TREVAM
View Buyer Edition
Reference

EU AI Act RFP Response: Procurement Evidence Map

Map common EU AI Act procurement questions to the evidence, artifacts, review owners, and red flags an AI vendor should prepare before responding to an RFP.

Scope

Buyer-facing evidence map for AI vendors, deployers, and product/compliance teams responding to procurement requests, vendor questionnaires, or enterprise reviews about AI systems under the EU AI Act.

Covers

  • Limited Risk and Minimal Risk AI systems — common in procurement and enterprise vendor-review workflows.
  • Article 50 transparency obligations: chatbot disclosure, AI-generated content marking, biometric and emotion-recognition notice, deepfake labelling.
  • Procurement handover between vendor (provider) and buyer (deployer).
  • Documentation baseline for human/legal/compliance review.

Out of scope

  • High-Risk Annex III conformity assessment.
  • Notified Body preparation.
  • Systemic-risk GPAI provider obligations (Articles 53, 54, 55).
  • Legal advice, certification, warranty drafting.

Source status

This Reference draws on sources at different regulatory maturity levels. When the body of the page references a specific source, the status below applies.

Source Status Notes
EU AI Act (Regulation (EU) 2024/1689) Current Regulation text In force. Article 4 (AI literacy) applies from 2 February 2025. Article 50 (transparency) applies from 2 August 2026.
Commission draft guidelines on Article 50 transparency obligations Draft guidance Published 8 May 2026. Public consultation open until 3 June 2026. Final adopted guidance should be monitored when published. Treat as draft, not final.
Code of Practice on marking and labelling of AI-generated content Draft guidance Voluntary instrument supporting Article 50 obligations. Status: draft.
Digital Omnibus on AI Provisional political agreement 7 May 2026 provisional agreement between Council and Parliament. Not enacted. Formal adoption, legal-linguistic revision, and publication pending.
EU Public Buyers Community Model Contractual Clauses for AI (MCC-AI) External contractual reference Not Trevam evidence. Useful procurement-side contractual input for buyer organisations.

Where a source is in draft or provisional status, this page does not present its content as final law. Buyers and deployers should monitor the corresponding final adoption and update their documentation accordingly.

Problem

RFPs and vendor questionnaires do not ask for explanations. They ask for evidence. The distinction matters.

A procurement reviewer is looking for:

  • A document, not a statement.
  • An owner, not an aspiration.
  • A version date, not "ongoing work."
  • A red flag flagged in writing, not a rosy summary.

"We are EU AI Act compliant" is not a safe answer to put in writing. The Act distinguishes provider obligations, deployer obligations, GPAI obligations, prohibited practices (Article 5), high-risk classification (Article 6 + Annex III), and transparency obligations (Article 50). A single blanket assertion of compliance creates exposure on every track it touches.

The map below pairs the procurement questions a buyer is likely to ask under the EU AI Act with what the buyer is actually testing, the evidence to attach, who should own the review, and the red flags that should not be glossed over.

Core evidence mapping

# Procurement question (buyer ask) What the buyer is really testing Evidence to prepare Trevam artifact Review owner Red flag
1 "Is your system an AI system under the EU AI Act?" Whether you have done the Article 3(1) determination and have it written down Short rationale referencing Article 3(1) factors (autonomy, inference, output influence) and the conclusion Intended Purpose Statement Product + Legal/Compliance Conflating "we use AI" with "we are subject to the Act" — or the inverse
2 "What is the intended purpose of the system?" Whether the deployer can rely on a defined operating context, and whether scope creep risks reclassification Written Intended Purpose Statement covering use cases, users, inputs, outputs, exclusions Intended Purpose Statement Product owner + Compliance Vague marketing language; intended purpose copied from product brochure
3 "What role do you take — provider, deployer, importer, distributor?" Whether the Article 25 / Article 26 role analysis has been done and can be defended Role determination memo with reasoning; identification of any substantial modification or rebranding Risk Tier Rationale Memo (role section) Legal/Compliance Claiming "deployer" while branding or modifying a third-party model
4 "What is the system's risk tier?" Whether Article 5 (prohibited), Article 6 + Annex III (high-risk), and Article 50 (transparency) have been screened as separate gates Risk tier rationale documenting each screen + GPAI dependency note Risk Tier Rationale Memo Legal/Compliance Treating "limited risk" as a single tier that exempts everything; missing Article 50 stacking on top of high-risk
5 "Do Article 50 transparency obligations apply?" Whether the four sub-obligations (50(1), 50(2), 50(3), 50(4)) have each been individually assessed Article 50 decision record covering each paragraph: applicability, exemptions, evidence Article 50 Decision Record Legal/Compliance + Product Answering "no" by default; conflating Article 50 with high-risk; skipping per-paragraph analysis
6 "Which models or GPAI dependencies does the system rely on?" Whether upstream model providers, capabilities, and modification status are mapped Model dependency register: provider, model name/version, intended use, modification/fine-tuning status Technical File Outline (dependency section) Engineering + Product "Black box" answers; provider not named; fine-tuning not noted
7 "What is your data governance approach?" Whether training, validation, and operational data have provenance, quality controls, and lawful basis assessment Data Governance Plan covering source register, GDPR lawful basis, retention, quality controls Data Governance Plan Data + Legal/Compliance "Customer data only" without documentation; no source register; no GDPR lawful basis recorded
8 "How do you manage changes to the system?" Whether updates, retraining, or feature changes are tracked so a regulator or buyer can reconstruct the history Change Log with version, date, scope of change, impact on risk tier and Article 50 applicability Change Log Engineering + Product Continuous deployment with no formal log; changes made without re-running risk assessment
9 "What risk management practices apply?" Whether identified risks have documented mitigations, residual risk acceptance, and ongoing monitoring Risk Management Log: risks, mitigation actions, residual status, monitoring cadence Risk Management Log Product + Legal/Compliance Generic AI safety bullets copied from a framework with no system-specific entries
10 "What AI literacy controls do operators and users have?" Whether the Article 4 obligation (effective from February 2025) is operationalised inside the organisation AI Literacy Evidence Log: training delivered, roles covered, dates, materials AI Literacy Evidence Log HR + Compliance Stating "all staff are AI-literate" without dated evidence
11 "How are incidents detected and reported?" Whether the deployer has a route to identify, escalate, and (where required) notify market surveillance authorities Incident routing: detection sources, severity classification, internal escalation, external notification owner Risk Management Log (incident section) Security + Legal/Compliance "We will report if needed" — no defined trigger or owner
12 "What documentation can you provide on request?" Whether the documentation baseline is real, current, and reviewable Document register: artifacts, versions, last-review dates, review owners, redaction protocol Document register / artifact register across relevant kit outputs Compliance Promising "full documentation" without an actual document register

Flagged questions

Some procurement questions invite a one-word answer that should never be given without legal/compliance review. Treat each as a routing prompt.

  • "Are you EU AI Act compliant?" The Act has multiple obligation tracks. A blanket "yes" is exposure. Describe the documentation baseline and the human/legal/compliance review process behind it.
  • "Is your system high-risk?" Requires the Article 5 + Article 6 + Annex III screen in writing. A casual "no" without the screen is a common procurement and review failure mode.
  • "Does Article 50 apply?" Four sub-obligations, each independently assessed. "Yes" or "no" without the per-paragraph breakdown is wrong.
  • "Is your disclosure adequate?" Adequacy is a judgment against the May 2026 Commission draft guidelines (consultation open until 3 June 2026). Treat the guidelines as draft, not final adopted guidance.
  • "Do you provide warranties or indemnities?" Contractual question, not a documentation question. Route to legal. Do not draft warranty language in an RFP response field.
  • "Are your upstream model / GPAI providers compliant?" Third-party compliance status is not yours to assert. Provide the dependency register and the provider documentation links; let the buyer make its own assessment.
  • "Has legal reviewed this?" Answer truthfully and dated. "Last reviewed by [role] on [date]" beats "yes."

Failure modes

For each: bad pattern · why it fails · safer response · evidence required.

  1. 1. "We are EU AI Act compliant."
    Why it fails
    the Act has multiple obligation tracks. A blanket statement is unverifiable and creates exposure under every track.
    Safer response
    "Our documentation baseline covers role determination, risk tier rationale, Article 50 applicability, data governance, and change management. Human/legal/compliance review is on file. Specific evidence available on request."
    Evidence required
    document register with versions, review dates, owners.
  2. 2. "Our system is limited risk, so transparency obligations do not apply."
    Why it fails
    Article 50 transparency obligations apply independently of the high-risk classification. A "limited risk" chatbot still has Article 50(1) disclosure obligations.
    Safer response
    "Article 50 applicability has been assessed per sub-obligation. Decision record is on file."
    Evidence required
    Article 50 Decision Record.
  3. 3. "Our chatbot disclosure is in the Terms of Service."
    Why it fails
    Article 50(1) requires disclosure "at the latest at the time of the first interaction." A disclosure buried only in Terms of Service is unlikely to evidence timely, clear disclosure at first interaction.
    Safer response
    "Chatbot disclosure is presented at the first interaction in a clear and distinguishable manner per Article 50(1) and the May 2026 draft guidelines."
    Evidence required
    UI screenshot, timing record, accessibility check.
  4. 4. "Our model provider handles compliance for the underlying model."
    Why it fails
    deployer obligations are independent and cannot be inherited. The Act places accountability on each party for its specific deployment context.
    Safer response
    "Upstream provider documentation is on file. Our deployer-side obligations have been independently assessed and documented."
    Evidence required
    dependency register + deployer-side rationale.
  5. 5. "AI literacy is covered by general staff training."
    Why it fails
    the Article 4 obligation (effective February 2025) is role-specific. "General training" without role mapping fails the evidence test.
    Safer response
    "AI literacy delivery is logged per role, dated, and reviewed annually."
    Evidence required
    AI Literacy Evidence Log.
  6. 6. "We will provide full documentation on request."
    Why it fails
    "full documentation" is unverifiable. Real buyers want to see the register before signing.
    Safer response
    "Our document register includes [list of artifact categories], with versions and review owners. Excerpts and full versions available under NDA."
    Evidence required
    document register.
  7. 7. "Our risk tier is limited because the system does not affect rights."
    Why it fails
    risk tier determination follows the Act's structural tests (Article 5, Article 6, Annex III), not a subjective rights assessment.
    Safer response
    "Risk tier rationale is documented per Article 5 / Article 6 / Annex III screens, with conclusions and supporting reasoning."
    Evidence required
    Risk Tier Rationale Memo.
  8. 8. "The deepfake exemption applies because our content is creative."
    Why it fails
    the May 2026 Commission draft guidelines clarify that the "evidently artistic/creative/satirical" carve-out excludes content that serves primarily informative or commercial purposes. AI-generated commercial advertising does not benefit from this carve-out.
    Safer response
    "Deepfake-applicability has been assessed against Article 50(4) and the May 2026 draft guidelines on the artistic carve-out scope. Decision is on file."
    Evidence required
    Article 50 Decision Record, deepfake sub-section.
  9. 9. "We do not need an Article 50 disclosure because our chatbot's AI nature is obvious."
    Why it fails
    the May 2026 draft guidelines define "obvious" using an average-consumer standard with multi-factor analysis (target audience, vulnerable groups, AI literacy levels). Asserting "obvious" without the analysis is not safe.
    Safer response
    "Article 50(1) obviousness exemption has been assessed against the May 2026 draft guidelines' multi-factor test. Conclusion documented."
    Evidence required
    Article 50 Decision Record, obviousness analysis sub-section.
  10. 10. "Our incident response is covered by the existing security incident process."
    Why it fails
    AI Act incident reporting triggers and timelines are not the same as the security incident process. Reuse is fine; explicit mapping is required.
    Safer response
    "AI Act incident triggers and timelines are mapped to our existing incident process. Escalation paths and external notification owner are defined."
    Evidence required
    Risk Management Log incident section + escalation routing.
  11. 11. "Our data governance is GDPR-aligned, so the AI Act requirement is covered."
    Why it fails
    GDPR and the AI Act overlap but do not substitute each other. AI Act data governance for high-risk systems and Article 50 transparency add obligations beyond GDPR.
    Safer response
    "GDPR lawful basis, retention, and transfer mechanisms are documented. AI Act-specific data governance (training data quality, source register, bias monitoring) is documented separately."
    Evidence required
    Data Governance Plan with both sections.
  12. 12. "We do not retain a record of changes to the model in production."
    Why it fails
    change tracking is a prerequisite for risk-tier stability and for incident reconstruction. Lack of change records is its own audit finding.
    Safer response
    "Change Log captures version, date, scope, and impact on risk tier and Article 50 applicability."
    Evidence required
    Change Log.

What this is not

This Reference page is not, and should not be cited as:

  • Legal advice or a substitute for counsel.
  • A High-Risk Annex III conformity assessment.
  • A Notified Body submission preparation.
  • A determination of Article 50 applicability for a specific system.
  • A determination of risk tier for a specific system.
  • A warranty or contractual indemnity drafting input.
  • A certification of any provision of the EU AI Act.
  • A claim that any documentation alone makes a system compliant.
  • A substitute for human/legal/compliance review against the specifics of the system, deployment context, and current regulatory state.

The map exists to help vendors and deployers prepare review-ready documentation. Each item is subject to human/legal/compliance review.

How to use the Trevam kit

The EU AI Act Compliance Starter Kit — Buyer Edition v1.6 includes 27 artifacts plus an included AI-assisted completion companion guide. The artifacts most directly used to answer the procurement questions above:

  • Risk Tier Rationale Memo — questions 3 + 4 in the mapping. Article 5 / Article 6 / Annex III gates recorded as separate decisions with supporting reasoning. See the risk-tier screening Reference.
  • Intended Purpose Statement — questions 1 + 2. Use cases, users, inputs, outputs, exclusions written down so role and scope can be defended.
  • Article 50 Decision Record — question 5. Each of Article 50(1), 50(2), 50(3), 50(4) assessed separately with exemptions and evidence. See the Article 50 applicability Reference.
  • Technical File Outline — supporting structure for question 6 (model and GPAI dependencies).
  • Data Governance Plan — question 7. GDPR lawful basis, retention, source register, AI Act-specific data governance.
  • Change Log — question 8.
  • Risk Management Log — questions 9 + 11.
  • AI Literacy Evidence Log — question 10.
  • Article 50 Draft Disclosure Notices — disclosure copy library to support Article 50(1) and 50(4) implementation.

The AI-assisted completion companion is an optional methodological guide for using approved AI workspaces (e.g. enterprise Claude, ChatGPT, Microsoft 365 Copilot-style assistants, or internal assistants) to draft, evidence-check, red-team, and prepare the kit's outputs for human/legal/compliance review. The companion does not decide risk tier, does not determine Article 50 applicability, does not produce legal advice, and does not substitute review.

Last reviewed / update note

Last reviewed: 2026-05-18.

This page is subject to update when one of the following occurs:

  • The European Commission publishes the final adopted Article 50 transparency guidelines (currently in consultation until 3 June 2026; final adopted guidance should be monitored when published).
  • The Digital Omnibus on AI is formally adopted by the Council and Parliament (currently provisional agreement of 7 May 2026; formal adoption pending).
  • The Code of Practice on marking and labelling of AI-generated content reaches a new draft milestone or final adoption.
  • A material update to the EU AI Act Service Desk or AESIA guidance affects one or more of the questions mapped on this page.
  • The Trevam EU AI Act Compliance Starter Kit moves to a new minor or major version that changes the artifact set referenced here.

Substantive updates are recorded in the public Trevam update log.