How Do You Answer an EU AI Act Vendor Questionnaire?
A customer sent you an EU AI Act vendor questionnaire. Identify whether you are a provider or deployer, map each question to a document, and attach the evidence.

A customer has sent you an EU AI Act vendor questionnaire, and you need to answer it. The form is really asking one thing: can you evidence how your company governs AI? Answer it in four moves — identify your honest role (provider or deployer), map each question to a document you can attach, send that evidence, and for anything you have not built yet, state the plan rather than a false yes.
Quick Answer. An EU AI Act vendor questionnaire is a customer's supply-chain due-diligence check. Answer it by stating your role under Article 3 — provider or deployer — then mapping each question to a document (register, Article 50 notices, AI-use policy, Article 4 records) and attaching that pack. For any gap, state your plan, not a false yes.
Last updated: 13 July 2026 · Verified against Regulation (EU) 2024/1689 as amended by the Digital Omnibus (adopted and signed; awaiting Official Journal publication).
Summary
Answer an EU AI Act vendor questionnaire — reply with evidence, not improvised prose │ ├─ Why it landed on your desk — supply-chain due diligence │ ├─ Your customer is a deployer (or is answering its own customers) under the Act │ └─ The Act pushes accountability down the chain, so vendors must evidence AI governance │ ├─ Answer your role first, then map each question to a document │ ├─ Provider or deployer? (Art. 3) — most respondents are deployers of third-party AI │ ├─ Register · Art. 50 notices · AI-use policy · Art. 4 records each answer one question │ └─ The documentation pack IS the attachment — you reply with evidence, not prose │ └─ Honesty rules — the pack is evidence, not a compliance badge ├─ Not legal advice, not an audit, not a certification or a conformity assessment └─ Got a gap? State the plan and a target date — never a false "yes"
Why did a customer send me an EU AI Act questionnaire?
If a business customer has added AI questions to a supplier or vendor questionnaire, it is almost always because they are on the hook. Your customer is a deployer of AI — a company using AI systems under its own authority — or is itself answering the same questions further up the chain. The EU AI Act deliberately pushes accountability along the supply chain: a deployer that cannot see inside the tools it buys manages that risk by asking its vendors to evidence how they govern AI [4].
That is the shift worth understanding. Procurement teams used to ask about security and data protection; now AI governance has joined the list. You will see these most from larger enterprise buyers, regulated-sector customers and public-sector procurement — the organisations whose own compliance teams have already started asking the question internally. The questionnaire is not a trap — it is a request for evidence, and the vendor who can produce it quickly looks like the lower-risk supplier. For the full picture of the obligations these questions map back to, our complete EU AI Act documentation guide sets out the register, notices and policy a well-run response draws on.
What do these questionnaires ask?
No two questionnaires are identical, but they converge on a short set of questions, because they are all reaching for the same underlying duties in the Act. Expect some combination of:
- Are you a provider or a deployer of AI? — the role question (Article 3), which decides which duties are even yours [1].
- Do any of your AI systems fall into a high-risk category? — a screen against the Act's high-risk uses (Annex III), whose obligations were rescheduled to 2 December 2027 by the Digital Omnibus. (Verified on 13 July 2026.)
- Do you meet the Article 50 transparency duties? — telling people when they deal with AI and marking AI-generated content, which apply from 2 August 2026 [3].
- Do your staff have AI literacy? — the Article 4 duty, in force since 2 February 2025 [2].
- Do you have an internal AI use policy, and a register of your AI systems?
- What data does your AI use, and how do you handle oversight and incidents? — the operational-governance and GDPR-overlap questions.
Every one of these is really asking "show me the document". Which is good news: a question you can answer with an attachment is far quicker to close than one you have to compose an essay for.
Are you the provider or the deployer? (answer this first)
Get this one right before you touch the rest, because it decides which duties you owe. The Act draws a sharp line in Article 3: a provider develops an AI system — or has one developed — and places it on the market or puts it into service under its own name or trademark; a deployer uses an AI system under its own authority in the course of its activities [1].
For most companies answering a questionnaire, the honest answer is deployer. You bought a chatbot, a copy-writing tool or a document-processing model from a vendor and you use it; you did not build it. You become a provider only if you build the AI yourself, put your own name on someone else's system, or modify it substantially enough to make it your own. Answer as what you actually are — overstating yourself as a provider invites duties you do not owe, and understating a genuine provider role is exactly the kind of gap a buyer will probe.
If you are unsure whether the Act reaches you at all — for example because you sit outside the EU — that is the prior question: see whether you're even in scope, and your role, which walks the role test in detail.
How to answer the questionnaire, step by step
Once you know your role, answering the questionnaire is a short, repeatable pipeline rather than a blank-page essay:
In words, the pipeline runs like this:
- Read what each question is really asking. Behind the wording is a duty in the Act and a document that evidences it — answer the duty, not just the sentence.
- Fix your honest role. Provider or deployer under Article 3; state it once, up front, so every later answer is consistent [1].
- Map each question to a document. Match the register, the transparency notices, the policy and the training records to the questions they answer — the table below does this for you.
- Attach the pack, or state the plan. Where you hold the document, attach it. Where you have a gap, write the honest plan and a target date — never a false yes.
The point of drawing it as a pipeline is that the hard part is not the writing; it is having the documents ready to attach. That is what turns a two-week scramble into a same-day reply.
Which documents actually answer the questionnaire?
Here is the mapping that does the work. Each common question points to one document you attach, so the reply becomes "see attached" rather than a freshly written paragraph.
| Common questionnaire question | What it is really asking | Which document answers it |
|---|---|---|
| Are you a provider or a deployer? | Which AI Act duties are yours (Article 3) | A one-line role determination, stated up front |
| Which AI systems do you run? | Whether you have visibility of your own AI | Your AI systems register / inventory |
| Do you label or disclose AI content and chatbots? | Article 50 transparency | Your transparency notices and disclosure wording |
| Do your staff get AI training? | Article 4 AI literacy | Your AI-literacy programme and training records |
| Do you have an AI policy? | A governing rule set for staff use of AI | Your internal AI use policy |
| How do you handle data, oversight and incidents? | Operational governance and the GDPR overlap | Policy sections on data, human oversight and incident handling |
Two of these map straight onto duties covered elsewhere in this cluster: the disclosure row is the Article 50 transparency notices, and the training row is the Article 4 AI-literacy programme. The policy row is the internal AI use policy — the single document that also carries your data, oversight and incident answers.
Want the pack ready to attach? Free checkers tell you whether the Act concerns you; the free EU AI Act Documentation tool generates exactly this pack — the register, transparency notices, AI-use policy, AI-literacy programme and training-record templates — as an editable set you can attach to the questionnaire: https://aiprioritymap.com/en/tools/eu-ai-act
What if you have a gap — how do you answer honestly?
The honest question everyone reaches eventually: what do you write when the true answer is "not yet"? You write exactly that — with a plan. A vendor questionnaire is a maturity check, not a pass/fail exam, and a documented trajectory reads far better to a procurement team than a confident "yes" that unravels the first time anyone asks for the evidence behind it.
So for any gap, give three things: the control you do have, the gap you are closing, and the plan and target date to close it. A worked answer might read: "We maintain an AI systems register and disclose our customer-facing chatbot as AI. We do not yet run a formal AI-literacy programme; we are rolling one out and will have completed baseline training and started keeping records by the end of the next quarter." That is honest, specific, and evidences the direction of travel — which is exactly what the buyer is checking for. Faking a "yes" is the one move that turns a governance question into a trust problem — and, if the overstatement ends up in a contract, a commercial exposure. It is worth remembering that the Act itself carries real teeth for misrepresentation and non-compliance; the fines for getting it wrong sit in tiers reaching into the tens of millions.
One more honesty rule, this time about the tooling. A documentation pack is an evidence base, not a verdict. It is not legal advice, not an audit, not a certification, and not a conformity assessment, and generating it does not make you compliant by itself — it gives you the documents to attach and flags the gaps you still need to review. Treat it as the thing that lets you answer the questionnaire with evidence; treat the "are we actually compliant?" judgement as a separate, human one.
Related insights
- EU AI Act Compliance: The Documentation Guide — the full set of obligations the questionnaire's questions map back to.
- Who Does the EU AI Act Apply To? — the role and scope test behind the first questionnaire answer.
- EU AI Act Fines and Penalties — why a false "yes" is a risk worth avoiding.
Last updated: July 2026. Version 1.0.
Frequently Asked Questions
Why did a customer send me an EU AI Act questionnaire?
Am I a provider or a deployer under the EU AI Act?
What documents answer an EU AI Act vendor questionnaire?
Do I have to be in the EU to receive one?
What if I have a gap — can I still answer honestly?
Does the documentation tool make me compliant?
Sources
- 1.Regulation (EU) 2024/1689 — Artificial Intelligence Act, Article 3 (definitions, including 'provider' and 'deployer'), CELEX 32024R1689 — European Parliament and Council of the European Union · 2024
- 2.Regulation (EU) 2024/1689 — Artificial Intelligence Act, Article 4 (AI literacy), CELEX 32024R1689 — European Parliament and Council of the European Union · 2024
- 3.Regulation (EU) 2024/1689 — Artificial Intelligence Act, Article 50 (transparency obligations for providers and deployers), CELEX 32024R1689 — European Parliament and Council of the European Union · 2024
- 4.AI Act Service Desk — obligations, guidance and support along the AI value chain under the EU AI Act — European Commission — AI Act Service Desk · 2026
Want this run on your business?
AI Foundation Audit — a structured assessment of your AI footprint: integration risks, governance gaps, ROI opportunities. Delivered as a comprehensive report you can act on.
You receive your Executive Report and Implementation Brief — tailored to your business and delivered immediately.
