An overview of the European Union’s Model Contractual Clauses for Artificial Intelligence

In 2024, the European Union (EU) formally adopted the Artificial Intelligence Act (AI Act). The AI Act will be fully applicable in 2026, with some provisions currently in force. Flowing from this, in March 2025, the EU Public Buyers Community released updated Model Contractual Clauses for Artificial Intelligence (MCC-AI), including a commentary to guide its use. 

3 Sep 2025 3 min read Corporate & Commercial Alert Article

At a glance

  • In 2024, the European Union (EU) formally adopted the Artificial Intelligence Act (AI Act). The AI Act will be fully applicable in 2026, with some provisions currently in force. Flowing from this, in March 2025, the EU Public Buyers Community released updated Model Contractual Clauses for Artificial Intelligence (MCC-AI), including a commentary to guide its use. 
  • Supply chain management teams should carefully consider the application of the MCC-AI, as it provides a useful foundation for contractual provisions to procure AI solutions.
  • This article breaks down what the MCC-AI offers when procuring AI and the applicability for South Africa.

Supply chain management teams should carefully consider the application of the MCC-AI as it provides a useful foundation for contractual provisions to procure AI solutions. This article breaks down what the MCC-AI offers when procuring AI.

Overview

The MCC-AI sets out the contractual conditions that enable contracting authorities to comply with obligations under the AI Act. The MCC-AI primarily focuses on systems that are classified as “high risk” in the AI Act. These are systems that may pose a high risk to the health and safety or fundamental rights of persons. In instances where a non-high-risk system is used, a lighter and flexible version (light version) of the clauses could be used.

The MCC-AI is intended to be included in contracts as an annexure, and not used as a standalone contract. It focuses on AI-specific obligations drawn from the AI Act, which include transparency, risk management, data governance, human oversight, cybersecurity, etc. The lighter version omits stricter components such as audit rights and conformity assessments.

The table below summarises the key obligations set out in the MCC-AI. These obligations are mapped directly to the AI Act’s requirements:

15083 key obligations[97]

It is important to determine which version of the MCC-AI is required for the specific AI system. For example, if the AI system is intended to be used in in healthcare, and may process health and patient data, this may mandate the use of the high-risk clauses. Therefore, the parties must ensure that the appropriate conformity assessments are conducted, and ongoing risk monitoring measures are implemented. The light version may be used in instances where the processing of data or the AI system does not pose a high risk, for example, incorporating an AI chatbot agent to assist with queries on a website.

Analysis

The MCC-AI is a good starting point to mitigate risk when procuring AI systems. It provides a checklist to cover most of the risks present when considering the impact of AI in a business. However, the MCC-AI alone is not sufficient. For complex technology transactions, parties must consider the overall objective of the contract. Additionally, the AI system will have an impact on intellectual property, liability, warranties and data protection considerations. Therefore, any use of the MCC-AI must essentially be tailored to the specific terms and the actual risk profile of the AI system.

Adapting for South Africa

Organisations are grappling with implementing suitable AI contractual provisions. The MCC-AI will provide South African companies and multinationals with some guidance on how to address AI risk, especially those that supply or procure AI solutions from internationals vendors.

We envisage that the MCC-AI clauses can be customised for operational requirements and adapted for South African-specific legislation, including the Protection of Personal Information Act 4 of 2013 (POPIA).

POPIA will play a prominent role in terms of how to address the processing of personal data and, in particular, automatic processing of personal data. We also envisage considering how South African intellectual property laws will impact a risk-based contractual approach.

Practical recommendations

Any party that intends to use the MCC-AI must consider the following:

  • Have the MCC-AI operate as an annexure to a main agreement.
  • Adjust the terminology to include references to local laws that are applicable.
  • Decide which version of the MCC-AI is more appropriate for the AI system being procured.
  • Negotiate all other aspects of the agreement which will have a bearing on AI risk – for example, data protection, warranties, liabilities and intellectual property.
  • Ensure that the procuring party fully understands the limits and capabilities of the AI system, to ensure that all potential risks are mitigated and provided for in the contract.

Conclusion

While the MCC-AI is a solid starting point for incorporating key AI provisions when contracting for AI systems, further consideration is required to ensure AI accountability, including in terms of South Africa’s specific laws. Contracting parties should adapt them to suit their particular needs, while ensuring that any AI risks are covered.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2025 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.