AI vendor questionnaire for EU AI Act due diligence
Vendors rarely give all relevant answers in one place. A lightweight questionnaire helps deployers classify risk faster and forces evidence into the open earlier.
A strong AI vendor questionnaire clarifies roles, classification, transparency measures, AI literacy support, and documentation availability early in procurement. It turns vague marketing claims into concrete evidence aligned with the EU AI Act’s current obligations for providers and deployers. Use it in RFPs, vendor evaluation, onboarding, and renewals to surface gaps before contracts are signed.[1][2]
This template focuses on operational due diligence: product classification (AI system vs. GPAI model), provider/deployer splits, Article 50 transparency duties (where relevant), AI literacy measures (Article 4), technical documentation and logs, authorised representatives for non-EU providers, subcontractors, model provenance, and known limitations. It includes a ready-to-use question bank, scoring rubric, red-flag guidance, real-world examples, and evidence-request language so procurement teams can act decisively without promising compliance or offering legal advice.
Current law status (May 2026)
Article 4 (AI literacy) and prohibitions have applied since 2 February 2025. GPAI model obligations (technical documentation, information to downstream providers, copyright policy, training-content summary, authorised representative requirements) have applied since 2 August 2025. Article 50 transparency obligations for certain AI systems (interactive, generative content marking/labelling, deepfake disclosure) apply from 2 August 2026. High-risk system rules follow shortly thereafter. This questionnaire helps organisations gather evidence for obligations already in force and those imminent. Always consult primary sources such as the consolidated Regulation text and official AI Act Service Desk guidance. No future amendments or Digital Omnibus proposals are reflected here as current law.[1][2]
Why procurement needs this
Legal uncertainty around AI quickly becomes shared risk. When a vendor places an AI system or GPAI model on the EU market, they typically bear provider obligations; your organisation, as deployer, inherits duties around use, oversight, transparency, and AI literacy. Ambiguity on who is the “provider under whose name it is placed on the market” can leave your team exposed to documentation gaps, inadequate marking of AI-generated content, or insufficient staff training.[3]
A targeted questionnaire belongs in three procurement moments:
- Vendor evaluation and RFP: Surface classification and capability claims before shortlisting.
- Onboarding and contracting: Require named owners, evidence artefacts, and flow-down obligations for subcontractors.
- Renewals and monitoring: Re-test whether the vendor’s implementation has matured as Article 50 transparency rules approach full application.
Without structured questions, vendors rarely volunteer limitations, provenance details, or concrete support for your Article 4 AI literacy obligations. Early evidence requests reduce downstream rework, support internal risk assessments, and demonstrate reasonable due diligence to auditors or national market surveillance authorities. This is not certification theatre — it is practical readiness and evidence collection.
See also: Provider versus deployer under the EU AI Act and AI system versus GPAI model: the distinction that changes obligations.
The question bank by topic
Group questions by topic and always request supporting artefacts (technical documentation, policy excerpts, sample outputs, training materials, or summaries). Ask vendors to name the responsible owner for each area.
Product classification and role split
Is this an AI system, a GPAI model, or both? Who is the provider under whose name it is placed on the market?
Use the Commission’s guidelines on the AI system definition and GPAI criteria (e.g., significant generality, wide range of tasks, indicative training compute thresholds). Clarify if the vendor develops the model, fine-tunes it significantly, or merely integrates and distributes it.
Article 50 transparency obligations
Which Article 50 duties are relevant to this product and how are they implemented? How do you support deployers with marking, labelling, or user notifications for generative or interactive outputs?
Relevant for chatbots, image generators, deepfake tools, or text-to-content systems. Request details on machine-readable marking (metadata, watermarks, fingerprints), detectability, and any exceptions claimed. Reference the developing Code of Practice on marking and labelling of AI-generated content.[4]
AI literacy support
What training, guidance, or materials do you provide to our staff and other persons operating or overseeing the system? How is content tailored to our use case, technical knowledge level, and the risks involved?
This directly supports your Article 4 obligations. Good responses reference skills, knowledge of opportunities/risks, limitations, and human oversight needs. No certificate is required — focus on practical, context-specific materials.[3]
Documentation, logs, and technical materials
What technical documentation, automatically generated logs, model cards, training-content summaries, or other materials can you share under appropriate confidentiality terms?
For GPAI providers this includes the mandatory summary of training content and technical documentation available to the AI Office or downstream providers. For high-risk contexts, request record-keeping and post-market monitoring artefacts.
Representative status, subcontractors, and provenance
If you are established outside the EU, what authorised representative or distribution setup exists in the Union? How do you manage subcontractors or sub-processors, and what visibility do you provide into model provenance and data sources?
Article 54 requires authorised representatives for non-EU GPAI providers. Ask for flow-down of obligations and any copyright policy details.
Known limitations and residual risks
What are the known limitations, performance characteristics, potential biases, and residual risks of this system or model?
Request evidence-based answers with testing data or evaluation reports rather than generic disclaimers.
Vendor questionnaire matrix
| Question | Why it matters | Good answer signals | Red flags |
|---|---|---|---|
| Is this an AI system, GPAI model, or both? | Determines applicable obligations (GPAI documentation and transparency vs. deployer duties). Official guidelines provide criteria. | References Article 3 definitions, Commission guidelines on AI system definition or GPAI scope, supplies supporting technical rationale or compute details. | “It’s just software / not really AI”, confuses system and model, or ignores generality criteria. |
| Who is the provider under whose name it is placed on the market? | Establishes primary responsibility for technical documentation, information to downstream providers, and representative requirements. | Clear statement of legal entity, named contact, reference to Provider versus deployer under the EU AI Act concepts, evidence of provider obligations fulfilled. | Vague “we’re partners” language, role confusion, or refusal to clarify placement on the market. |
| Which Article 50 duties are relevant and how are they implemented? | Addresses transparency risks of deception or misinformation for interactive, generative, or deepfake systems. Applies from August 2026. | Details specific technical solutions (metadata, watermarking, logging), user notification processes, alignment with Code of Practice drafts, exceptions justified with reasoning. | Generic “we are transparent” claims, no artefacts, vague on deepfake labelling or machine-readable marking. |
| What training or guidance do you provide to our staff? | Supports deployer Article 4 AI literacy obligations tailored to context and use case. | Provides sample materials, role-specific modules on limitations/risks/human oversight, offers customisation for your sector (e.g. marketing or recruitment). | “Our product is intuitive” or one-size-fits-all video with no assessment of knowledge transfer. |
| What documentation, logs, or technical materials can you share? | Enables your own compliance, oversight, and audit readiness. | Offers technical documentation, GPAI training-content summary, log samples, model cards, or data sheets under NDA. | “All available on our website” without specifics or “proprietary — trust us”. |
| If outside the EU, what representative or distribution setup exists? | Ensures enforceability and single point of contact for GPAI providers (Article 54). | Names EU authorised representative, provides contact details and scope of mandate. | No representative appointed or unclear on responsibilities. |
Expand this matrix in your own procurement template with additional rows on subcontractors, incident reporting, and post-market monitoring where relevant to the vendor’s classification.
How to score answers
Score each response independently before vendor discussions. Require evidence within a defined timeframe (e.g., 10 business days). Combine scores into an overall traffic-light view.
Scoring rubric
| Score | Meaning | Procurement action |
|---|---|---|
| Green | Comprehensive, specific, references relevant AI Act provisions or guidelines, provides or offers concrete artefacts (documentation, samples, policies, named owners). Demonstrates realistic understanding of provider/deployer split and upcoming Article 50 duties. | Proceed with confidence. Incorporate evidence into your internal records. Request full technical package and include strong contractual flow-down clauses. Low ongoing monitoring priority. |
| Amber | Partial answers, some evidence offered but gaps in specificity, role clarity, or limitations disclosure. Literacy materials exist but are not tailored. | Request targeted follow-up evidence and named owner discussion. Consider conditional approval with milestones (e.g., delivery of marking implementation plan before go-live). Medium monitoring. |
| Red | Evasive language, marketing copy only, role confusion, refusal to share documentation, “not AI” claims, no named owner, or vague deepfake/transparency commitments. No artefacts or contradictory statements. | High risk. Escalate to legal/compliance. Seek alternative vendors or undertake deeper technical due diligence and contractual protections. Re-score after remediation attempts. |
Document the score, evidence received, and any follow-up questions. Re-score at renewal or after material vendor updates.
What bad answers look like
Vendors rarely lie outright; they default to marketing language that obscures obligations.
- Marketing copy without artefacts: “Our platform is fully compliant and transparent.” (No technical documentation, no marking details, no literacy materials attached.)
- Role confusion: “We’re both the provider and the deployer — you don’t need to worry about anything.” This blurs the provider/deployer split and leaves your organisation exposed to deployer duties under Article 50 or Article 4 without support. See Provider versus deployer under the EU AI Act.
- “Not AI” evasions: “This is just automation / rules-based software”, said of a product that uses machine learning for classification, generation, or decision support. This contradicts the functional AI system definition in official guidelines.
- Vague deepfake/transparency answers: “Users will know it’s AI” or “We use industry-standard watermarks” without describing machine-readable formats, detectability testing, labelling placement for deepfakes, or how they handle Article 50(4) disclosures for public-interest text. Especially risky for image-generation or chatbot vendors.
- No named owner: Every question answered by “our legal team” with no single point of contact for technical or compliance follow-up.
Example 1: Chatbot vendor
Bad: “Our AI chatbot is intuitive and users love it. Transparency is built in.”
Good: Names the GPAI model provider, supplies the training-content summary, describes how the interactive system informs users it is not human (unless obvious), shares sample conversation logs, and offers AI literacy modules on prompt engineering risks and output verification.
Example 2: HR screening vendor
Bad: “Our tool helps recruiters save time and is bias-free.”
Good (or at least amber moving to green): Clarifies whether the system is high-risk under Annex III (recruitment), provides data governance details, shares technical documentation on fairness testing, offers literacy training on human oversight requirements, and names the compliance owner. Red if they deny any AI Act relevance despite profiling or automated decision support.
Example 3: Image-generation vendor for marketing teams
Bad: “All outputs are clearly marked and safe for commercial use.”
Good: Details implementation of Article 50(2) machine-readable marking and detection mechanisms (metadata plus a visible EU icon where appropriate), provides evidence of robustness testing, shares limitations (e.g., style biases, inability to generate certain content accurately), supplies literacy materials on disclosure duties for deepfakes or marketing content, and confirms an authorised representative if non-EU. Vague answers on labelling placement or exceptions for artistic works are red flags.[4]
Common mistakes
- Accepting narrative responses without artefacts or named owners.
- Treating every vendor identically instead of scaling questions to classification (GPAI vs. narrow AI system vs. high-risk).
- Ignoring Article 50 implications for generative tools used in marketing or internal communications.
- Failing to link vendor answers to your own AI literacy programme or transparency disclosures.
- Not revisiting responses at contract renewal after the August 2026 transparency application date.
- Confusing “vendor says they are compliant” with evidence of implementation.
Action checklist
- Integrate the matrix and scoring rubric into your standard RFP and vendor onboarding templates.
- Require evidence upload with every response; set a default 10-day turnaround.
- Assign a cross-functional reviewer (procurement, legal, AI lead) for scoring.
- Map vendor responses to your internal risk register and AI literacy plan.
- Schedule re-assessment triggers: major model updates, contract renewal, or regulatory milestones (e.g., post-August 2026).
- Store artefacts centrally for audit readiness.
- Share anonymised lessons learned internally to improve future questionnaires.
- For promising vendors, request a joint workshop on Article 50 implementation or literacy support.
Next step
Use the Evidence Scanner to upload vendor responses and receive an automated gap analysis against current AI Act requirements, or download the full editable AI Vendor Questionnaire template and scoring spreadsheet. Start building your evidence base today at EU AI Act Evidence Scanner.
FAQ
Should this sit inside procurement?
Yes — procurement is best placed to embed it in RFPs, scoring, and contracts, with support from legal, compliance, and AI risk owners. It is not purely a legal exercise.
Can small vendors still answer this well?
Many can. Good small vendors often provide clearer, more honest answers and concrete artefacts precisely because they have less marketing overhead. Refusal to engage is itself a data point.
What if a vendor refuses to share documentation?
Treat it as a red flag. Request redacted or summary versions under NDA. Persistent refusal on technical documentation or training-content summaries (for GPAI) should prompt consideration of alternative suppliers or enhanced contractual protections and monitoring.
How does this link to Article 50 and literacy?
Article 50 transparency duties fall on both providers (marking outputs) and deployers (informing users in certain cases). Article 4 requires you to ensure sufficient AI literacy of staff and relevant third parties. Vendor responses supply the raw materials — training content, limitation disclosures, and marking guidance — that let you fulfil those duties effectively. See also Article 50 transparency obligations explained, Chatbots and the EU AI Act and Recruitment AI and the EU AI Act.
Sources (official and primary only)
- Regulation (EU) 2024/1689 (consolidated text) – eur-lex.europa.eu
- AI Act Service Desk timeline and Article 50, Article 54, Article 113 pages – ai-act-service-desk.ec.europa.eu
- Guidelines on obligations for providers of general-purpose AI models and related FAQs – digital-strategy.ec.europa.eu
- AI literacy Q&A and talent/skills page – digital-strategy.ec.europa.eu
- Guidelines on the AI system definition and prohibited practices – digital-strategy.ec.europa.eu
- Code of Practice on marking and labelling of AI-generated content materials – digital-strategy.ec.europa.eu
All legal statements derive from these primary sources. This page is for operational readiness only and does not constitute legal advice.
Turn this reading into an actionable report
Use the free scanner to map your likely role, detect likely obligations, and see which evidence is missing.