The “market” for AI contracting terms continues to evolve, and whilst there is no standardised approach (as much will depend on the use cases, technical features and commercial terms), a number of attempts have been made to put forward contracting models. One of the latest being from the EU’s Community of Practice on Public Procurement of AI, which published an updated version of its non-binding EU AI Model Contractual Clauses (“MCC-AI”) on March 5, 2025. The MCC-AI are template contractual clauses intended to be used by public organizations that procure AI systems developed by external suppliers.  An initial draft had been published in September 2023.  This latest version has been updated to align with the EU AI Act, which entered into force on August 1, 2024 but whose terms apply gradually in a staggered manner.  Two templates are available: one for public procurement of “high-risk” AI systems, and another for non-high-risk AI systems. A commentary, which provides guidance on how to use the MCC-AI, is also available.

In the EU, Communities of Practice are comprised of stakeholders who gather to learn and share best practice on specific topics – in this case, public procurement of AI – as they deal with them regularly.  Templates and guidance published by the Community of Practice on Public Procurement of AI are neither binding nor officially endorsed by the European Commission, but the commentary to the MCC-AI state that the European Commission “supported” the Community of Practice on Public Procurement of AI.    

The MCC-AI consists of two templates:

  • The MCC-AI-High-Risk template is intended for the procurement of AI systems classified as “high-risk” under the AI Act.  It is based on the requirements and obligations for high-risk AI systems set out in Chapter III of the AI Act.
  • The MCC-AI-Light template is intended for the procurement of AI systems that are not classified as high-risk, but may still pose risks to health, safety, or fundamental rights.  It can also be used for the procurement of other algorithmic systems that do not fall within the definition of AI systems under the AI Act but may pose similar risks.  Like the High-Risk template, MCC-AI-Light is based on the requirements in Chapter III of the AI Act.

The commentary to the MCC-AI recommends selecting and applying provisions from the template as appropriate to the specific situation, and so assumes that parties understand the use case under which their AI falls.  Although the MCC-AI were developed for use by public organizations, the commentary suggests that some clauses may also serve as a useful reference for private companies entering into contracts with external suppliers for AI systems.

Finally, the Community of Practice on Public Procurement of AI encourages public authorities that wish to use MCC-AI to report their use to the Public Sector Tech Watch.  Over 900 examples of the use of AI in the public sector have already been reported on this resource.

*          *          *

The Covington team regularly advises on structuring commercial contracts in compliance with the EU AI Act.  This is an ever-evolving area, and we will continue to monitor developments in this area.  We are happy to answer any questions you may have on this topic.

(This article was written with assistance from Ryoko Matsumoto, a Global Visiting Lawyer in our Brussels office.)

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Read more about Dan Cooper
Show more Show less
Photo of Joshua Gray Joshua Gray

Joshua Gray is a technology and data-focused lawyer with a distinctly international practice combining commercial and regulatory expertise. Joshua excels in assisting clients for deals with no precedent where technology and data are at the heart of the project.

Joshua’s practice includes structuring…

Joshua Gray is a technology and data-focused lawyer with a distinctly international practice combining commercial and regulatory expertise. Joshua excels in assisting clients for deals with no precedent where technology and data are at the heart of the project.

Joshua’s practice includes structuring and negotiating bespoke technology projects, privacy and GDPR, innovative collaborations involving the use of new (and often data-driven) technologies, and other business critical commercial transactions. Joshua provides “product counselling” to clients looking to launch new digital products and services and he routinely supports multi-jurisdictional projects covering areas such as e-commerce, consumer law, media licensing and telecoms.

Joshua otherwise advises on the full spectrum of technology transactions, including IT services agreements, outsourcing, software development and licensing, cloud computing and infrastructure, M&A and joint ventures.

Joshua has deep industry knowledge and experience in the technology, life sciences, digital health, media, telecoms and travel sectors. This experience has been bolstered through client secondments to Illumina Inc, Barclays Bank and du, a leading telecoms operator in the UAE.

Read more about Joshua Gray
Show more Show less
Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Read more about Sam Jungyun ChoiSam Jungyun's Linkedin Profile
Show more Show less