EU AI Act Procurement Requirements for German Enterprises
Short answer
Under the EU AI Act, German enterprises deploying AI systems are usually 'deployers' — and their compliance obligations flow directly into vendor contracts. Before August 2, 2026, companies procuring Annex III high-risk AI should demand conformity documentation, CE marking evidence, human oversight instructions, logging support, and incident escalation clauses from the provider.
- German enterprises are typically AI deployers under the EU AI Act — not providers.
- High-risk AI systems require conformity assessments and CE marking before deployment.
- Vendor contracts must include AI Act clauses covering human oversight and incident reporting.
- For most Annex III high-risk AI systems, deployer obligations bite from August 2, 2026.
Under the EU AI Act, German enterprises that deploy AI systems — as deployers rather than providers — carry specific legal obligations that can only be fulfilled if their vendor contracts contain the right clauses. Many of these obligations fall directly on the company deploying the AI, not on the company that built it. This guide tells you exactly what to demand from your AI vendors before August 2, 2026.
Compound Law advises enterprise clients to treat AI procurement as a compliance exercise, not just a commercial negotiation. The contracts you sign today will determine whether your company can evidence compliance once a regulator or business partner starts asking for documentation.
Deployer vs. Provider: Who Is Responsible for What
The EU AI Act draws a clear line between two categories of actors:
Providers develop AI systems and place them on the market. They are responsible for conducting conformity assessments, maintaining technical documentation, applying CE marking (where required), and registering in the EU database for high-risk AI systems.
Deployers put AI systems into service for their own purposes — typically businesses purchasing AI tools, platforms, or APIs from third-party vendors. Deployers do not build the AI system, but they operate it within their business processes.
Most German enterprises are deployers. If your company uses an AI-powered HR screening tool, an AI credit risk model, or a GPAI-based customer service system built by a third party, you are a deployer under the AI Act — and Articles 25–26 apply to you directly.
Why deployer obligations flow upstream to vendor contracts: As a deployer, you cannot fulfill your legal obligations alone. You need information, documentation, and contractual commitments from your AI vendor. Without those, you cannot:
- Verify the system’s conformity assessment
- Implement the vendor’s human oversight instructions
- Escalate AI risks quickly to the provider and the relevant authority where required
- Conduct internal monitoring and log reviews
This is why AI Act procurement is fundamentally a contract law challenge.
What the EU AI Act Requires Deployers to Do by August 2026
The August 2, 2026 deadline is when most Annex III high-risk AI obligations and transparency requirements start applying in practice. Certain product-safety-linked AI obligations under Article 6(1) phase in later, on August 2, 2027. Here is what deployers of high-risk AI systems should have in place:
High-Risk AI System Obligations (Annex III)
High-risk AI systems are those listed in Annex III of the EU AI Act. Categories particularly relevant to German enterprises include:
- Recruitment and HR tools — CV screening, candidate ranking, promotion decisions
- Credit scoring and creditworthiness assessment — automated lending decisions
- Biometric identification — real-time or post-hoc identification systems
- Critical infrastructure management — energy, water, transport, digital infrastructure
- Law enforcement applications — risk assessment tools used in policing or corrections
- Educational access — systems determining access to educational institutions
For high-risk AI in financial services, the obligations are particularly demanding. The same applies to legal services using AI, where professional liability intersects with AI Act compliance.
General-Purpose AI (GPAI) Transparency Requirements
From August 2, 2025, general-purpose AI model providers must publish technical documentation and comply with copyright transparency requirements. As a deployer of GPAI-based systems (such as large language model APIs), your obligations include:
- Maintaining records of the GPAI models you use in customer-facing applications
- Ensuring transparency disclosures to end users where required under Article 50
- Conducting due diligence on the GPAI providers’ compliance posture
Human Oversight Obligations
Article 26(1) requires deployers of high-risk AI systems to implement appropriate human oversight measures as instructed by the provider. Concretely, this means:
- Assigning qualified staff to monitor AI outputs
- Retaining the ability to override, suspend, or discontinue AI system decisions
- Ensuring that no high-stakes decision affecting individuals is fully automated without a meaningful human review step
Risk Escalation and Serious Incident Cooperation
Under Article 26, a deployer that has reason to believe a high-risk AI system creates a risk must inform the provider or distributor and the relevant market-surveillance authority without undue delay, and suspend use of the system. Separately, Article 73 puts the primary serious-incident reporting duty on the provider, but deployers still need the contract to force rapid information-sharing and cooperation.
In practice, that means your procurement package should ensure that the vendor notifies you immediately about serious incidents, near misses, corrective actions, and any challenge to the system’s conformity status. Without those clauses, your legal team may not have enough information to suspend use, escalate appropriately, or document its response.
What to Demand from Your AI Vendor in the Contract
Compound Law advises enterprise clients to treat the following as minimum required terms in any contract involving a high-risk AI system. These are not negotiable positions — they are legal obligations that your vendor must support:
Conformity Assessment Documentation (Annex IV Technical File)
Your contract should give you the right to request and inspect the Annex IV technical file — the documentation package that proves the provider completed a conformity assessment. This file includes the system’s intended purpose, development process, training data description, accuracy metrics, and testing results.
The contract clause should specify: delivery timeline for the technical file on request, update obligations when the system changes materially, and a right to receive updated documentation following any substantial modification.
CE Marking and Declaration of Conformity
For high-risk AI systems, the provider is required to affix CE marking before placing the system on the market. Your contract should confirm:
- That the system carries valid CE marking at the time of delivery
- That the declaration of conformity is available for inspection
- That the provider maintains this marking on an ongoing basis
- Notification obligations if the CE marking is withdrawn or under challenge
Instructions for Use — Including Human Oversight Procedures
Article 13 requires that high-risk AI systems be accompanied by clear instructions for use, including guidance on human oversight implementation. Your contract should:
- Require delivery of complete, up-to-date instructions for use in a language your staff can read
- Obligate the provider to update instructions when the system changes
- Specify that instructions must cover how to implement the human oversight measures required by Article 26(1)
Incident and Serious Incident Reporting Obligations
Your contract must include provisions requiring the vendor to:
- Notify you immediately (within 24 hours where practicable) of any serious incident or near-miss involving the AI system
- Share all information necessary for you to assess whether use must be suspended or escalated to the relevant authority
- Cooperate with any market-surveillance inquiry or corrective action process
- Maintain incident logs and make them available to you on request
Without these clauses, you cannot meet your own incident reporting obligations as a deployer.
Right to Audit and Inspect Technical Documentation
Your contract should include an audit right that allows you (or your appointed legal counsel or technical advisor) to inspect:
- The technical documentation at any point during the contract term
- Compliance records and test reports
- Data governance documentation relevant to the system
This audit right is not only prudent — in many cases it is necessary to demonstrate your own compliance posture to the relevant authority, customer, or internal control function.
Data Governance Obligations from the Vendor Side
For high-risk AI systems, the EU AI Act imposes strict data governance requirements on providers. Your contract should pass through these obligations, requiring the vendor to confirm:
- Training datasets met the quality criteria in Article 10
- Bias testing was conducted and documented
- Data is not sourced from prohibited categories under the GDPR or AI Act
This aligns with your GDPR vendor assessment checklist, which addresses similar requirements under the GDPR lens.
Training Data Provenance
For high-risk systems, Article 10 requires that training, validation, and test datasets satisfy specific quality criteria. Your contract should include a representation from the vendor that training data:
- Is subject to appropriate data governance practices
- Was examined for possible biases before and during training
- Does not include personal data collected in violation of applicable law
Procurement Checklist for High-Risk AI Systems
Use this checklist when evaluating any AI vendor contract involving a potentially high-risk AI system:
- Classification confirmed: Is the AI system classified as high-risk under Annex III? (If uncertain, seek legal advice before signing)
- Conformity assessment completed: Has the provider confirmed completion of a conformity assessment and provided the Annex IV technical file?
- CE marking valid: Does the system carry valid CE marking and is the declaration of conformity available?
- Instructions for use received: Are complete, German-language-accessible instructions for use — including human oversight procedures — included in the contract deliverables?
- Incident escalation clause included: Does the contract require the vendor to notify you promptly of serious incidents and cooperate with any relevant authority?
- Audit right confirmed: Does the contract give you the right to inspect technical documentation?
- DPA aligned: Is the GDPR Data Processing Agreement aligned with the technical documentation on data processing scope?
- Data governance confirmed: Has the vendor represented that training data meets Article 10 requirements?
- Human oversight procedures documented: Are oversight measures specified in the contract and in the instructions for use?
Model Contract Clauses: What German Law Requires
The European Commission has published EU model contractual clauses for AI procurement, developed in consultation with the European Innovation Partnership on AI. These provide a starting-point framework, particularly for public sector procurement, and are referenced by the eipa.eu guidance at the intersection of EU AI Act and public procurement rules.
For private-sector German enterprises, those model clauses must be adapted to comply with:
BGB and AGB requirements: Standard terms (Allgemeine Geschäftsbedingungen / AGBs) in German contracts are subject to the BGB content control rules. AI Act compliance clauses that are imposed as one-sided standard terms may face challenge if they create a significant imbalance. Compound Law advises negotiating AI Act clauses as individually negotiated terms (Individualvereinbarungen) where possible.
Liability caps: German law permits contractual limitation of liability, but caps that would prevent a deployer from meeting its regulatory obligations are unlikely to be enforceable. Your contract should specify that liability caps do not apply to the vendor’s obligations to provide accurate technical documentation or to notify you of serious incidents and material compliance defects.
Interaction with GDPR DPA obligations: The EU AI Act and GDPR obligations overlap significantly for high-risk AI systems that process personal data. A compliant procurement package for such systems requires both a GDPR DPA (covering data processing, sub-processors, data subject rights, and transfers) and a separate AI Act addendum (covering conformity, oversight, and incidents). The two instruments are not substitutes — both are legally required.
August 2026 Timeline: What German Enterprises Must Have in Place
August 2, 2026 is the main deadline for most Annex III deployer obligations. Here is what should be in place for high-risk AI systems:
Before August 2, 2026 — for live or planned Annex III systems:
- Conduct an AI system inventory: identify all AI systems in operation and classify each against Annex III
- For each high-risk system, request the Annex IV technical file from the vendor
- Audit existing contracts for AI Act gaps and initiate renegotiation
- Implement human oversight procedures for each high-risk system
- Establish an internal incident monitoring and reporting process
For systems procured after August 2, 2026: All new AI vendor contracts should include compliant AI Act clauses from the outset. Systems lacking the required conformity documentation and provider support should not be deployed.
What happens if you procured a high-risk system before the deadline? Article 111 matters here. For many high-risk AI systems already placed on the market or put into service before August 2, 2026, the new regime applies only once the system is subject to a significant change in design after that date. That does not mean private deployers can ignore legacy contracts: renewals, expanded functionality, new integrations, changed intended purpose, or vendor-side model changes can all reopen the compliance analysis.
Transition arrangements for existing contracts: Where renegotiation is not immediately possible, deployers should document their classification analysis, record why Article 111 may apply, and implement interim oversight and escalation controls. That documentation will not replace compliance, but it can materially improve the company’s defensibility.
Frequently Asked Questions
Does the EU AI Act apply to all AI tools I use at my company?
No. The EU AI Act applies differently depending on how AI is classified. Prohibited AI (banned entirely), high-risk AI (Annex III — full obligations), GPAI (transparency and documentation requirements), and limited-risk AI (disclosure obligations only) each carry different rules. Many standard software tools that include basic AI features — such as autocomplete or spam filtering — fall outside the high-risk classification entirely and require only limited disclosure compliance.
Do I need to renegotiate existing AI vendor contracts?
Often yes, but not automatically in every case. Where a high-risk system is already in service before August 2, 2026, Article 111 can preserve part of the legacy position unless the system is significantly changed. Even so, most enterprises should start renegotiation now because extensions, scope creep, and vendor updates can remove that comfort quickly. For systems that are not high-risk, contract review is still prudent to confirm GPAI and transparency obligations are addressed.
What is a conformity assessment and can I ask my vendor for one?
A conformity assessment is the documented process by which an AI provider verifies that its system meets the EU AI Act’s requirements. You have the right to request the Annex IV technical file that results from this assessment. If a vendor refuses to provide this documentation for a high-risk system, that refusal is a significant red flag — and potentially your own compliance risk as a deployer.
What penalties apply if my company fails to comply as a deployer?
The AI Act provides for fines of up to €15 million or 3% of global annual turnover, whichever is higher, for many non-compliance cases. For prohibited AI violations, fines rise to €35 million or 7%. Beyond administrative fines, deployer liability under German civil law (BGB) may arise if an AI system causes harm and the deployer cannot demonstrate adequate oversight.
Enforcement in Germany: The national enforcement setup continues to develop. The Bundesnetzagentur is publicly preparing for a central role in Germany’s AI Act implementation, but enterprises should monitor the final allocation of market-surveillance responsibilities and sector-specific competences.
This guide is general information only and does not constitute legal advice for your specific situation. EU AI Act compliance depends on the classification of your specific AI systems and the contractual arrangements in place. Compound Law advises German enterprises on AI Act procurement strategy, contract review, and compliance readiness — contact us to discuss your situation.