and maintain technical documentation, which must be made available to competent authorities on request, and Article 13 requires instructions for use to be supplied to deployers. A contract that is silent on access to this material puts the deployer at risk of being unable to demonstrate its own compliance.
Article 14 requires high-risk AI to be designed for effective human oversight. The contract should specify the oversight features, how to use them, and the provider's support obligations.
Under Article 15, providers must design high-risk systems for an appropriate level of accuracy, robustness, and cybersecurity, and declare the accuracy levels and metrics in the instructions for use. The contract should include the declared metrics and SLAs to maintain them.
Under Article 73, providers must report serious incidents to the market surveillance authorities immediately and no later than 15 days after becoming aware of them (two days for widespread infringements or serious disruption of critical infrastructure, ten days in the event of a death). Deployers have their own duty under Article 26(5) to inform the provider, and then the importer, distributor, and authorities, of serious incidents they identify. The contract should establish bilateral incident reporting flows with timelines short enough for both parties to meet these deadlines.
Where training or inference data include personal data, the GDPR applies alongside the AI Act. The contract should clearly allocate controller and processor roles, include a Data Processing Agreement (Article 28 GDPR), and address cross-border transfer mechanisms.
Maximum administrative fines under Article 99 reach €35m or 7% of worldwide annual turnover, whichever is higher, for prohibited practices, and €15m or 3% for other breaches. A small contractual liability cap may be inadequate where a fine imposed on the deployer was caused by a provider breach.
Providers of general-purpose AI (GPAI) models are subject to the separate Chapter V obligations, with the voluntary General-Purpose AI Code of Practice as a route to demonstrating compliance. If a high-risk system relies on a GPAI model, the supply chain back to the model provider should be transparent, and Article 25(4) requires a written agreement between the high-risk provider and any third party supplying components, specifying the information, technical access, and assistance needed for compliance.
Your legal rights
The EU AI Act (Regulation (EU) 2024/1689, OJ L, 2024/1689, 12.7.2024) creates direct obligations on providers and deployers of high-risk AI systems, alongside fundamental rights protections under the EU Charter and existing sectoral law. Article 26 sets deployer duties: appropriate technical and organisational measures, use in accordance with the instructions for use, human oversight assigned to competent persons, input data relevance, monitoring, retention of logs for at least six months, a GDPR Article 35 DPIA where required, and transparency to affected persons. Article 27 additionally requires a fundamental rights impact assessment from public-body deployers and from certain private deployers (for example in credit scoring and life and health insurance). Enforcement is by the market surveillance authorities each Member State designates (which body holds that role varies by country), coordinated at EU level by the AI Office and the AI Board. The Product Liability Directive (Directive (EU) 2024/2853) extends product liability to software including AI. The GDPR (Regulation (EU) 2016/679) and the Data Act (Regulation (EU) 2023/2854) also apply.
Questions to ask before you sign
1. Is the system classified as high-risk under Article 6 and Annex III, and has the provider supplied documented analysis?
2. Will the provider supply Article 11 technical documentation, Article 13 instructions for use, conformity assessment evidence, the EU declaration of conformity, and CE marking?
3. What human oversight features are built in, and what is the provider's training and support obligation?
4. What accuracy, robustness, and cybersecurity metrics are declared under Article 15, and are they backed by SLAs?
5. What is the incident reporting flow between provider and deployer under Article 73 and Article 26(5)?
6. Are GDPR controller / processor roles allocated, and is a compliant DPA attached?
7. Does the contract address the GPAI supply chain if a foundation model is used, and is the Code of Practice referenced?
8. Does the liability cap permit the deployer to recover for AI Act fines caused by provider breach?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.