What the EU AI Act Means for Public Procurement

The AI Act is a single regulation that switches on in phases rather than all at once. It entered into force on 1 August 2024. The first prohibitions, on uses such as social scoring and untargeted facial-image scraping, plus a duty to ensure staff have basic AI literacy, applied from 2 February 2025. Rules for general-purpose AI models and the governance and penalty framework followed on 2 August 2025.

2 August 2026 is the heavy date. From then, the full set of obligations for high-risk AI systems listed in Annex III applies, and the Commission can enforce the general-purpose AI rules, including fines. A final tranche, covering high-risk AI embedded in already-regulated products such as medical devices and machinery, follows on 2 August 2027. If you are planning AI procurement on the European market, see how the wider rules sit alongside the Commission's own overview of the AI Act and our guide to EU government tenders.

The staggered timeline is deliberate. It gives providers and public buyers time to classify their systems and put controls in place before the strict obligations bite. The table on this page lists each milestone and what it unlocks, drawn from the official implementation timeline maintained by the European Commission.

The key point for procurement teams is that the obligations are tied to the role you play and the risk class of the system, not to whether a contract is public or private. A public authority can be a deployer of a high-risk system bought from a vendor, while the vendor is the provider. Both carry duties, and the contract between them is where those duties get allocated. That is why the contract terms, covered further down, have become the practical centre of AI procurement.

This is also why the date discipline matters. A system that is only being scoped now will likely be procured, delivered, and operating after 2 August 2026, so it has to be specified against the rules that will be live by then, not the lighter regime in place today. Buyers who write a tender to last year's understanding of the Act risk awarding a contract they cannot lawfully run, and suppliers who price against the wrong obligations risk winning work they cannot deliver on margin. Reading the timeline as a procurement planning tool, rather than a compliance afterthought, is the single most useful habit before the deadline.

There are two distinct procurement questions, and confusing them is the most common mistake.

The first is buying AI. When a public body procures an AI system, say a chatbot for citizen services or a model that screens benefit applications, the Act decides whether that system is high-risk and which obligations the buyer inherits as a deployer. This is where most of the new compliance work lands, and it affects the technical specification, the evaluation criteria, and the contract.

The second is using AI inside the procurement process. Buyers increasingly use software to triage suppliers, and suppliers use tools to find and respond to tenders. Here the question is narrower: does the specific use fall into an Annex III category? Usually it does not. Knowing which question you are answering keeps the compliance effort proportionate. For the supplier side of that second question, compare AI tender matching against manual search and read how AI is changing government contracting.

Annex III lists eight areas where an AI system is treated as high-risk: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential public and private services and benefits, law enforcement, migration and border control, and the administration of justice and democratic processes. Public procurement is not on that list. So a tool that scans portals and surfaces relevant notices, or ranks them by fit, is not high-risk simply because a public body is involved.

That does not make AI in procurement a free zone. If a buyer used an automated system to score or reject suppliers in a way that affected their access to an essential service, the analysis would be different, and the general transparency duties still apply where people interact with AI. The honest summary is that discovery and matching tools sit outside the high-risk regime, while automated decision-making that determines who wins or loses needs a careful, case-by-case look. Being precise here matters, because a lot of vendor marketing overstates the obligations.

The most useful procurement artifact to come out of this is not in the Act itself. The European Commission's Community of Practice on Public Procurement of AI publishes Model Contractual Clauses, known as the MCC-AI, in two versions: one for high-risk systems and a lighter set for everything else. They translate the Act's obligations into contract language a buyer can attach to a tender, covering transparency, risk management, data governance, human oversight, and the supplier's duty to help explain AI-driven outcomes.

The clauses are voluntary and meant to be tailored, but they are increasingly showing up in real European tenders as a baseline. For suppliers, that means AI-related contract terms are becoming a normal part of bids, and reading them early is part of qualifying a tender. You can review the latest set through the EU Public Buyers Community on AI procurement. For how clauses like these fit a structured bid, see our guide to responding to a tender.

If you sell into European public bodies, the practical steps are concrete. First, classify what you actually provide. If your product is a general-purpose model or a high-risk system, you carry provider obligations and should have documentation, logging, and a quality management approach ready before 2 August 2026. If it is an ordinary SaaS tool, the burden is far lighter, and saying so plainly is more credible than claiming blanket compliance.

Second, expect AI clauses in tenders and budget time to read them. The MCC-AI terms allocate real responsibilities, including help with explainability and incident reporting. Third, watch for the demand the Act itself is creating. Public bodies across Germany, France, and the Netherlands are tendering AI assurance, conformity assessment, data governance, and AI literacy training, which is a growing line of work for IT consultancies and consulting firms. Catching those notices early is the difference between shaping a requirement and reacting to it.

On the buyer side, the work starts before the tender goes out. Map any AI you already run or plan to buy against Annex III to decide what is high-risk and what is not, then size the obligations accordingly. Build the relevant duties into the specification and the award criteria rather than bolting them on later, and use the MCC-AI as a starting point for the contract so responsibilities are clear from day one.

Keep a human in the loop on decisions that affect people, and make sure staff who operate the system meet the AI literacy duty that has applied since February 2025. None of this removes the existing procurement rules. EU thresholds, transparency, and timetables still govern how the contract is run, so AI obligations sit on top of the usual framework rather than replacing it. For that framework, see our explainer on EU procurement thresholds for 2026 and how the UK and EU procurement regimes compare after Brexit and the Procurement Act 2023.

The AI Act raises the stakes on not missing the right notice. Both the new AI-assurance work and the everyday contracts you already chase are scattered across dozens of national portals and Tenders Electronic Daily, often published in the local language. Watching them by hand is where opportunities slip, and a keyword filter for artificial intelligence will miss a notice written about machine learning or algorithmic decision support.

Jorpex monitors 50+ public procurement sources and matches them to your business with embedding-based semantic AI rather than literal keywords, so a tender about responsible AI still reaches a supplier who described its work as model governance. You set your sectors, regions, contract value, and disqualifier filters, then receive realtime, daily, or weekly digests in Slack, Microsoft Teams, or email, across 17 languages so a French or German notice does not slip past an English keyword. Plans start at 49 dollars per month for Starter and 149 for Pro, with a 14-day free trial. Jorpex finds and ranks opportunities for you to act on. It does not decide who wins, which is exactly why it sits outside the Act's high-risk regime. See what tender monitoring involves, how multilingual alerts work, or compare tender monitoring tools.