The European Commission (EC) has released an updated version of the Model Contractual Clauses for AI Procurement (MCC-AI), providing further guidance for public-sector buyers navigating AI procurement under the European Union Artificial Intelligence Act (EU AI Act). However, these clauses also serve as a practical tool to help any private organisation meet their legal obligations when providing or procuring AI systems, particularly high-risk AI solutions.
Background
The first version of the MCC-AI was published in September 2023 in anticipation of the EU AI Act, offering a structured approach to AI procurement. With the EU AI Act officially enacted on 13 June 2024, the EC has now refined these model clauses to ensure greater alignment with regulatory requirements. The new publication includes:
- A full version for high-risk AI systems.
- A light version for non-high-risk AI systems.
- A commentary explaining how to adapt and implement the clauses.
Why should companies get acquainted with the MCC-AI?
The MCC-AI provides a valuable framework for companies procuring or providing AI services by establishing a common, minimum standard of obligations. These clauses help ensure that both parties align on key compliance aspects – such as transparency, risk management and accountability – in line with the EU AI Act.
Organisations incorporating MCC-AI clauses tailored to their needs, contracts and businesses can streamline negotiations, reduce legal uncertainties and demonstrate regulatory readiness.
This is particularly beneficial in an evolving legal landscape where AI governance requirements are still developing, as it helps companies proactively address potential risks and responsibilities.
Who has issued the MCC-AI?
The MCC-AI have been issued by the Public Buyers Community Platform, designed to foster collaboration in public procurement across the EU. It serves as a dedicated space where European public procurers and the EC can connect, share insights and drive innovation in public purchasing. The clauses are to be considered as a working document in progress and do not reflect an official position of the EC.
Who should use the MCC-AI?
The MCC-AI are designed for public-sector organisations procuring AI solutions, but they can be selectively adapted by private entities on a clause-by-clause basis.
- The full version applies to high-risk AI systems as defined in Chapter III of the EU AI Act – AI systems that pose significant risks to health, safety or fundamental rights.
- The light version is tailored for non-high-risk AI systems, but still addresses key procurement considerations, such as transparency, risk management and data governance.
Even in cases where the AI system poses no clear risks, the MCC-AI commentary suggests that contracting authorities include contractual safeguards around:
- Risk management frameworks
- Data governance and usage rights
- Technical documentation and audit mechanisms
- AI registers for accountability
How should the MCC-AI be executed?
The clauses are designed to be annexed to procurement contracts rather than functioning as stand-alone agreements. The MCC-AI includes only provisions specific to AI systems and issues covered by the EU AI Act. It does not address obligations or requirements arising from other applicable legislation. For instance, it does not cover intellectual property, acceptance, payment, delivery deadlines, applicable law or liability.
What do the MCC-AI cover?
The MCC-AI are structured around key legal and operational obligations, including:
- AI system requirements: Ensuring compliance with fundamental legal and ethical standards.
- Supplier obligations: Defining transparency, risk management and compliance expectations.
- Data governance: Establishing rights over data sets used in AI development.
- Audit and accountability: Setting up mechanisms for AI system monitoring.
- Costs and liabilities: Clarifying financial responsibilities for implementation and compliance.
Additionally, the annexes provide templates for describing AI system use cases, defining data governance frameworks and documenting compliance measures.
What are the differences between the European Commission standard contractual clauses and the MCC-AI?
The EU standard contractual clauses (SCCs) are legally binding contract templates issued by the EC to ensure that personal data transferred outside the European Economic Area (EEA) complies with the General Data Protection Regulation (GDPR). They impose specific data protection obligations on the parties involved.
The table below outlines the key differences between model contractual clauses (MCCs) and SCCs for data transfers. Although they serve different purposes, they may be included in the same agreement:
Key takeaways
For organisations providing AI systems, tailoring the MCC-AI to their business enhances credibility and trust with customers by showing a commitment to responsible AI practices.
For buyers, these clauses offer a baseline level of protection, ensuring that the procured AI solutions meet essential ethical and legal standards. Additionally, since the MCC-AI can be annexed to existing agreements, they provide flexibility while maintaining consistency across contracts. This not only facilitates smoother transactions but also minimizes disputes, as both parties operate under a shared understanding of AI-related obligations from the outset.
[View source.]
