EU AI Act · 8 min read · by Lars Zimmermann

AI in your EU supply chain — supplier audits and EU AI Act importer/distributor obligations

If your AI is built on third-party components or models, the EU AI Act makes you accountable for them. A practical guide to supplier audits and the new responsibilities along the AI value chain (Articles 23–25).

Few AI systems are built fully in-house. You might licence a foundation model, embed a third-party vision API or import a finished product from a non-EU vendor. The EU AI Act explicitly addresses this — and pushes accountability both down and up the value chain.

Who counts as importer and distributor

An importer (Article 3) is a person established in the Union that places on the market an AI system bearing the name or trademark of a person established outside the Union. A distributor is anyone else in the supply chain — other than provider or importer — that makes a system available on the EU market.

Importer obligations (Article 23)

  • Verify that the provider carried out the conformity assessment and that technical documentation and instructions are in place.
  • Verify the CE marking and the EU declaration of conformity.
  • Indicate your name, registered trade name and contact address on the system, on its packaging or in accompanying documentation.
  • Keep a copy of the EU declaration of conformity for ten years; keep certificates issued by notified bodies available to authorities.
  • Cooperate with market-surveillance authorities, and take corrective measures or withdraw the system if you suspect non-compliance.

Distributor obligations (Article 24)

  • Before making available, verify the CE marking, the EU declaration of conformity, instructions for use and that the provider and importer fulfilled their duties.
  • Make sure storage and transport conditions do not jeopardise compliance.
  • If you suspect a risk, inform the provider or importer and take corrective measures.

Responsibilities along the AI value chain (Article 25)

Article 25 introduces a duty to allocate responsibilities along the value chain by written agreement — between providers of high-risk systems, providers of components and downstream operators integrating AI into their products. Crucially: if a downstream actor substantially modifies a high-risk AI system, or places it on the market under their own name or trademark, they may become the provider of that modified system, with the full provider duty set (and, for non-EU actors, an Authorised Representative).

What a useful AI supplier audit covers

  • Technical documentation completeness (Article 11, Annex IV) and whether updates are tracked.
  • Risk management system (Article 9): how the supplier identifies, evaluates and mitigates risks across the AI life cycle.
  • Data governance (Article 10): provenance, quality, representativeness and bias control of training, validation and test data.
  • Logging and traceability (Article 12) — events you can reconstruct after an incident.
  • Human-oversight measures available to the operator (Article 14).
  • Transparency information you can hand to your own deployers (Article 13).
  • For non-EU providers of high-risk AI: existence and contact details of the Authorised Representative (Article 22).
  • Information security and AI governance evidence: ISO/IEC 27001 for the foundation, ISO/IEC 42001 for AI specifically — or equivalent demonstrable evidence.

Second-party audits as a working control

A second-party audit — you (or a representative auditor) auditing your supplier — is the most useful tool to make Articles 23–25 real. It is not a certification; it is your own evidence that you exercised due diligence. A clear audit plan, on-site or remote review, and a written report with findings and corrective measures protect you in market-surveillance interactions and in customer audits.

Article 25 turned "my supplier is responsible" into a documentation duty. If you cannot prove what you checked, you did not check it.

How to start

  • List every AI component and supplier feeding into your products or operations — including model APIs and embedded libraries.
  • Classify each component by AI Act risk class and by your own criticality.
  • Build a baseline supplier-audit checklist mapped to Articles 9–15, 22 and 25.
  • Run risk-based audits — high-risk components yearly, lower-risk on a longer cadence; trigger ad-hoc audits after material model changes.
  • Fold the supplier-audit evidence into your ISO 42001 management system, so the rest of your governance benefits from it.

Note on scope: this article covers AI compliance and audit aspects only. Procurement and contract law (warranty, liability, indemnity, intellectual-property clauses) need legal counsel — supplier audits sit alongside contract review, not instead of it.

Frequently asked questions

Am I liable if my AI supplier is non-compliant?

Yes. Articles 23 and 24 put due-diligence and corrective-action duties directly on you as importer or distributor. Article 25 adds value-chain responsibility allocation. "I trusted my supplier" is not a defence — what counts is the evidence that you verified and acted.

Do my suppliers need to be ISO 42001 certified?

Not as a legal requirement. But in practice, requiring ISO/IEC 42001 (or ISO/IEC 27001 for information security) is the cleanest way to standardise supplier evidence — many enterprises now write it into procurement criteria.

What if I substantially modify a third-party AI system?

Article 25 may make you the provider of the modified system, with the full set of provider obligations — including, potentially, an Authorised Representative if you are established outside the EU.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor (PECB)

Last updated: 28 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
