AI Regulatory Intelligence โ€” by YRproject

factual analysis · traceable to primary sources

Compliance platform Work with us LinkedIn NLยทENยทDE
Guide

AI in contracts: the clauses to set when buying and supplying

Adopted 2026-06-21 ยท ≈ 2 min read ยท Dirk Baaijen

There is no separate AI contract law, but the AI Act, product liability and the Data Act together determine what you must set contractually: role allocation, compliance warranties, documentation, liability, data and IP, logging and exit. This guide lays out the core clauses.

Short answer: There is no separate "AI contract law", but the AI Act, product liability and the Data Act together determine what you must set in a contract. The core is role allocation, compliance warranties, documentation, liability, data and intellectual property, logging and exit. Whether you buy or supply AI, these points belong on paper.

Why the contract makes the difference

The AI Act divides duties across roles: the provider carries the heaviest package, the deployer its own set. Article 25 also provides that you become a provider yourself if you put your name on a system or substantially modify it โ€” with all the duties that entails. The contract is where you make those roles, and their consequences, explicit before a regulator or court does it for you.

The core clauses

  1. Role allocation. Set out who is provider and who is deployer, and what happens with changes that could flip the role (Art. 25).
  2. Compliance warranties. Have the supplier warrant that the system complies with the AI Act (classification, conformity assessment, CE marking, and for GPAI the documentation and training-data duties).
  3. Information and documentation. The provider supplies the instructions and documentation the deployer needs to meet Article 26.
  4. Liability and indemnity. Allocate liability deliberately and tie it to product liability; arrange indemnities for third-party claims.
  5. Data and intellectual property. Who may use input data, who owns the output, and how does that relate to Data Act rights over data generated by use?
  6. Transparency and logging. Secure access to logs and relevant information for monitoring, incident investigation and audits.
  7. Updates, changes and retraining. Agree how updates and retraining are made and notified โ€” a substantial change can affect classification or role.
  8. Exit and cooperation. Arrange termination, data portability and cooperation with supervisory requests.

For the buyer and the supplier

The buyer wants warranties, documentation, liability at source and a workable exit. The supplier wants to bound its responsibility โ€” especially against changes or use outside the intended purpose, which can turn the customer into a provider. A good AI contract makes both interests explicit instead of saving them up until there is damage.

What to do

  • Start with the role: provider or deployer โ€” and what a change does to it.
  • Reference the standard: have compliance with the AI Act and relevant standards warranted contractually.
  • Make documentation and logging enforceable โ€” you need them for supervision and for a liability defence.
  • Settle data and output before go-live, not after.

The contract is where AI governance and AI liability meet. Get it right and you shift the risk to the party that can bear it โ€” and know in advance who stands for what.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Art. 25 (provider/deployer roles), 26 (information duty) and 53 (GPAI documentation).
  2. https://eur-lex.europa.eu/eli/dir/2024/2853/oj
    Directive (EU) 2024/2853 (Product Liability): co-determines who bears civil liability for harm from AI.
  3. https://eur-lex.europa.eu/eli/reg/2023/2854/oj
    Regulation (EU) 2023/2854 (Data Act): access to and use of data, with mandatory contract terms.

Share on LinkedIn

Read next

W

The AI Act for procurement: supplier requirements and contract clauses

Whoever procures AI often becomes a deployer under the AI Act and carries their own obligations. A supplier claiming to be "AI Act compliant" is no guarantee. This guide explains what to ask up front and which clauses belong in the contract.

U

Procuring an AI model (GPAI): what duties do you have as a deployer?

The heaviest GPAI duties fall on the provider, not on you. As a deployer your obligations centre on AI literacy (Article 4), transparency (Article 50) and โ€” for high-risk use โ€” the deployer duties in Article 26.

A

Provider or deployer in HR AI: who is what?

In HR AI the builder of the ATS or HR tech is usually the provider and the employer the deployer. But an employer can become a provider itself through own branding or substantial modification (Art. 25). The role determines which duties apply.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.