Model Contractual Clauses for AI Procurement in the EU: Key Takeaways
The European Commission (EC) has released an updated version of the Model Contractual Clauses for AI Procurement (MCC-AI). This updated guidance is crucial for public-sector buyers who navigate AI procurement under the European Union Artificial Intelligence Act (EU AI Act). However, these clauses also serve as a valuable tool for private organizations aiming to meet their legal obligations when procuring or providing AI systems, particularly those classified as high-risk.
Background
The initial version of the MCC-AI was published in September 2023, in anticipation of the EU AI Act. It provided a structured approach to AI procurement. Following the official enactment of the EU AI Act on June 13, 2024, the EC has refined these model clauses to ensure alignment with regulatory requirements. The updated publication now includes:
- A full version for high-risk AI systems.
- A light version for non-high-risk AI systems.
- A commentary explaining how to adapt and implement the clauses.
Importance of MCC-AI for Companies
The MCC-AI provides a framework for companies procuring or providing AI services, establishing a common minimum standard of obligations. These clauses help ensure both parties align on key compliance aspects—such as transparency, risk management, and accountability—in line with the EU AI Act.
Organizations that incorporate MCC-AI clauses tailored to their needs can streamline negotiations, reduce legal uncertainties, and demonstrate regulatory readiness. This proactive approach is particularly beneficial in a rapidly evolving legal landscape, where AI governance requirements are still in development.
Who Issues and Uses the MCC-AI?
The MCC-AI has been issued by the Public Buyers Community Platform, which aims to foster collaboration in public procurement across the EU. This platform serves as a dedicated space for European public procurers and the EC to connect, share insights, and drive innovation in public purchasing.
While the MCC-AI is designed primarily for public-sector organizations procuring AI solutions, private entities can adapt it on a clause-by-clause basis. The full version applies to high-risk AI systems, which are those posing significant risks to health, safety, or fundamental rights, as defined in Chapter III of the EU AI Act. The light version is tailored for non-high-risk AI systems and addresses procurement considerations such as transparency and data governance.
Implementation of MCC-AI
The MCC-AI clauses are intended to be annexed to procurement contracts rather than functioning as standalone agreements. They specifically address issues related to AI systems and the EU AI Act, excluding obligations arising from other applicable legislation, such as intellectual property or payment terms.
Coverage of MCC-AI
The MCC-AI are structured around several key legal and operational obligations, including:
- AI system requirements: Ensuring compliance with fundamental legal and ethical standards.
- Supplier obligations: Defining transparency, risk management, and compliance expectations.
- Data governance: Establishing rights over data sets used in AI development.
- Audit and accountability: Mechanisms for monitoring AI systems.
- Costs and liabilities: Clarifying financial responsibilities for implementation and compliance.
Additionally, the annexes provide templates for describing AI system use cases, defining data governance frameworks, and documenting compliance measures.
Differences Between MCC and SCC
It is essential to differentiate between the European Commission standard contractual clauses (SCCs) and the MCC-AI. The SCCs are legally binding templates designed to ensure that personal data transferred outside the European Economic Area (EEA) complies with the General Data Protection Regulation (GDPR), imposing specific data protection obligations on the involved parties.
| Criteria | Model Contractual Clauses (MCCs) | Standard Contractual Clauses (SCCs) |
|---|---|---|
| Purpose | Provide a contractual framework for industry-specific regulations, such as AI governance | Ensure GDPR compliance for international data transfers |
| Legal basis | Based on industry best practices or regulatory guidance (e.g., EU AI Act) | Required under Article 46 of the GDPR for data transfers outside the EEA |
| Mandatory use | Optional, used as guidance or as an annex to an existing contract | Mandatory for data transfers to third countries without an adequacy decision |
| Regulatory scope | Covers obligations related to the procurement of AI services | Exclusively focuses on personal data protection and GDPR compliance |
| Applicability | Can be used in various industries (e.g., AI contracts, software agreements) | Applies only to cross-border personal data transfers outside the EEA |
| Enforceability | Only binding if included in a contract between parties | Legally binding under the GDPR when used for data transfers |
| Key provisions | Covers AI ethics, liability, transparency, and compliance | Covers data security, third-party obligations, audit rights, and data subject rights |
| Flexibility | Can be customized or supplemented by other contract terms | Must be used as-is, with limited modifications allowed |
| Annexed to contracts? | Yes, typically annexed to broader agreements | Yes, attached to contracts governing data transfers |
Key Takeaways
For organizations providing AI systems, tailoring the MCC-AI to their business enhances credibility and trust with customers, showcasing a commitment to responsible AI practices. For buyers, these clauses offer a baseline level of protection, ensuring that procured AI solutions meet essential ethical and legal standards.
Furthermore, since the MCC-AI can be annexed to existing agreements, they provide flexibility while maintaining consistency across contracts. This approach not only facilitates smoother transactions but also minimizes disputes, as both parties operate under a shared understanding of AI-related obligations from the outset.
