Skip to content
easyAI
Products▼
  • AI Foundation Audit
  • AI ROI Calculator
  • GDPR Accountability Snapshot
Insights
  • Products
    • AI Foundation Audit
  • Free Tools
    • AI ROI Calculator
    • GDPR Accountability Snapshot
  • Insights
  1. Home
  2. Insights
  3. How Do You Answer an EU AI Act Vendor Questionnaire?

How Do You Answer an EU AI Act Vendor Questionnaire?

A customer sent you an EU AI Act vendor questionnaire. Identify whether you are a provider or deployer, map each question to a document, and attach the evidence.

How Do You Answer an EU AI Act Vendor Questionnaire?
Methodology by Daniela Piskackova — Co-founder & AI Audit Lead·Published July 13, 2026

A customer has sent you an EU AI Act vendor questionnaire, and you need to answer it. The form is really asking one thing: can you evidence how your company governs AI? Answer it in four moves — identify your honest role (provider or deployer), map each question to a document you can attach, send that evidence, and for anything you have not built yet, state the plan rather than a false yes.

Quick Answer. An EU AI Act vendor questionnaire is a customer's supply-chain due-diligence check. Answer it by stating your role under Article 3 — provider or deployer — then mapping each question to a document (register, Article 50 notices, AI-use policy, Article 4 records) and attaching that pack. For any gap, state your plan, not a false yes.

Last updated: 13 July 2026 · Verified against Regulation (EU) 2024/1689 as amended by the Digital Omnibus (adopted and signed; awaiting Official Journal publication).

Summary

Answer an EU AI Act vendor questionnaire — reply with evidence, not improvised prose
│
├─ Why it landed on your desk — supply-chain due diligence
│   ├─ Your customer is a deployer (or is answering its own customers) under the Act
│   └─ The Act pushes accountability down the chain, so vendors must evidence AI governance
│
├─ Answer your role first, then map each question to a document
│   ├─ Provider or deployer? (Art. 3) — most respondents are deployers of third-party AI
│   ├─ Register · Art. 50 notices · AI-use policy · Art. 4 records each answer one question
│   └─ The documentation pack IS the attachment — you reply with evidence, not prose
│
└─ Honesty rules — the pack is evidence, not a compliance badge
    ├─ Not legal advice, not an audit, not a certification or a conformity assessment
    └─ Got a gap? State the plan and a target date — never a false "yes"

Why did a customer send me an EU AI Act questionnaire?

If a business customer has added AI questions to a supplier or vendor questionnaire, it is almost always because they are on the hook. Your customer is a deployer of AI — a company using AI systems under its own authority — or is itself answering the same questions further up the chain. The EU AI Act deliberately pushes accountability along the supply chain: a deployer that cannot see inside the tools it buys manages that risk by asking its vendors to evidence how they govern AI [4].

That is the shift worth understanding. Procurement teams used to ask about security and data protection; now AI governance has joined the list. You will see these most from larger enterprise buyers, regulated-sector customers and public-sector procurement — the organisations whose own compliance teams have already started asking the question internally. The questionnaire is not a trap — it is a request for evidence, and the vendor who can produce it quickly looks like the lower-risk supplier. For the full picture of the obligations these questions map back to, our complete EU AI Act documentation guide sets out the register, notices and policy a well-run response draws on.

What do these questionnaires ask?

No two questionnaires are identical, but they converge on a short set of questions, because they are all reaching for the same underlying duties in the Act. Expect some combination of:

  • Are you a provider or a deployer of AI? — the role question (Article 3), which decides which duties are even yours [1].
  • Do any of your AI systems fall into a high-risk category? — a screen against the Act's high-risk uses (Annex III), whose obligations were rescheduled to 2 December 2027 by the Digital Omnibus. (Verified on 13 July 2026.)
  • Do you meet the Article 50 transparency duties? — telling people when they deal with AI and marking AI-generated content, which apply from 2 August 2026 [3].
  • Do your staff have AI literacy? — the Article 4 duty, in force since 2 February 2025 [2].
  • Do you have an internal AI use policy, and a register of your AI systems?
  • What data does your AI use, and how do you handle oversight and incidents? — the operational-governance and GDPR-overlap questions.

Every one of these is really asking "show me the document". Which is good news: a question you can answer with an attachment is far quicker to close than one you have to compose an essay for.

Are you the provider or the deployer? (answer this first)

Get this one right before you touch the rest, because it decides which duties you owe. The Act draws a sharp line in Article 3: a provider develops an AI system — or has one developed — and places it on the market or puts it into service under its own name or trademark; a deployer uses an AI system under its own authority in the course of its activities [1].

For most companies answering a questionnaire, the honest answer is deployer. You bought a chatbot, a copy-writing tool or a document-processing model from a vendor and you use it; you did not build it. You become a provider only if you build the AI yourself, put your own name on someone else's system, or modify it substantially enough to make it your own. Answer as what you actually are — overstating yourself as a provider invites duties you do not owe, and understating a genuine provider role is exactly the kind of gap a buyer will probe.

If you are unsure whether the Act reaches you at all — for example because you sit outside the EU — that is the prior question: see whether you're even in scope, and your role, which walks the role test in detail.

How to answer the questionnaire, step by step

Once you know your role, answering the questionnaire is a short, repeatable pipeline rather than a blank-page essay:

How to answer a vendor EU AI Act questionnaireA left-to-right pipeline for replying to an EU AI Act vendor questionnaire. First read what each question is really asking. Then fix your honest role, provider or deployer, under Article 3. Then map each question to the document that answers it. Then check: do you have that document, or a gap? If you have it, attach the documentation pack. If there is a gap, state the plan and a target date, never a false yes, then attach the pack. Either way you finish by replying with evidence, not improvised prose.

Have it

Gap

Customer sends an
EU AI Act questionnaire

Read what each
question is really asking

Fix your honest role:
provider or deployer (Art. 3)

Map each question to the
document that answers it

Do you have that
document, or a gap?

Attach the
documentation pack

State the plan and a
date, never a false yes

Reply with evidence,
not improvised prose

Answering a vendor AI Act questionnaire as a pipeline — map each question to a document, and for any gap state the plan, not a false yes.

In words, the pipeline runs like this:

  • Read what each question is really asking. Behind the wording is a duty in the Act and a document that evidences it — answer the duty, not just the sentence.
  • Fix your honest role. Provider or deployer under Article 3; state it once, up front, so every later answer is consistent [1].
  • Map each question to a document. Match the register, the transparency notices, the policy and the training records to the questions they answer — the table below does this for you.
  • Attach the pack, or state the plan. Where you hold the document, attach it. Where you have a gap, write the honest plan and a target date — never a false yes.

The point of drawing it as a pipeline is that the hard part is not the writing; it is having the documents ready to attach. That is what turns a two-week scramble into a same-day reply.

Which documents actually answer the questionnaire?

Here is the mapping that does the work. Each common question points to one document you attach, so the reply becomes "see attached" rather than a freshly written paragraph.

Common questionnaire questionWhat it is really askingWhich document answers it
Are you a provider or a deployer?Which AI Act duties are yours (Article 3)A one-line role determination, stated up front
Which AI systems do you run?Whether you have visibility of your own AIYour AI systems register / inventory
Do you label or disclose AI content and chatbots?Article 50 transparencyYour transparency notices and disclosure wording
Do your staff get AI training?Article 4 AI literacyYour AI-literacy programme and training records
Do you have an AI policy?A governing rule set for staff use of AIYour internal AI use policy
How do you handle data, oversight and incidents?Operational governance and the GDPR overlapPolicy sections on data, human oversight and incident handling

Two of these map straight onto duties covered elsewhere in this cluster: the disclosure row is the Article 50 transparency notices, and the training row is the Article 4 AI-literacy programme. The policy row is the internal AI use policy — the single document that also carries your data, oversight and incident answers.

Want the pack ready to attach? Free checkers tell you whether the Act concerns you; the free EU AI Act Documentation tool generates exactly this pack — the register, transparency notices, AI-use policy, AI-literacy programme and training-record templates — as an editable set you can attach to the questionnaire: https://aiprioritymap.com/en/tools/eu-ai-act

What if you have a gap — how do you answer honestly?

The honest question everyone reaches eventually: what do you write when the true answer is "not yet"? You write exactly that — with a plan. A vendor questionnaire is a maturity check, not a pass/fail exam, and a documented trajectory reads far better to a procurement team than a confident "yes" that unravels the first time anyone asks for the evidence behind it.

So for any gap, give three things: the control you do have, the gap you are closing, and the plan and target date to close it. A worked answer might read: "We maintain an AI systems register and disclose our customer-facing chatbot as AI. We do not yet run a formal AI-literacy programme; we are rolling one out and will have completed baseline training and started keeping records by the end of the next quarter." That is honest, specific, and evidences the direction of travel — which is exactly what the buyer is checking for. Faking a "yes" is the one move that turns a governance question into a trust problem — and, if the overstatement ends up in a contract, a commercial exposure. It is worth remembering that the Act itself carries real teeth for misrepresentation and non-compliance; the fines for getting it wrong sit in tiers reaching into the tens of millions.

One more honesty rule, this time about the tooling. A documentation pack is an evidence base, not a verdict. It is not legal advice, not an audit, not a certification, and not a conformity assessment, and generating it does not make you compliant by itself — it gives you the documents to attach and flags the gaps you still need to review. Treat it as the thing that lets you answer the questionnaire with evidence; treat the "are we actually compliant?" judgement as a separate, human one.

When a customer sends an EU AI Act vendor questionnaire, they are running supply-chain due diligence: prove how you govern AI. Answer it in four moves — state your honest role under Article 3 (usually deployer), map each question to a document, attach that pack, and for any gap state the plan rather than a false yes. The documents that answer the questions are an AI systems register, Article 50 transparency notices, an internal AI use policy and Article 4 AI-literacy records. Replying with evidence beats improvising prose — and the honest gap-plan beats an overclaim every time.

Generate the documentation pack you attach — free, in ~20 minutes: https://aiprioritymap.com/en/tools/eu-ai-act

Related insights

  • EU AI Act Compliance: The Documentation Guide — the full set of obligations the questionnaire's questions map back to.
  • Who Does the EU AI Act Apply To? — the role and scope test behind the first questionnaire answer.
  • EU AI Act Fines and Penalties — why a false "yes" is a risk worth avoiding.

Last updated: July 2026. Version 1.0.

Frequently Asked Questions

Why did a customer send me an EU AI Act questionnaire?+
Because your customer is a deployer of AI — or is itself answering its own customers — and the Act pushes accountability along the supply chain. Due diligence means they ask vendors to evidence how they govern AI, not just claim it. The questionnaire is that evidence request.
Am I a provider or a deployer under the EU AI Act?+
Under Article 3, you are a deployer if you use a third-party AI system under your own authority, and a provider if you build, badge or substantially modify one. Most companies answering a questionnaire are deployers of tools they bought. Get this right first — it frames every other answer.
What documents answer an EU AI Act vendor questionnaire?+
An AI systems register, transparency notices (Article 50), an internal AI use policy, and AI-literacy training records (Article 4), plus a short note on the data your AI uses. Each maps to a common question, so you attach evidence rather than write prose from scratch.
Do I have to be in the EU to receive one?+
No. The Act is extraterritorial and buyers run global supply-chain checks, so a UK, US or Swiss vendor can be asked. Whether the Act itself applies to you depends on your role and whether your AI's output is used in the EU — a separate question from answering a customer's form.
What if I have a gap — can I still answer honestly?+
Yes, and you should. Never mark a false "yes". State the honest position: the control you have, the gap, your plan and a target date. Buyers expect a maturity trajectory, not perfection, and a documented plan reads far better than an overclaim that later unravels.
Does the documentation tool make me compliant?+
No. It generates a documentation pack — register, notices, policy, literacy programme and training-record templates — as your evidence base and flags gaps to review. It is not legal advice, an audit, a certification or a conformity assessment, and it does not make you compliant by itself.

Sources

  1. 1.Regulation (EU) 2024/1689 — Artificial Intelligence Act, Article 3 (definitions, including 'provider' and 'deployer'), CELEX 32024R1689 — European Parliament and Council of the European Union · 2024↗
  2. 2.Regulation (EU) 2024/1689 — Artificial Intelligence Act, Article 4 (AI literacy), CELEX 32024R1689 — European Parliament and Council of the European Union · 2024↗
  3. 3.Regulation (EU) 2024/1689 — Artificial Intelligence Act, Article 50 (transparency obligations for providers and deployers), CELEX 32024R1689 — European Parliament and Council of the European Union · 2024↗
  4. 4.AI Act Service Desk — obligations, guidance and support along the AI value chain under the EU AI Act — European Commission — AI Act Service Desk · 2026↗

Want this run on your business?

AI Foundation Audit — a structured assessment of your AI footprint: integration risks, governance gaps, ROI opportunities. Delivered as a comprehensive report you can act on.

Start your audit →

You receive your Executive Report and Implementation Brief — tailored to your business and delivered immediately.

AI by the math. No deck, no meetings. No call. Just click.

PRODUCTS
  • AI Foundation Audit
  • All products
COMPANY
  • About
  • Contact
  • info [at] easy-audit [dot] ai
LEGAL
  • Terms of Service
  • Privacy Policy
  • AI Transparency
  • Cookie Policy
  • Complaints

© 2026 easyAI · All rights reserved. · easyAI is operated by DDN Consulting s.r.o., based in the EU.

Inspired by ISO/IEC 42001 + NIST AI RMF + EU AI Act principles. easyAI is not a certification body. Our methodology is inspired by ISO 42001 and NIST AI RMF principles; we do not provide formal certification or conformity audits.

easyAI