Vendor Due Diligence for AI Systems: What to Ask

When you deploy AI systems from third-party vendors, you inherit compliance responsibilities. Your vendors need to support—not hinder—your EU AI Act compliance.

The Vendor Compliance Questions

AI System Documentation

1. Can you provide technical documentation of your AI system?
2. What is the intended purpose and scope of use?
3. What are the known limitations of the system?
4. Do you provide instructions for use?

Risk Classification

1. Have you classified your AI system under the EU AI Act?
2. What is the classification result?
3. Can you share your classification reasoning?
4. Do you have prohibited practices screening results?

High-Risk Obligations (if applicable)

1. Is the system registered in the EU database?
2. Do you have a conformity assessment?
3. What quality management system is in place?
4. Can you provide the CE marking documentation?

Data and Privacy

1. What data does the AI system process?
2. Where is data stored and processed?
3. What data retention policies apply?
4. Do you have a DPA that covers AI processing?

Transparency

1. What transparency notices should we provide to users?
2. Are outputs marked as AI-generated (if applicable)?
3. What information should we disclose to affected persons?

Logging and Monitoring

1. What logs does the system generate?
2. How long are logs retained?
3. Can we export logs on demand?
4. What monitoring capabilities are available?

Incident Response

1. What is your incident response process?
2. How will you notify us of issues?
3. What is your SLA for critical issues?
4. How do we report concerns to you?

Ongoing Compliance

1. How do you stay current with EU AI Act requirements?
2. Will you provide compliance updates?
3. What happens if the system needs modification for compliance?

Get the Full Questionnaire

Download our Vendor Due Diligence Questionnaire to use in your procurement process.