GovCompass

Supplier checklist: what must your AI provider deliver?

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

A supplier checklist for AI procurement verifies what a provider must deliver before you can comply as a deployer: the instructions for use (Art. 13.3), the conformity declaration, the risk classification, update notification, and cooperation in a supervisory investigation.

Updated: June 2026

Introduction: the deployer's due diligence right

Art. 26.1 requires deployers to use high-risk AI systems in accordance with the provider's instructions. But before you can comply with instructions, you need to receive them. The EU AI Act creates a chain of documentation obligations that flow from provider to deployer, and deployers have a legitimate right to demand that documentation.

This guide provides a complete checklist of what deployers should demand from AI suppliers, with practical advice on how to request, verify, and file this documentation.

The complete supplier documentation request

1. EU declaration of conformity (Art. 47)

Providers of high-risk AI systems must draw up a written EU declaration of conformity that states the system meets all applicable requirements of the EU AI Act. The declaration must include:

  • Provider identity
  • System name, version, and intended purpose
  • Statement of conformity with all applicable requirements
  • Reference to the conformity assessment procedure used
  • Date and signature of the authorised representative

Red flag: A supplier who cannot or will not provide a declaration of conformity may not have achieved compliance.

2. Instructions for use (Art. 13)

The instructions for use must be comprehensive and must include: the intended purpose; performance metrics and accuracy; known limitations and foreseeable failure modes; required input data specifications; human oversight requirements; and maintenance and monitoring requirements. Obtain these in writing before deployment.

3. Technical documentation summary

The full technical documentation (Annex IV) is the provider's internal compliance record. Deployers are not entitled to the full documentation, which contains proprietary information, but should request a summary covering: system architecture overview, training data description, performance validation results, and risk management summary.

4. EU database registration number (Art. 49)

Providers must register high-risk AI systems in the EU database before market placement. Request the registration number and verify it against the public database.

5. Post-market monitoring plan

Under Art. 72, providers must have a post-market monitoring plan. Request a summary that describes how the provider monitors system performance over time and what their procedure is for updating the system when performance issues are identified.

6. Incident notification procedure

Your supplier contract should include a bilateral incident notification obligation. The provider must notify you of any serious incident, malfunction, or significant performance change that could affect your compliance. Define response time SLAs contractually.

Supplier compliance red flags

  • Cannot provide a declaration of conformity
  • Refuses to provide instructions for use in writing
  • Cannot provide an EU database registration number
  • Responds to documentation requests with generic privacy/confidentiality objections
  • Instructions for use are vague about intended purpose limitations
  • No defined incident notification procedure

Contractual provisions to include

Beyond documentation, your procurement contracts for high-risk AI should include:

  • Representations that the system complies with the EU AI Act
  • Obligations to notify you of system updates that affect compliance
  • Obligations to notify you of serious incidents within a defined timeframe
  • Access rights to updated technical documentation and instructions upon request
  • Indemnity provisions for provider non-compliance that causes deployer liability

Compliance checklist

  1. Have you sent a formal documentation request to every high-risk AI supplier?
  2. Have you received and filed the EU declaration of conformity?
  3. Have you received and reviewed the instructions for use?
  4. Have you verified the EU database registration number?
  5. Do your supplier contracts include the compliance provisions listed above?
  6. Is there a named supplier relationship owner responsible for maintaining documentation?

Legal references: Art. 26, Art. 13

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.