GovCompass

Supplier Checklist: What Must Your AI Provider Deliver?

Updated: June 2026 — full revision to Validai quality standard

Introduction: The Deployer's Due Diligence Right

Art. 26.1 requires deployers to use high-risk AI systems in accordance with the provider's instructions. But before you can comply with instructions, you need to receive them. The EU AI Act creates a chain of documentation obligations that flow from provider to deployer — and deployers have a legitimate right to demand that documentation.

This guide provides a complete checklist of what deployers should demand from AI suppliers, with practical advice on how to request, verify, and file this documentation.

The Complete Supplier Documentation Request

1. EU Declaration of Conformity (Art. 47)

Providers of high-risk AI systems must draw up a written EU declaration of conformity that states the system meets all applicable requirements of the EU AI Act. The declaration must include:

  • Provider identity
  • System name, version, and intended purpose
  • Statement of conformity with all applicable requirements
  • Reference to the conformity assessment procedure used
  • Date and signature of the authorised representative

Red flag: A supplier who cannot or will not provide a declaration of conformity may not have achieved compliance.

2. Instructions for Use (Art. 13)

The instructions for use must be comprehensive and must include: the intended purpose; performance metrics and accuracy; known limitations and foreseeable failure modes; required input data specifications; human oversight requirements; and maintenance and monitoring requirements. Obtain these in writing before deployment.

3. Technical Documentation Summary

The full technical documentation (Annex IV) is the provider's internal compliance record. Deployers are not entitled to the full documentation — it contains proprietary information — but should request a summary covering: system architecture overview, training data description, performance validation results, and risk management summary.

4. EU Database Registration Number (Art. 49)

Providers must register high-risk AI systems in the EU database before market placement. Request the registration number and verify it against the public database.

5. Post-Market Monitoring Plan

Under Art. 72, providers must have a post-market monitoring plan. Request a summary that describes how the provider monitors system performance over time and its procedure for updating the system when performance issues are identified.

6. Incident Notification Procedure

Your supplier contract should include a bilateral incident notification obligation. The provider must notify you of any serious incident, malfunction, or significant performance change that could affect your compliance. Define response time SLAs contractually.

Supplier Compliance Red Flags

  • Cannot provide a declaration of conformity
  • Refuses to provide instructions for use in writing
  • Cannot provide an EU database registration number
  • Responds to documentation requests with generic privacy/confidentiality objections
  • Instructions for use are vague about intended purpose limitations
  • No defined incident notification procedure

Contractual Provisions to Include

Beyond documentation, your procurement contracts for high-risk AI should include:

  • Representations that the system complies with the EU AI Act
  • Obligations to notify you of system updates that affect compliance
  • Obligations to notify you of serious incidents within a defined timeframe
  • Access rights to updated technical documentation and instructions upon request
  • Indemnity provisions for provider non-compliance that causes deployer liability

Compliance Checklist

  1. Have you sent a formal documentation request to every high-risk AI supplier?
  2. Have you received and filed the EU declaration of conformity?
  3. Have you received and reviewed the instructions for use?
  4. Have you verified the EU database registration number?
  5. Do your supplier contracts include the compliance provisions listed above?
  6. Is there a named supplier relationship owner responsible for maintaining documentation?