An AI clause regulates rights and obligations regarding the use of artificial intelligence within a commercial relationship. Since the EU AI Act came into force, entrepreneurs have had to deal with it—as suppliers, developers, or users. In our practice, we advise clients on contracts for AI tools (chatbots, generative models, decision-making systems). Good AI clauses regulate responsibility, liability, data, and EU compliance. Awkward wording actually creates new risks.
What is the legal problem?
AI systems introduce new risks: unpredictable output, bias, hallucination, data loss, and regulatory requirements. Who is responsible if an AI system causes damage? Who trains on which data? Who has rights to the output? The EU AI Act imposes strict requirements on high-risk AI and general-purpose AI. Without clear contractual agreements, a stalemate arises regarding liability and compliance.
What does the law say?
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 with phased implementation. Ban on prohibited AI since 2 February 2025. General-purpose AI obligations since 2 August 2025. High-risk AI obligations from 2 August 2026. Fines up to 35 million euros or 7 percent of global turnover (Article 99). The AI Liability Directive (proposal COM/2022/496) eases the burden of proof for damage claims.
GDPR (Regulation 2016/679) continues to apply to the processing of personal data. Product liability is governed by the new Directive (EU) 2024/2853, which also explicitly covers software and AI.
What risks do companies face?
Fines under the EU AI Act run up to 7 percent of global turnover. Uncertainty regarding IP rights on output leads to conflicts and licensing costs. Misuse of confidential data in training can result in GDPR fines. Liability for faulty output can fall to you via Product Liability Directive 2024/2853. Without contractual delimitation, parties bear risks they cannot foresee.
Practical example from our practice
We advised a Dutch company that deployed an AI vendor for automated credit assessments — a high-risk application under Annex III of Regulation 2024/1689. The old contract did not regulate role assignment, data ownership, or liability for bias. In the event of complaints and fines, the parties blamed each other. During the renegotiation, we built in: a clear division of roles (vendor as provider, client as deployer), exclusion of training use on client data, and indemnification for AI Act compliance, logging, and monitoring. Risk made manageable.
What can you do?
Determine who is the provider and who is the deployer under Article 3 of the EU AI Act. Regulate data input, data usage for training, and ownership of output. Build restrictions on usage (no high-risk without agreement). Add obligations regarding logging, monitoring, and transparency (Article 12 of the AI Act). Agree on liability and indemnification. Align with GDPR, sector rules, and export controls. See also our article on Data Ownership in International Cooperation.