A Customer Asked About the EU AI Act — How to Respond
A B2B prospect asked if you're EU AI Act compliant. Learn how to decode what they're asking, determine your role, and respond honestly by risk tier.
The email arrives mid-deal: "Can you confirm you are EU AI Act compliant?" Sometimes it is a formal questionnaire; sometimes a single sentence from a legal or security contact who has just been briefed by their own compliance team. Either way, you need to respond — and the two worst answers are "yes, fully compliant" and silence.
"Fully compliant" is almost certainly premature. Regulation (EU) 2024/1689 is phased: some obligations are already live, others do not apply until 2 December 2027 or 2 August 2028. Claiming completion before the relevant deadline can come back to haunt you in the same deal. Silence reads as a red flag. The right answer is specific, role-aware, and honest about what is done, what is in progress, and what is not yet due.
What the Customer Is Actually Asking
Most due-diligence questionnaires compress three questions into one.
First, a role question: are you a provider or a deployer? The customer is establishing where you sit in their supply chain so they can fulfil their own Article 26 obligations. "Are you compliant?" often means "do you have the Article 11 technical documentation and Annex IV records I need to review as part of my deployer due diligence?"
Second, a classification question: what risk tier does your system sit in, and have you assessed it against Annex III? If it is high-risk, they want evidence of progress. If not, they want an explanation.
Third — often implicit — can you demonstrate any of this, or are you working from a guess? A documented answer with evidence attached beats a polished claim with nothing behind it.
First, Determine Your Role
You are a provider under Article 16 if you develop an AI system and ship it under your own name or trademark. If your product includes an AI feature — a recommendation engine, a scoring model, a chatbot — and you deliver it to customers, you are the provider. Obligations include technical documentation (Article 11, Annex IV), a quality management system (Article 17), human-oversight design (Article 14), and where the system is high-risk, a conformity assessment under Article 43 before launch.
You are a deployer under Article 26 if you use a third-party AI system internally in a professional capacity — integrated into your own workflow but not shipped to customers. Deployer obligations are lighter: follow the provider's instructions, maintain human oversight, retain logs for at least six months, and in certain cases run a Fundamental Rights Impact Assessment under Article 27.
Customers asking a due-diligence question are usually asking about your provider status. If your product contains an AI feature you built, you are a provider. Answer as one.
Watch the role-shift trap in Article 25. If you have taken a third-party model, put your name on it, substantially modified it, or changed its intended purpose, the Act treats you as the provider of the resulting system — the full Article 16 stack applies regardless of where the model originated.
Then Classify the System
Classification starts at Article 6, which sends you to Annex III if your system is used in one of eight defined areas: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services (including creditworthiness scoring and health or life insurance risk), law enforcement, migration and border control, and the administration of justice. If your system has no functional connection to any of these, it is almost certainly not high-risk.
Even within Annex III, Article 6(3) provides a filter: the system is not high-risk if it poses no significant risk of harm — for instance, because it performs a narrow procedural task, improves a previously completed human activity without influencing a decision, or does preparatory work. Only one condition needs to be satisfied. The catch: any system that profiles natural persons is always high-risk regardless of the filter, and a provider claiming the exemption must document the assessment and register the system under Article 49.
Most B2B SaaS features land in the minimal-risk tier. That is not a weakness in your answer. A well-explained minimal-risk determination is more credible than a vague "compliant" claim.
If your system involves a customer-facing chatbot, synthetic-content generation, or deepfakes, a lighter disclosure obligation applies under Article 50 — limited-risk transparency — from 2 August 2026.
How to Answer Honestly by Scenario
Scenario A — your system is minimal-risk. Explain the Article 6 analysis: you assessed the system against Annex III and it does not fall within any of the eight high-risk areas. No mandatory substantive obligations apply under the Act (beyond Article 4 AI literacy, which has been in force since 2 February 2025, and Article 50 transparency if the system is customer-facing). You comply with those obligations. You are willing to share the classification rationale in writing.
Scenario B — your system is limited-risk. State that the system falls within the Article 50 transparency tier — for example, it is a chatbot or generates content visible to end users. Describe the disclosures you have built: the user-facing notification that they are interacting with an AI system, the labelling of AI-generated content. Article 50 applies from 2 August 2026; if you are ahead of that date, say so and describe your readiness.
Scenario C — your system is high-risk. Under the Digital Omnibus agreed in May 2026, the deadline for stand-alone Annex III systems is 2 December 2027; for AI embedded in Annex I products it is 2 August 2028. State your Annex III classification, the applicable deadline, and your current status against the key obligations: Article 9 risk management, Article 11 / Annex IV technical documentation, Article 43 conformity assessment. Do not claim completion of obligations that have not yet come into force. A specific status update — "Article 9 in place; Annex IV documentation 60% complete; conformity assessment scheduled Q2 2027" — is far more credible than a blanket "compliant."
What Not to Say
Three formulations create problems that outlive the deal.
Do not claim your system is "certified." There is no general AI Act certification scheme for most systems. The Act has a conformity assessment process (Article 43), which for most Annex III systems is an internal self-assessment under Annex VI — not a third-party certificate. The word "certified" implies something that does not exist.
Do not claim "fully compliant" before the relevant obligations are due. For high-risk systems, the 2 December 2027 deadline has not passed; the honest statement is that you are on track, not that you have arrived. Customers with their own compliance programs know the deadlines.
Do not conflate GDPR, SOC 2, or ISO/IEC 42001 with EU AI Act compliance. They overlap usefully — GDPR supports Article 10 data governance; ISO/IEC 42001 supports the Article 17 QMS and Article 9 evidence — but none substitutes for the Act's requirements. Saying "we are SOC 2 certified" answers a different question. If your system is in Annex III, the customer will likely find out, and omitting it erodes trust faster than candour.
A Reusable Response Structure
A structured vendor response is easier to defend than prose assembled under deadline pressure. Six elements, in order, cover what a procuring customer needs:
1. Role — provider under Article 16 (you develop and ship the AI feature) or deployer under Article 26 (you use a third-party AI internally), with a brief explanation of why.
2. Classification — the risk tier (minimal, limited, or high), the article and annex that support it, and the reasoning. For minimal-risk, summarise the Annex III assessment. For limited-risk, identify the Article 50 trigger. For high-risk, name the Annex III point (for example, "Annex III, point 4(a) — recruitment and candidate screening").
3. Applicable obligations — the specific requirements that follow from your role and tier, and the timelines that govern them.
4. Current status — what is implemented, what is in progress, and when you expect to complete the remaining items. Be specific: Article 9 risk management, Article 11 documentation, Article 43 conformity assessment, Article 17 QMS.
5. Evidence available on request — your Annex IV technical documentation pack, Article 47 EU Declaration of Conformity, Article 27 FRIA report where applicable, and your AI system register entry.
6. Point of contact — the person or function responsible for AI compliance questions, so the customer knows this is a maintained position, not a one-off reply.
A response built on those six elements is repeatable across deals and defensible if challenged.
Turn the Questionnaire Into a Trust Asset
The first time a customer asks about the EU AI Act, assembling a response takes time. The second time, it should take minutes. A standing AI Act fact sheet — role determination, classification record, obligation status, available evidence — shortens procurement cycles and differentiates you from vendors who reply with a paragraph of reassuring generalities.
If you cannot answer the questionnaire cleanly today, that is useful information: it tells you where your compliance program has gaps. The 2 December 2027 deadline is real, and a well-documented AI compliance position is increasingly a procurement requirement in the enterprise segment.
How Confir Helps
Confir's classification engine uses deterministic, rule-based logic — not an LLM — to step through the Article 6 and Annex III assessment, derive your role (provider, deployer, importer, or distributor), and produce a classification record you can hand to customers. The same workflow generates the Annex IV technical documentation pack, the Article 47 EU Declaration of Conformity, and a vendor-facing compliance summary. For high-risk systems, the Article 27 FRIA module produces the Fundamental Rights Impact Assessment that public-sector and financial-services customers need from you.
Every finding traces to the rule that produced it — explainable, reproducible, audit-defensible. €600 per year, self-serve, no consultants. confir.eu.
Frequently Asked Questions
Does the EU AI Act require me to answer customer compliance questions?
Not in those exact terms, but Article 13 requires providers of high-risk AI systems to supply information that enables deployers to fulfil their Article 26 obligations. A B2B customer doing deployer due diligence is exercising a right the Act effectively creates. Declining to engage puts you at a commercial disadvantage and, in high-risk scenarios, may leave the customer unable to satisfy their own obligations.
We use OpenAI's API to build our product — are we a provider or a deployer?
If you build a system on a third-party model and ship it under your own name, you are the provider of that system under Article 16 — the provider definition turns on placing a system on the market under your own name, not on whether you trained the underlying model. The GPAI obligations (Article 53) stay with OpenAI. Article 25 governs the rest of the value chain: it can pull a deployer or distributor into provider status if they rebrand or substantially modify a high-risk system. Your classification then depends on what your system does — run the Article 6 / Annex III assessment against your use case, not against the model's general capabilities.
What is the deadline for high-risk AI compliance?
Under the Digital Omnibus agreed in May 2026, stand-alone high-risk AI systems listed in Annex III must comply by 2 December 2027. High-risk AI systems embedded in products covered by EU product safety law (Annex I) must comply by 2 August 2028. The original 2 August 2026 deadline has been deferred. Article 50 limited-risk transparency obligations and the general application of the Act remain on 2 August 2026.
Our product has no AI features — does the EU AI Act apply to us?
Not as a provider. If you use third-party AI tools internally, you are a deployer under Article 26 — lighter obligations: follow instructions, ensure human oversight, retain logs, and in certain cases run a FRIA under Article 27. If none of that applies, the Act bears minimally on your operations, though Article 4 AI literacy has applied since 2 February 2025 to any organisation that uses AI.
Can ISO/IEC 42001 certification substitute for EU AI Act conformity?
No. ISO/IEC 42001 is voluntary and supports your Article 17 QMS and Article 9 risk management evidence, contributing to the technical file. It is not a substitute for the Article 43 conformity assessment — the Act's own process for demonstrating compliance before a high-risk system goes to market. If you hold it, tell customers; it is a credible signal. But be clear it sits alongside, not in place of, the Act's requirements.
What penalty do we face if we give incorrect information about our AI Act status?
Supplying incorrect or misleading information to a national market-surveillance authority or a notified body carries up to €7,500,000 or 1% of worldwide turnover under Article 99 (the lower of the two for smaller companies under Article 99(6)). Misrepresentations to customers are primarily a contractual matter, but an overclaim that reaches a regulator through a customer complaint is an Article 99 exposure.
What is the difference between Article 26 and Article 27?
Article 26 covers all deployer duties: follow the provider's instructions, maintain human oversight, monitor performance, retain logs, and flag incidents. Article 27 is narrower — the Fundamental Rights Impact Assessment — and applies to public-sector deployers and to private deployers using Annex III systems for creditworthiness scoring (point 5(b)) or life and health insurance risk assessment (point 5(c)). If your customer is a public authority or a financial-services firm in one of those categories, they may need your Annex IV documentation to complete their Article 27 FRIA.