
The EU AI Act puts procurement at the heart of AI governance.

By Rhiannon Craig


Understanding the EU AI Act and Its Impact on Procurement 

In this edition of Compliance Corner, we explore the EU AI Act and what it means for organisations navigating the rapidly evolving landscape of artificial intelligence and regulation. Our aim is to break down what’s changing, why it matters, and how businesses, particularly procurement teams, can prepare in practice. 

🔍 What’s happening? 

The EU AI Act is a new European regulation designed to govern how artificial intelligence (AI) systems are developed, deployed, and used across the EU. It officially came into force on 1 August 2024 and represents the first comprehensive legal framework for AI globally. 

At its core, the Act introduces a risk-based approach, categorising AI systems according to the level of risk they pose to individuals and society.

📊 What’s different? 

Under the EU AI Act, AI systems are classified into four risk categories: 

  • Unacceptable risk – Prohibited uses, such as social scoring and certain types of biometric surveillance  
  • High risk – Systems subject to strict requirements, including risk assessments, documentation, human oversight and ongoing monitoring  
  • Limited risk – Systems requiring transparency, such as informing users when they are interacting with AI  
  • Minimal or no risk – Most everyday AI applications, with limited regulatory obligations  

The Act also introduces specific rules for general-purpose AI models, including large language models. Models that present systemic risk must comply with additional transparency, safety and governance requirements. 

To support implementation and oversight, the EU is establishing dedicated governance bodies, including an AI Office, a Scientific Panel and an AI Board, alongside enforcement by national regulators across EU member states. 

Penalties for non-compliance are significant, with fines of up to 7% of a company’s global annual revenue, depending on the nature and severity of the breach. 

💡 What this could mean for you 

For organisations using or procuring AI-enabled solutions, the EU AI Act introduces a new level of accountability, governance, and due diligence.

Procurement functions, in particular, will play a critical role in ensuring compliance across the supply chain. In practice, this may involve: 

  • Embedding AI-specific compliance checks into procurement processes
  • Updating supplier questionnaires and evaluation criteria 
  • Requesting clearer documentation and evidence from vendors 
  • Reviewing and updating contractual terms and conditions 
  • Putting in place ongoing monitoring and compliance controls 
  • Upskilling teams to understand AI-related risks and obligations

These changes reinforce procurement’s role as a key control point in managing regulatory, reputational, and operational risk. 

📅 What’s next? 

The EU AI Act will be implemented in phases: 

  • February 2025 – Prohibitions on unacceptable-risk AI systems begin to apply
  • August 2025 – Rules for general-purpose AI models and governance requirements take effect
  • Up to August 2027 – Full compliance deadlines apply for high-risk AI systems

With these milestones approaching, organisations should begin preparing now by reviewing their AI use cases, supplier landscape, and internal governance arrangements to ensure they are ready. 

The Open Take 

The EU AI Act signals a clear shift in how organisations must approach AI, moving from innovation-first to governance-led adoption.

For procurement teams, this reinforces a growing responsibility: not just to source solutions, but to ensure those solutions meet evolving regulatory, ethical and operational standards. 

Organisations that embed AI governance into procurement processes early will be better positioned to manage risk, maintain compliance and build more resilient supplier relationships. 

This article forms part of our Compliance Corner series, sharing practical insights on procurement, ESG & energy, sustainability, and regulatory change to support organisations navigating an evolving compliance landscape. 

If you’d like to explore how these developments could impact your organisation, speak to our team. 

 
