This article is intended to be a ‘toolbox’ for legal procurement functions (and vendors) to align on the key issues in AI systems contracting. The article:
- explains why the Model Contractual Clauses for AI (MCC-AI) are relevant to private-sector contracting and provides detailed resources,
- contains a table comparing the high-risk and light versions of the MCC-AI, and
- contains a table comparing the MCC-AI to generally-held AI governance principles.
This article also contains links to locally-hosted and bookmarked versions of MCC-AI light, MCC-AI high-risk, and related commentary.
Why should enterprise legal departments care about these MCC-AI clauses?
While designed for public procurement, due to their comprehensive nature, the EU MCC-AI are rapidly becoming a reliable source of best practice standards for private sector AI contracting. They may be influencing your procurement function, and they may be guiding your customers’ procurement functions.
- Emerging Private Sector Standard: As noted by DLA Piper (1), “private sector AI customers may find them of use” and can “incorporate these clauses into their contractual arrangements to align with emerging EU regulatory best practices.”
- Risk Management Blueprint: The MCC-AI provide a battle-tested contractual framework that addresses AI-specific risks in a world where, according to the Society for Computers & Law (2), “the impact of AI on contracts is not straightforward, particularly at this relatively early stage in AI adoption.”
- Extraterritorial Compliance Tool: With the EU AI Act’s global reach affecting any company whose AI systems impact EU markets, these clauses offer what DLA Piper (1) describes as “a valuable operational support to address the issue of contractual governance” for multinational businesses navigating complex regulatory landscapes.
- Supply Chain Due Diligence: For corporations managing vendor relationships, the clauses establish clear supplier obligations that VBB law firm (3) notes “specifically applies to public organisations but also serves as a useful tool for private organisations when procuring AI systems,” helping legal departments implement effective AI governance across their supply chain.
- Litigation Risk Mitigation: Implementing these model clauses demonstrates proactive adoption of recognized standards, potentially reducing liability exposure in a domain where, as Taylor Wessing (4) highlights, specialized organizations like the Society for Computers & Law are developing complementary “AI Act contractual clauses… with the aim of providing high-level guidance around the impact of the EU AI Act on contracts.”
- “The Clauses are not legally binding in and of themselves. They are a voluntary tool, not an official EU legislative document.” (9)
How to use this resource map
The EU AI Act does not explicitly require that organizations use the Model Contractual Clauses for AI (MCC-AI) in their procurement processes, nor does it mandate that contractual clauses be included in the procurement process that specifically address AI.
The purpose of contracts is to practically limit the actual risks and costs of a project or system.
It is always necessary to understand the use case of a system before contracting. Such clauses cannot be a one-size-fits-all solution. In many cases, even the “light” version of the MCC-AI may be overkill.
For example, if a system is generating marketing content for a marketing department that will oversee and bear ultimate responsibility for the content, the risk relates to the effects of what the system will autonomously produce. On the other hand, if the system will gather personal information and construct behavioral profiles, then the potential consequences warrant provisions to address such risks. Specifically, Article 3: Data and Data Governance, in both the MCC-AI-Light and MCC-AI-High-Risk versions, is designed to mitigate privacy risks.
You can use the AI Governance Principles Mapping table below to find the relevant clauses by principle.
If you want to compare approaches between light and high-risk versions of the MCC-AI you can use the Article high-risk/light comparison chart below.
Resource Map
Background on the EU’s Model Contractual Clauses for AI in public-sector procurement (MCC-AI)
The European Union’s Model Contractual Clauses for AI (MCC-AI) are an initiative to standardize and regulate artificial intelligence procurement in the public sector. Developed by the Public Buyers Community in anticipation of the EU AI Act’s full implementation, these clauses provide public organizations with essential contractual frameworks to ensure compliance, transparency, and responsible AI deployment.
The MCC-AI were developed within the Community of Practice on Public Procurement of AI, supported by the European Commission. These clauses “follow largely the requirements and obligations for high-risk AI Systems included in the Chapter III of the Artificial Intelligence Act” (Commentary).
Purposes
The clauses serve a dual purpose:
(a) ensuring public organizations can comply with their AI Act obligations while
(b) providing contractual mechanisms to mitigate risks associated with AI system deployment.
The MCC-AI are “intended to apply until the AI Act is fully applicable,” allowing contracting authorities to anticipate AI Act requirements by incorporating future rules into current contractual relationships (Commentary, Section 2).
A Means to Comply with the AI Act Requirements for High-Risk AI Systems
While the AI Act itself makes compliance with its requirements mandatory for high-risk AI systems, the specific use of the MCC-AI clauses is the European Commission’s recommended path for public bodies to meet these legal obligations. Public organizations can technically draft their own contractual language, but using the MCC-AI-High-Risk version ensures alignment with all regulatory requirements.
High-risk AI systems are those that “may pose a high risk to the health and safety or fundamental rights of persons” (Commentary, Section 2).
Non-High-Risk AI Systems with Residual Risks
The MCC-AI-Light version is recommended “in situations where an AI system does not qualify as high-risk as referred to in the AI Act but where its use could still pose risks to the health and safety or fundamental rights of persons” (Commentary, Section 3.2). Unlike the high-risk clauses, these provisions are entirely voluntary for public sector procurement, representing best practices rather than legal obligations.
Private Sector Applications
While the MCC-AI clauses were primarily developed for public sector procurement, they are increasingly being adopted by private entities as industry standards. According to Trowers & Hamlins (8), “Although originally tailored for public procurement, the MCC-AI can also be adopted by private sector entities, with the necessary adaptations.” This voluntary adoption helps companies demonstrate compliance with emerging regulatory frameworks and establish standardized approaches to AI governance.
Article-by-Article Clause Comparison: MCC-AI High-Risk vs Light
| Article Name | Subject Matter | Light Implementation | High-Risk Implementation |
| --- | --- | --- | --- |
| 1. Definitions | Core terminology and scope | • AI System defined by reference to Annex A (flexible scope) • MCC-AI-Light for “non-high-risk artificial intelligence” • Simplified Substantial Modification definition (Light, Art. 1) | • AI System follows AI Act definition with Annex A specification • MCC-AI-High-Risk for “High-Risk AI by public organisations” • Detailed Substantial Modification tied to conformity assessment (High-Risk, Art. 1) |
| 2. Risk Management System | Core risk identification and mitigation framework | • Identical 12-step risk management framework • Testing requirements and documentation • Continuous monitoring throughout agreement term • No end-of-term handover provisions (Light, Art. 2) | • Same comprehensive framework as Light • Additional optional end-of-term handover: “If the Public Organisation’s use…continues beyond the term of the Agreement, at the end of the term…the Supplier shall provide…information necessary to maintain the risk management system by itself” (High-Risk, Art. 2.12) |
| 3. Data and Data Governance | Training data quality and management | • Standard data governance requirements • Ensures data sets are “relevant, sufficiently representative and…free of errors” • Geographic and contextual considerations (Light, Art. 3) | • Identical data governance framework • Additional caveat: “Article 3 is only relevant for AI Systems which make use of techniques involving the training of models with data” • Same data quality requirements (High-Risk, Art. 3) |
| 4. Technical Documentation | System documentation and instructions | • Documentation includes technical specifications and instructions for use • References Annex C (technical documentation) and Annex D (instructions) • Update requirements for substantial modifications (Light, Art. 4) | • Identical documentation requirements • Same Annex C and D references • Optional language specification: “<Optional> The technical documentation and instructions for use must be drawn up in English” (High-Risk, Art. 4.5) |
| 5. Record-keeping | Audit trail and logging requirements | • Automatic logging of AI System operations • Stored for appropriate period relative to intended purpose • Public Organisation access rights (Light, Art. 5) | • Identical logging and record-keeping framework • Same access and retention requirements • No structural differences (High-Risk, Art. 5) |
| 6. Transparency | Information disclosure and system clarity | • Clear information about AI System characteristics and limitations • References Annex E for transparency measures • Basic disclosure requirements (Light, Art. 6) | • Enhanced transparency requirements • Detailed performance metrics disclosure • Same Annex E reference but with additional context expectations (High-Risk, Art. 6) |
| 7. Human Oversight | Human supervision and control mechanisms | • Human oversight measures enabling “effective oversight” • References Annex F for implementation details • Public Organisation understanding of AI System limitations (Light, Art. 7) | • Same human oversight framework • Identical Annex F reference • No structural differences in implementation (High-Risk, Art. 7) |
| 8. Accuracy, Robustness and Cybersecurity | Technical performance and security standards | • Appropriate levels of accuracy, robustness, safety and cybersecurity • References Annex G (accuracy metrics) and Annex H (security measures) • Performance consistency requirements (Light, Art. 8) | • Identical technical requirements • Same Annex G and H references • Additional reference: “without prejudice to the requirements stemming from Article 15 of the AI Act” (High-Risk, Art. 8.4) |
| 9. Compliance/Quality Management | Ongoing compliance monitoring | • Article 9: Compliance – Basic compliance monitoring • Supplier ensures AI System compliance throughout agreement • Corrective action requirements (Light, Art. 9) | • Article 9: Compliance with Section B – Same basic framework • Article 10: Quality Management System – Extensive quality management with 12 specific components including “strategy for regulatory compliance” and “accountability framework” (High-Risk, Art. 10.2) |
| 10/11. Conformity Assessment | Compliance verification procedures | • Not present – No separate conformity assessment requirement • Compliance integrated into general monitoring | • Article 11: Conformity Assessment – Mandatory pre-delivery conformity assessment • Three-step procedure: quality system verification, technical documentation examination, design-development consistency check • New assessment required for substantial modifications (High-Risk, Art. 11) |
| 10/12. Fundamental Rights Assessment | Impact assessment on fundamental rights | • Article 10: Fundamental Rights Impact Assessment – Mandatory cooperation • “Supplier shall cooperate” in Public Organisation’s assessment (Light, Art. 10) | • Article 12: Fundamental Rights Impact Assessment – Optional provision • “<Optional> On first request…Supplier shall cooperate” • Same cooperation framework but marked optional (High-Risk, Art. 12) |
| 11/13. Corrective Actions | Non-compliance remediation | • Integrated into Article 9 – Corrective actions within compliance framework • Immediate corrective action requirements (Light, Art. 9.3) | • Article 13: Corrective Actions – Dedicated article • “immediately take the necessary corrective actions” • Notification requirements to Public Organisation (High-Risk, Art. 13) |
| 11/14. Individual Decision-Making Explanation | Transparency for affected individuals | • Article 11: Obligation to Explain – Mandatory provision • Clear and meaningful explanation requirements • Technical information provision including optional source code access (Light, Art. 11.3) | • Article 14: Explanation of Individual Decision-Making – Optional provision • “<Optional>” throughout entire article • Comprehensive technical disclosure including “source code of the AI System, technical specifications…Data Sets” (High-Risk, Art. 14.3) |
| 12-15. Data Rights Management | Intellectual property and data usage rights | • Section C: Rights to Use Data Sets (Articles 12-15) • Public Organisation Data Sets: Full rights retention (Light, Art. 12) • Supplier/Third-Party Data Sets: Non-exclusive usage rights (Light, Art. 13) • Data handover and indemnification provisions (Light, Art. 14-15) | • Section D: Rights to Use Data Sets (Articles 15-18) • Expanded framework with additional article (18: Indemnifications) • Identical rights allocation for Public Organisation Data Sets (High-Risk, Art. 15) • Enhanced supplier/third-party data provisions (High-Risk, Art. 16-17) • Detailed bilateral indemnification structure (High-Risk, Art. 18) |
| AI Register and Audit | Transparency registers and compliance auditing | • Not present – No dedicated AI register or audit section • Compliance monitoring integrated into general framework | • Section E: AI Register and Audit (Articles 19-21) • Article 19: AI Register – Optional public transparency register • Article 20: Compliance and Audit – Comprehensive audit rights “at any time during the term” • Article 21: Costs – Fee allocation for MCC-AI compliance (High-Risk, Art. 19-21) |
Key Structural Differences:
- Light: 15 articles across 4 sections (A-C plus annexes) and makes fundamental rights assessment mandatory, while High-Risk makes it optional
- High-Risk: 21 articles across 6 sections (A-F plus annexes), adds dedicated sections for conformity assessment and audit/register provision
The following table maps AI governance principles derived from the US OMB Memorandum M-25-21 to specific provisions within both the Light and High-Risk versions of the EU Model Contractual Clauses for AI:
AI Governance Principles Mapping
| Principle | Brief Explanation | Source Authority | Light Clauses | High Risk Clauses |
| --- | --- | --- | --- | --- |
| Transparency | People should be told about the AI with clear and sufficient information to make decisions about its application, including appropriate notices that explain the AI’s purpose, functionality, and potential limitations in plain language. | EU AI Act, NIST AI RMF, GDPR | Article 6: Transparency – Basic disclosure requirements with Annex E measures | Article 6: Transparency – Enhanced transparency requirements with detailed performance metrics |
| Accountability | A human control structure should answer for the actions of an AI, for example, an AI governance committee empowered to oversee uses of AI in an organization. | EU AI Act, NIST AI RMF, HUDERIA, GDPR | Article 9: Compliance – Basic accountability through compliance monitoring | Article 10: Quality Management System – Comprehensive accountability framework with 12 management components; Article 20: Compliance and Audit – Enhanced audit rights |
| Human-Centricity | The AI should be designed to serve, improve and enhance the lives of humans and society, not destroy or replace it. | EU AI Act, NIST AI RMF, GDPR | Article 7: Human Oversight – Ensures human oversight measures with Annex F implementation | Article 7: Human Oversight – Same framework as Light with identical Annex F requirements |
| Fairness and Bias Mitigation | AI should treat all groups of society fairly in the context of the AI’s purposes so that irrelevant immutable characteristics about humans do not unfairly skew AI outputs. | EU AI Act, NIST AI RMF, HUDERIA, GDPR | Article 10: Fundamental Rights Impact Assessment – Mandatory cooperation in fundamental rights assessment | Article 12: Fundamental Rights Impact Assessment – Optional fundamental rights assessment; Article 2: Risk Management – Bias mitigation through comprehensive risk framework |
| Data Minimization and Privacy | The AI should use no more personal or confidential data than necessary to accomplish its purpose. For example, one can: mask or pseudonymize personal data…, avoid identifiable personal data in training data…, ensure all principles of privacy are implemented. | EU AI Act, GDPR | Article 3: Data and Data Governance – Data quality requirements including geographic and contextual considerations | Article 3: Data and Data Governance – Identical data governance framework with additional caveat for training-based systems |
| Reliability and Robustness | The AI should be designed to handle edge cases and unexpected data and provide consistent quality and reliability. For example, an AI creating images should not be trained on data unrepresentative of the real world. | NIST AI RMF, HUDERIA | Article 8: Accuracy, Robustness and Cybersecurity – Technical performance standards with Annex G metrics and Annex H security measures | Article 8: Accuracy, Robustness and Cybersecurity – Identical technical requirements plus explicit reference to AI Act Article 15 |
| Explainability and Interpretability | It should be possible to describe with sufficient detail how an AI arrived at an output. Sufficient detail means that it is possible to measure the output versus the explanation… to arrive at a conclusion as to whether the AI succeeded, and why or why not. | NIST AI RMF, HUDERIA, GDPR | Article 11: Obligation to Explain – Mandatory explanation requirements including optional source code access | Article 14: Explanation of Individual Decision-Making – Optional but comprehensive technical disclosure including source code, specifications, and datasets |
| Continuous Monitoring and Oversight | An AI should be subject to continuous monitoring and oversight to avoid incidents affecting adherence to the other principles. This might include an AI-specific or integrated incident response plan, process, and stakeholders. | NIST AI RMF, HUDERIA | Article 5: Record-keeping – Automatic logging and monitoring; Article 2: Risk Management System – Continuous monitoring throughout agreement | Article 5: Record-keeping – Same logging framework; Article 11: Conformity Assessment – Pre-delivery and ongoing assessment procedures; Article 20: Compliance and Audit – Comprehensive audit framework |
| Security and Resilience | An AI should be designed to be secure and pose no harm to humans, and be hardened against various forms of attack… intended to mislead or confuse the AI into performing unsafe actions. | NIST AI RMF, EU AI Act | Article 8: Accuracy, Robustness and Cybersecurity – Security and safety requirements through Annex H measures | Article 8: Accuracy, Robustness and Cybersecurity – Same security framework with additional AI Act Article 15 reference |
| Societal and Environmental Well-being | An AI should be designed to minimize harm to the environment or society. For example, AI should be designed to use no more energy than necessary… and avoid excessive processes… | EU AI Act, HUDERIA | Article 2: Risk Management System – Risk identification includes societal considerations | Article 2: Risk Management System – Same risk framework with optional end-of-term handover provisions |
| Risk Management Framework | An AI should be subject to a risk management framework, so that risks can be evaluated consistently and methodically. | NIST AI RMF, GDPR | Article 2: Risk Management System – Comprehensive 12-step risk management framework with testing and documentation | Article 2: Risk Management System – Same 12-step framework plus optional handover provisions; Article 10: Quality Management System – Enhanced risk management through quality system |
| Ethical Use of AI | An AI should be designed to avoid unethical uses of the AI that violate the aforementioned principles. | HUDERIA, EU AI Act, GDPR | Article 10: Fundamental Rights Impact Assessment – Mandatory ethical assessment through fundamental rights review | Article 12: Fundamental Rights Impact Assessment – Optional fundamental rights assessment; Article 13: Corrective Actions – Dedicated remediation framework |
This article is based on the Model Contractual Clauses for AI documentation published by the European Commission’s Public Buyers Community, including the Commentary (February 2025), MCC-AI-High-Risk, and MCC-AI-Light versions.
References
(1) Lusardi, G. (2025, April 30). Model Contractual Clauses for AI Procurement: How updated EU clauses help manage compliance risk. Innovation Law Insights. DLA Piper. Retrieved May 23, 2025, from https://www.dlapiper.com/en-gb/insights/publications/innovation-law-insights/2025/innovation-law-insights-30-april-2025
(2) Hilborne, N. (2023, October 26). Specialist lawyers publish free AI contract clauses. Legal Futures. Retrieved May 23, 2025, from https://www.legalfutures.co.uk/latest-news/specialist-lawyers-publish-free-ai-contract-clauses
(3) D’hulst, T., & Fraeyman, G-J. (2025, April 15). European Commission Publishes Updated Model Contractual Clauses for AI Procurement. VBB Insights. Van Bael & Bellis. Retrieved May 23, 2025, from https://www.vbb.com/insights/eu-commission-publishes-updated-model-contractual-clauses-for-ai-procurement
(4) Heywood, D. (2024, September 26). AI contracting – what do you need to know? Taylor Wessing Insights. Taylor Wessing. Retrieved May 23, 2025, from https://www.taylorwessing.com/en/insights-and-events/insights/2024/passle/ai-contracting-what-do-you-need-to-know
(5) European Commission. (2025, March 5). Updated EU AI model contractual clauses. Public Buyers Community. Retrieved May 23, 2025, from https://public-buyers-community.ec.europa.eu/communities/procurement-ai/resources/updated-eu-ai-model-contractual-clauses
(6) Tanna, M. (Ed.) (2024, October 13). SCL EU AI Act Contractual Clauses. Society for Computers & Law AI Group. Retrieved May 23, 2025, from https://www.scl.org/ai-group
(7) European Commission. (2023, September). Model Contractual Clauses for AI Procurement. Retrieved May 23, 2025, from https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-model-contractual-clauses-ai-procurement_en
(8) Trowers & Hamlins. (2025, March 15). The EU AI Model Contractual Clauses: A comprehensive overview for UK legal practitioners. Retrieved May 23, 2025, from https://www.trowers.com/insights/2025/march/the-eu-ai-model-contractual-clauses-a-comprehensive-overview-for-uk-legal-practitioners
(9) Burges Salmon. (2025, March 8). Public procurement of AI: EU AI Act model clauses. Retrieved May 23, 2025, from https://www.burges-salmon.com/articles/102is27/public-procurement-of-ai-eu-ai-act-model-clauses
About the Author
You can read about Alex Wall here.
