PowerQuantEUSend your AI questionnaire

When a public authority, municipality or region procures and puts an AI system into use, the organisation rarely becomes just a buyer. In the meaning of the AI Act (EU AI Act) you most often become a deployer — the party that uses the system under its own responsibility. This is a role with concrete obligations, and the foundation for meeting them is laid already in the procurement process. This guide shows how you, as a contracting authority, set the right requirements and avoid building a breach of the rules into the contract.

The public authority as deployer

The party that develops an AI system or places it on the market under its own name is a provider. The party that uses the system in its own operations is a deployer. In a procurement, your authority normally becomes the deployer of the system you buy in.

This is particularly important because you are a public-law body. For high-risk AI under Annex III, the regulation sets requirements that are specific to the public sector — above all the fundamental rights impact assessment in Article 27 (FRIA), which must be carried out before the system is put into use.

Set AI Act requirements in the procurement

A deployer cannot meet its obligations without documentation from the provider. Therefore, request in the tender documents:

  • The provider's technical documentation.
  • Instructions for use describing the system's purpose, limitations and requirements for human oversight.
  • Evidence of CE marking and the EU declaration of conformity for high-risk AI.
  • Details of logging functions so that you can retain logs under Article 26.

Without this documentation you risk taking over a system that you cannot lawfully deploy.

Fundamental rights impact assessment (Article 27 FRIA)

Under Article 27, public-law bodies must carry out a fundamental rights impact assessment (FRIA) before a high-risk AI system under Annex III is put into use. The assessment must describe, among other things, the processes in which the system is used, the persons affected, the risks of harm and the measures for human oversight. Plan the FRIA already in the timeline — it is a precondition for deployment, not after-the-fact documentation.

The deployer's obligations (Article 26)

As a deployer of high-risk AI, you are responsible under Article 26 for, among other things:

  • Using the system in accordance with the provider's instructions for use.
  • Ensuring human oversight by competent persons.
  • Monitoring operation and reporting serious incidents.
  • Retaining automatically generated logs.
  • Where necessary, informing affected persons that they are subject to the system.

The division of roles between provider and deployer is clarified in Article 25, which also governs when a deployer can be considered a provider. Set requirements in the contract for role clarity (Article 25), logging, human oversight and incident reporting. Essential services, law enforcement, migration and education are areas in Annex III that are especially relevant to the public sector.

Timeline

  • 2 February 2025: Article 4 (AI literacy) and Article 5 (prohibited practices) in force.
  • 2 August 2026: Article 50 (transparency) and the deployer obligations linked to Annex III start to apply.
  • Proposal — 2 December 2027: The Digital Omnibus proposes to postpone the Annex III obligations. The European Parliament approved the proposal on 16 June 2026, but the Council is awaiting publication in the EU Official Journal. The proposal has not yet entered into force and should be treated as just a proposal.

Penalties

Infringements can become very costly (Article 99):

  • Prohibited practices (Article 5): up to EUR 35 million or 7 % of global annual turnover.
  • Infringements of transparency (Article 50) and high-risk requirements: up to EUR 15 million or 3 %.
  • Incorrect information to authorities: up to EUR 7.5 million or 1 %.

Before the procurement

  • Determine your role: be aware that you will likely become the deployer.
  • Classify the system: is it covered by Annex III?
  • Write documentation requirements (technical documentation, instructions for use, CE) into the tender documents.
  • Plan the Article 27 FRIA before deployment.
  • Regulate role clarity (Article 25), logging, oversight and incident reporting in the contract.
  • Coordinate with the NIS2 cybersecurity requirements for essential and important entities.

PowerQuant is delivered as documentation support: Module 1 (AI inventory + Article 4 register) and Module 2 (Supplier documentation package). Prices are indicative.

This page is general information about the AI Act and does not constitute legal advice.