Procurement workflow surface

EU AI Act — vendor disclosure form

This is a sample disclosure form a procurement team can adapt for vendor RFPs and ITTs evaluating systems against EU AI Act. The provision-specific questions below were derived from the catalog's coverage cells; before issuing, a qualified procurement lawyer should review the adapted version against your jurisdiction's contract law. This form is NOT legal advice (see charter §7.4).

Export:use your browser's Print → Save as PDF to produce a printable copy. Native .docx / .pdf export ships on the roadmap (see /wiki/roadmap); for now, browser print-to-PDF is the supported flow.

1. Vendor identification

Vendor legal name

Jurisdiction of incorporation

Primary contact (name, role)

Primary contact (email, phone)

RFP / ITT reference number

Response submission date

2. AI system identification

System name

Version / build identifier

Underlying model(s) + provider(s)

Intended use(s) within this engagement

Jurisdiction(s) of deployment

Other AI-governance instruments the system claims compliance with

3. Provision-specific questions

Foundation Models / GPAI. Does the offered system meet the threshold for a general-purpose / foundation model under EU AI Act (Arts. 51-55 (general-purpose AI + systemic risk))? If yes, identify the specific obligations you will satisfy and the evidence you will provide.
(Cite: Arts. 51-55 (general-purpose AI + systemic risk))
Biometric Identification. Does the offered system perform biometric identification within scope of EU AI Act (Art. 5(1)(h) prohibition + Art. 26(10) post-hoc rules)? If yes, declare which sub-class applies (real-time / post-hoc / categorisation) and the legal basis under which it is offered for deployment.
(Cite: Art. 5(1)(h) prohibition + Art. 26(10) post-hoc rules)
Deepfakes / Synthetic Content. Does the offered system generate or substantially modify audio / video / image / text in ways requiring disclosure or machine-readable provenance under EU AI Act (Art. 50(4) (disclosure obligation for deep fakes))? Describe the disclosure + provenance mechanisms implemented and their robustness against removal.
(Cite: Art. 50(4) (disclosure obligation for deep fakes))
AI in Employment. Will the offered system be used in employment-decision contexts within scope of EU AI Act (Annex III §4 (high-risk: employment management))? If yes, identify the specific employment decisions (hiring / monitoring / termination / promotion) and the assessment evidence you will provide.
(Cite: Annex III §4 (high-risk: employment management))
AI in Healthcare. Will the offered system be used in clinical decision-support, diagnostic, or medical-device contexts within scope of EU AI Act (Annex III §5(a) (high-risk: essential services) + MDR overlap)? Identify regulatory clearances (e.g., MDR / FDA / MHRA) held and any open conformity-assessment items.
(Cite: Annex III §5(a) (high-risk: essential services) + MDR overlap)
AI in Criminal Justice. Will the offered system be used in law-enforcement, predictive-policing, risk-assessment, or sentencing-support contexts within scope of EU AI Act (Annex III §6 (high-risk: law enforcement))? Provide jurisdictional authorisation evidence + impact-assessment outputs.
(Cite: Annex III §6 (high-risk: law enforcement))
AI in Education. Will the offered system be used in automated grading, proctoring, or student-data analytics within scope of EU AI Act (Annex III §3 (high-risk: educational access))? Identify the educational stages covered and the human-oversight model.
(Cite: Annex III §3 (high-risk: educational access))
Compute-Threshold Reporting. Does the offered system meet the compute / training-cost reporting thresholds named in EU AI Act (Art. 52 + Annex XIII (10²⁵ FLOP presumption))? If yes, attach the most recent submitted report (redacted as needed) or confirm submission status.
(Cite: Art. 52 + Annex XIII (10²⁵ FLOP presumption))
Transparency Obligations. Provide the documentation required under the transparency obligations of EU AI Act (Arts. 13, 50 (transparency obligations)) — including (as applicable) model card, system card, training-data summary, evaluation results, and known limitations.
(Cite: Arts. 13, 50 (transparency obligations))
Individual Redress. Describe the end-user redress + complaint channel offered for the system, including documented appeal path and response-time commitment, consistent with EU AI Act (Art. 85 (right to lodge complaints)).
(Cite: Art. 85 (right to lodge complaints))
Open-Weight Frontier Release. Are the model weights powering the offered system released under an open-weight licence? If yes, identify the licence + any restrictions under EU AI Act (Art. 53(2) + Recital 102/104 — explicit open-source GPAI exemption (with caveats for systemic-risk models)).
(Cite: Art. 53(2) + Recital 102/104 — explicit open-source GPAI exemption (with caveats for systemic-risk models))
Synthetic Content Provenance. Does the offered system generate or substantially modify audio / video / image / text in ways requiring disclosure or machine-readable provenance under EU AI Act (Art. 50(2) — provider machine-readable marking obligation; Art. 50(4) — deployer disclosure for deep fakes (distinct from the `deepfakes` topic which focuses on misuse-harms))? Describe the disclosure + provenance mechanisms implemented and their robustness against removal.
(Cite: Art. 50(2) — provider machine-readable marking obligation; Art. 50(4) — deployer disclosure for deep fakes (distinct from the `deepfakes` topic which focuses on misuse-harms))

4. Documentation enclosures expected

Tick each enclosure attached to the vendor response. Missing enclosures should be explained in the “Variances” field below.

Transparency documentation (per-instrument schema)
End-user redress + complaint-channel procedure
Copies of submitted regulatory reports / registrations
Vendor company registration + insurance certificates
Sub-processor / supply-chain list (including model upstream)

Variances (enclosures not attached + reason)

5. Vendor attestation

The undersigned, on behalf of the vendor, attests that the disclosures above are true and complete to the best of their knowledge at the date signed, and undertakes to notify the buyer in writing within 30 days of any material change to those disclosures.

Signatory name

Signatory role / title

Signature

Date

This is a sample form derived from the catalog at /wiki/eu-ai-act. Adapt before issuing. Not legal advice; not jurisdiction-specific. See charter §7.4.

EU AI Act — vendor disclosure form

3. Provision-specific questions

Foundation Models / GPAI. Does the offered system meet the threshold for a general-purpose / foundation model under EU AI Act (Arts. 51-55 (general-purpose AI + systemic risk))? If yes, identify the specific obligations you will satisfy and the evidence you will provide.

(Cite: Arts. 51-55 (general-purpose AI + systemic risk))

Biometric Identification. Does the offered system perform biometric identification within scope of EU AI Act (Art. 5(1)(h) prohibition + Art. 26(10) post-hoc rules)? If yes, declare which sub-class applies (real-time / post-hoc / categorisation) and the legal basis under which it is offered for deployment.

(Cite: Art. 5(1)(h) prohibition + Art. 26(10) post-hoc rules)

Deepfakes / Synthetic Content. Does the offered system generate or substantially modify audio / video / image / text in ways requiring disclosure or machine-readable provenance under EU AI Act (Art. 50(4) (disclosure obligation for deep fakes))? Describe the disclosure + provenance mechanisms implemented and their robustness against removal.

(Cite: Art. 50(4) (disclosure obligation for deep fakes))

AI in Employment. Will the offered system be used in employment-decision contexts within scope of EU AI Act (Annex III §4 (high-risk: employment management))? If yes, identify the specific employment decisions (hiring / monitoring / termination / promotion) and the assessment evidence you will provide.

(Cite: Annex III §4 (high-risk: employment management))

AI in Healthcare. Will the offered system be used in clinical decision-support, diagnostic, or medical-device contexts within scope of EU AI Act (Annex III §5(a) (high-risk: essential services) + MDR overlap)? Identify regulatory clearances (e.g., MDR / FDA / MHRA) held and any open conformity-assessment items.

(Cite: Annex III §5(a) (high-risk: essential services) + MDR overlap)

AI in Criminal Justice. Will the offered system be used in law-enforcement, predictive-policing, risk-assessment, or sentencing-support contexts within scope of EU AI Act (Annex III §6 (high-risk: law enforcement))? Provide jurisdictional authorisation evidence + impact-assessment outputs.

(Cite: Annex III §6 (high-risk: law enforcement))

AI in Education. Will the offered system be used in automated grading, proctoring, or student-data analytics within scope of EU AI Act (Annex III §3 (high-risk: educational access))? Identify the educational stages covered and the human-oversight model.

(Cite: Annex III §3 (high-risk: educational access))

Compute-Threshold Reporting. Does the offered system meet the compute / training-cost reporting thresholds named in EU AI Act (Art. 52 + Annex XIII (10²⁵ FLOP presumption))? If yes, attach the most recent submitted report (redacted as needed) or confirm submission status.

(Cite: Art. 52 + Annex XIII (10²⁵ FLOP presumption))

Transparency Obligations. Provide the documentation required under the transparency obligations of EU AI Act (Arts. 13, 50 (transparency obligations)) — including (as applicable) model card, system card, training-data summary, evaluation results, and known limitations.

(Cite: Arts. 13, 50 (transparency obligations))

Individual Redress. Describe the end-user redress + complaint channel offered for the system, including documented appeal path and response-time commitment, consistent with EU AI Act (Art. 85 (right to lodge complaints)).

(Cite: Art. 85 (right to lodge complaints))

Open-Weight Frontier Release. Are the model weights powering the offered system released under an open-weight licence? If yes, identify the licence + any restrictions under EU AI Act (Art. 53(2) + Recital 102/104 — explicit open-source GPAI exemption (with caveats for systemic-risk models)).

(Cite: Art. 53(2) + Recital 102/104 — explicit open-source GPAI exemption (with caveats for systemic-risk models))

Synthetic Content Provenance. Does the offered system generate or substantially modify audio / video / image / text in ways requiring disclosure or machine-readable provenance under EU AI Act (Art. 50(2) — provider machine-readable marking obligation; Art. 50(4) — deployer disclosure for deep fakes (distinct from the `deepfakes` topic which focuses on misuse-harms))? Describe the disclosure + provenance mechanisms implemented and their robustness against removal.

(Cite: Art. 50(2) — provider machine-readable marking obligation; Art. 50(4) — deployer disclosure for deep fakes (distinct from the `deepfakes` topic which focuses on misuse-harms))

4. Documentation enclosures expected

Tick each enclosure attached to the vendor response. Missing enclosures should be explained in the “Variances” field below.

Transparency documentation (per-instrument schema)

End-user redress + complaint-channel procedure

Copies of submitted regulatory reports / registrations

Vendor company registration + insurance certificates

Sub-processor / supply-chain list (including model upstream)