AI Supply Chain Obligations Standard

Document Type: Standard Standard ID: STD-AI-017 Standard Title: AI Supply Chain Obligations Standard Version: 1.0 Effective Date: 2026-08-02 Next Review Date: 2027-08-02 Review Frequency: Annually or upon regulatory change Parent Policy: POL-AI-001 - Artificial Intelligence Policy Owner: AI Act Program Manager Approved By: AI Governance Committee Chair Status: Draft Classification: Internal Use Only

---

TABLE OF CONTENTS

1. Document History
2. Objective
3. Scope and Applicability
4. Control Standard
5. Supporting Procedures
6. Compliance
7. Roles and Responsibilities
8. Exceptions
9. Enforcement
10. Key Performance Indicators (KPIs)
11. Training Requirements
12. Definitions
13. Link with AI Act and ISO42001

---

DOCUMENT HISTORY

Version	Date	Author	Changes	Approval Date	Approved By
0.1	2026-07-01	AI Act Program Manager	Initial draft	-	-
0.2	2026-07-15	AI Act Program Manager	Added Art. 23, 24, 25 detail	-	-
0.3	2026-07-25	AI Act Program Manager	Incorporated stakeholder feedback	-	-
1.0	2026-08-02	AI Act Program Manager	Final version approved - GRC restructured	2026-08-01	Jane Doe, AI Governance Committee Chair

---

OBJECTIVE

This standard defines requirements for importers, distributors, and other actors in the AI supply chain under EU AI Act Articles 23, 24, and 25. It ensures that all participants in the value chain verify compliance before placing high-risk AI systems on the EU market or making them available, manage non-conforming systems, maintain proper storage and documentation, and correctly handle responsibility transfers.

Primary Goals:

• Ensure importers verify all compliance requirements before market placement
• Ensure distributors verify all compliance documentation before distribution
• Establish procedures for managing non-conforming AI systems
• Define storage, transport, and documentation retention requirements
• Manage value chain responsibility transfers when actors assume provider roles

---

SCOPE AND APPLICABILITY

2.1 Mandatory Applicability

This standard is mandatory for:

• Importers of high-risk AI systems into the EU market
• Distributors of high-risk AI systems within the EU market
• Any third party that places its name or trademark on a high-risk AI system
• Any party making substantial modifications to a high-risk AI system
• Any party changing the intended purpose of an AI system already placed on the market

2.2 Recommended Applicability

This standard is recommended for:

• Providers working with importers and distributors
• Authorised representatives coordinating supply chain compliance
• Product compliance teams overseeing EU market access
• Procurement and vendor management teams sourcing AI systems

2.3 Supply Chain Obligations Covered

• Importer pre-market verification (Article 23)
• Distributor pre-distribution checks (Article 24)
• Non-conformity management and market withdrawal (Articles 23(2), 24(2))
• Storage, transport, and 10-year documentation retention (Articles 23(4)-(5), 24(3))
• Value chain responsibility transfers (Article 25)

2.4 Out of Scope

• Provider obligations (covered by STD-AI-001 through STD-AI-013)
• Deployer obligations (covered by STD-AI-015, STD-AI-016)
• General-purpose AI model obligations (covered by STD-AI-015)
• Prohibited AI practices (covered by STD-AI-001)

---

CONTROL STANDARD

Control SC-001: Importer Pre-Market Verification

Control ID: SC-001 Control Name: Importer Pre-Market Verification Control Type: Preventive Control Frequency: Per import, before market placement Risk Level: High

Control Objective

Verify conformity assessment, technical documentation, CE marking, EU declaration of conformity, and authorised representative appointment before placing any high-risk AI system on the EU market, as required by Article 23(1).

Control Requirements

CR-001.1: Pre-Market Verification Checklist

Establish and apply a comprehensive verification checklist for all imported high-risk AI systems before market placement.

Verification Requirements per Article 23(1):

Verification Item	Article Reference	Verification Method	Pass Criteria
Conformity Assessment	Art. 23(1)(a)	Review conformity assessment documentation	Assessment completed by provider per Art. 43
Technical Documentation	Art. 23(1)(b)	Verify documentation package availability	Complete technical documentation available per Annex IV
Instructions for Use	Art. 23(1)(c)	Review instructions package	Instructions comply with Art. 13 requirements
CE Marking	Art. 23(1)(d)	Physical/digital inspection	CE marking affixed per Art. 48
EU Declaration of Conformity	Art. 23(1)(e)	Review declaration document	Declaration complies with Art. 47
Authorised Representative	Art. 23(1)(f)	Verify appointment documentation	Provider has appointed authorised representative per Art. 22

CR-001.2: Importer Identification Requirements

Per Article 23(3), importers must indicate on the high-risk AI system or its packaging or accompanying documentation:

• Importer name
• Registered trade name or registered trademark
• Address at which the importer can be contacted

Mandatory Actions:

• Establish verification checklist for all imported AI systems
• Verify conformity assessment completed by provider
• Verify technical documentation available and complete
• Confirm CE marking affixed to AI system
• Verify EU declaration of conformity available
• Verify authorised representative appointed by provider
• Affix importer identification to AI system or documentation
• Document verification results for each imported system

Evidence Required:

• Verification checklists (completed per system)
• Conformity assessment document copies
• Technical documentation confirmation records
• CE marking verification records
• EU declaration of conformity copies
• Authorised representative appointment records
• Importer identification affixation records
• Verification result reports

Audit Verification:

• Verify verification checklist exists and is applied to all imports
• Confirm all six Article 23(1) requirements verified per system
• Check importer identification affixed per Article 23(3)
• Validate verification results documented and retained

---

Control SC-002: Distributor Pre-Distribution Checks

Control ID: SC-002 Control Name: Distributor Pre-Distribution Checks Control Type: Preventive Control Frequency: Per distribution, before making available on market Risk Level: High

Control Objective

Verify CE marking, EU declaration of conformity, instructions for use, and upstream actor compliance before making any high-risk AI system available on the market, as required by Article 24(1).

Control Requirements

CR-002.1: Pre-Distribution Compliance Checklist

Establish and apply a comprehensive compliance checklist before making any high-risk AI system available on the market.

Distribution Verification Requirements per Article 24(1):

Verification Item	Article Reference	Verification Method	Pass Criteria
CE Marking	Art. 24(1)(a)	Physical/digital inspection	CE marking affixed per Art. 48
EU Declaration of Conformity	Art. 24(1)(b)	Review declaration document	Declaration available and compliant with Art. 47
Instructions for Use	Art. 24(1)(c)	Review instructions package	Instructions accompany AI system per Art. 13
Provider Compliance	Art. 24(1)(d)	Review provider documentation	Provider has fulfilled obligations under Art. 16
Importer Compliance	Art. 24(1)(e)	Review importer documentation	Importer has fulfilled obligations under Art. 23
Importer Identification	Art. 24(1)(f)	Verify importer details on system/packaging	Importer name, trade name, and contact address present

CR-002.2: Upstream Compliance Verification

Distributors must verify that both the provider and importer (where applicable) have fulfilled their respective obligations before distribution.

Upstream Verification Matrix:

Upstream Actor	Verification Required	Documentation to Review	Action on Failure
Provider	Art. 16 obligations met	Conformity assessment, technical documentation, CE marking	Do not distribute; notify provider
Importer	Art. 23 obligations met	Import verification records, importer identification	Do not distribute; notify importer

Mandatory Actions:

• Establish distribution compliance checklist
• Verify CE marking affixed to AI system
• Verify EU declaration of conformity available
• Verify instructions for use accompany AI system
• Confirm provider compliance with obligations
• Confirm importer compliance with obligations
• Document check results for each distributed system

Evidence Required:

• Distribution compliance checklists (completed per system)
• CE marking verification records
• EU declaration of conformity copies
• Instructions for use confirmation records
• Provider compliance verification records
• Importer compliance verification records
• Distribution check result reports

Audit Verification:

• Verify distribution checklist exists and is applied to all distributions
• Confirm all Article 24(1) requirements verified per system
• Check upstream compliance verification performed
• Validate check results documented and retained

---

Control SC-003: Non-Conformity Management

Control ID: SC-003 Control Name: Non-Conformity Management Control Type: Detective/Corrective Control Frequency: Continuous monitoring, per non-conformity event Risk Level: Critical

Control Objective

Manage non-conforming AI systems by halting market placement or distribution until conformity is achieved, and notify providers and market surveillance authorities when a risk is present, as required by Articles 23(2) and 24(2).

Control Requirements

CR-003.1: Non-Conformity Detection

Establish procedures to detect non-conformities in AI systems before and after market placement or distribution.

Non-Conformity Detection Points:

Detection Point	Actor	Trigger	Action
Pre-market verification	Importer	Verification checklist failure	Do not place on market (Art. 23(2))
Pre-distribution check	Distributor	Distribution checklist failure	Do not make available (Art. 24(2))
Post-market monitoring	Importer/Distributor	Complaint, incident, or audit finding	Initiate non-conformity process
Authority notification	Importer/Distributor	Market surveillance authority contact	Respond and cooperate

CR-003.2: Non-Conformity Response Process

When a non-conformity is identified, follow the structured response process:

Step	Action	Responsible	Timeline	Documentation
1. Identify	Detect and record non-conformity	Importer/Distributor	Immediately	Non-conformity report
2. Halt	Stop market placement or distribution	Importer/Distributor	Immediately	Halt notice
3. Assess	Evaluate risk to health, safety, fundamental rights	Importer/Distributor	Within 24 hours	Risk assessment
4. Notify Provider	Inform provider of non-conformity	Importer/Distributor	Within 24 hours	Provider notification
5. Notify Authorities	If risk present, notify market surveillance authorities	Importer/Distributor	Without delay	Authority notification
6. Corrective Action	Implement corrective actions or withdraw/recall	Importer/Distributor + Provider	Per action plan	Corrective action records
7. Verify	Confirm conformity restored	Importer/Distributor	Before resuming	Verification records
8. Close	Close non-conformity and document lessons	Importer/Distributor	Upon resolution	Closure documentation

CR-003.3: Authority Notification Requirements

Per Articles 23(2) and 24(2), when an AI system presents a risk, importers and distributors must notify:

• Market surveillance authorities of the Member States in which the system was made available
• The provider or importer (as applicable)
• Details of the non-conformity and any corrective actions taken

Mandatory Actions:

• Establish non-conformity detection procedures
• Halt placement on market or distribution of non-conforming AI systems
• Notify provider of non-conformity and corrective actions needed
• Notify market surveillance authorities when AI system presents a risk
• Implement corrective actions to bring system into conformity
• Maintain non-conformity register with status tracking
• Document all notifications and corrective actions taken

Evidence Required:

• Non-conformity detection procedure documentation
• Non-conformity reports and registers
• Market placement or distribution halt notices
• Provider notification records
• Market surveillance authority notification records
• Corrective action records and closure documentation
• Non-conformity resolution records

Audit Verification:

• Verify non-conformity detection procedures established
• Confirm halt procedures applied for non-conforming systems
• Check authority notifications issued when risk present
• Validate corrective actions implemented and verified
• Review non-conformity register for completeness

---

Control SC-004: Storage, Transport, and Documentation Retention

Control ID: SC-004 Control Name: Storage, Transport, and Documentation Retention Control Type: Preventive Control Frequency: Continuous, annual review Risk Level: Medium

Control Objective

Ensure storage and transport conditions preserve AI system compliance, and retain all required documentation for a minimum of 10 years after the AI system has been placed on the market, as required by Articles 23(4)-(5) and 24(3).

Control Requirements

CR-004.1: Storage and Transport Conditions

Per Article 23(4), while an imported high-risk AI system is under the responsibility of the importer, storage and transport conditions must not jeopardise compliance with the requirements set out in Chapter III, Section 2.

Storage and Transport Requirements:

Requirement	Description	Controls	Monitoring
Physical Storage	Secure, climate-controlled storage for physical AI system components	Access control, environmental monitoring	Continuous
Digital Storage	Secure storage for software-based AI systems and documentation	Access control, backup, encryption	Continuous
Transport Conditions	Conditions during transport that preserve system integrity	Packaging standards, handling procedures	Per shipment
Chain of Custody	Documented transfer of responsibility during storage/transport	Handover documentation, tracking	Per transfer
Environmental Controls	Temperature, humidity, and other environmental factors	Environmental monitoring systems	Continuous

CR-004.2: Documentation Retention

Per Articles 23(5) and 24(3), importers and distributors must keep documentation available for a period of 10 years after the AI system has been placed on the market or put into service.

Documentation Retention Schedule:

Document Type	Retention Period	Format	Storage	Access
EU Declaration of Conformity	10 years from market placement	Original or certified copy	Secure document management system	Competent authorities on request
CE Certificates	10 years from market placement	Original or certified copy	Secure document management system	Competent authorities on request
Instructions for Use	10 years from market placement	Original or certified copy	Secure document management system	Competent authorities on request
Technical Documentation	10 years from market placement	Copy as provided by provider	Secure document management system	Competent authorities on request
Verification/Check Records	10 years from market placement	Original records	Secure document management system	Internal audit, competent authorities
Non-Conformity Records	10 years from market placement	Original records	Secure document management system	Internal audit, competent authorities
Correspondence with Providers	10 years from market placement	Original records	Secure document management system	Internal audit, competent authorities

Mandatory Actions:

• Define storage conditions that preserve AI system compliance
• Define transport conditions that preserve AI system compliance
• Implement environmental controls for storage facilities
• Retain CE certificates for 10 years after system placed on market
• Retain instructions for use for 10 years after system placed on market
• Retain EU declarations of conformity for 10 years
• Implement document management system for retention tracking
• Conduct periodic reviews of storage and documentation compliance

Evidence Required:

• Storage and transport procedures
• Environmental monitoring records
• Storage facility compliance records
• Document retention schedule
• Document management system records
• 10-year retention verification records
• Periodic review reports

Audit Verification:

• Verify storage and transport procedures established
• Confirm environmental controls in place and monitored
• Check documentation retained per retention schedule
• Validate document management system operational
• Review periodic compliance reviews conducted

---

Control SC-005: Value Chain Responsibility Transfer

Control ID: SC-005 Control Name: Value Chain Responsibility Transfer Control Type: Preventive Control Frequency: Per event, continuous monitoring Risk Level: High

Control Objective

Manage scenarios where a distributor, importer, deployer, or other third party becomes the provider by placing their name or trademark on an AI system, making substantial modifications, or changing the intended purpose, as defined in Article 25.

Control Requirements

CR-005.1: Responsibility Transfer Triggers

Per Article 25(1), any distributor, importer, deployer, or other third party shall be considered a provider of a high-risk AI system and shall be subject to the obligations of the provider under Article 16 where they:

Responsibility Transfer Trigger Matrix:

Trigger	Article Reference	Description	Example
Name/Trademark Placement	Art. 25(1)(a)	Put their name or trademark on a high-risk AI system already placed on the market or put into service	Rebranding an AI system under own brand
Substantial Modification	Art. 25(1)(b)	Make a substantial modification to a high-risk AI system already placed on the market or put into service	Significant changes to algorithms, training data, or intended function
Intended Purpose Change	Art. 25(1)(c)	Modify the intended purpose of an AI system, including a general-purpose AI system, which has not been classified as high-risk, in a way that makes it high-risk	Repurposing a general AI tool for a high-risk use case listed in Annex III

CR-005.2: Substantial Modification Assessment

When a potential modification is identified, assess whether it constitutes a substantial modification triggering provider obligations.

Substantial Modification Assessment Criteria:

Assessment Factor	Indicators of Substantial Modification	Indicators of Non-Substantial Modification
Algorithm Changes	Retraining with significantly different data; fundamental architecture changes	Bug fixes; minor parameter tuning
Intended Purpose	New use case; different target population; new risk category	Same use case with improved performance
Performance Impact	Significant changes to accuracy, robustness, or safety metrics	Minor performance improvements within spec
Risk Profile	Changes to risk classification; new risks introduced	Risk profile unchanged
Compliance Impact	Original conformity assessment no longer valid	Original conformity assessment still valid

CR-005.3: Provider Obligation Assumption

When a responsibility transfer is triggered, the new provider must:

Obligation	Article Reference	Action Required	Timeline
Notify Original Provider	Art. 25(2)	Inform original provider of assumption of provider role	Before market placement
Conformity Assessment	Art. 43	Conduct new conformity assessment	Before market placement
Technical Documentation	Art. 11, Annex IV	Update or create technical documentation	Before market placement
Quality Management	Art. 17	Establish quality management system	Before market placement
CE Marking	Art. 48	Affix CE marking under own responsibility	Before market placement
EU Declaration	Art. 47	Issue new EU declaration of conformity	Before market placement
Registration	Art. 49	Register in EU database	Before market placement
Post-Market Monitoring	Art. 72	Establish post-market monitoring system	Before market placement

Mandatory Actions:

• Monitor for responsibility transfer trigger events
• Assess whether modifications constitute substantial modifications
• Document any name or trademark changes applied to AI systems
• Identify changes to intended purpose of AI systems
• Assume full provider obligations when responsibility transfer is triggered
• Notify original provider when responsibility transfer occurs
• Establish procedures for transitioning to provider obligations

Evidence Required:

• Responsibility transfer trigger monitoring records
• Modification assessment documentation
• Name or trademark change records
• Intended purpose change documentation
• Provider obligation compliance records post-transfer
• Original provider notification records
• Responsibility transfer procedure documentation

Audit Verification:

• Verify trigger monitoring procedures established
• Confirm modification assessments conducted when applicable
• Check provider obligations assumed when transfer triggered
• Validate original provider notified of transfer
• Review completeness of post-transfer compliance documentation

---

SUPPORTING PROCEDURES

This standard is implemented through the following detailed procedures:

Procedure PROC-AI-SUPPLY-001: Importer Verification Procedure

Purpose: Define step-by-step process for importer pre-market verification Owner: AI Act Program Manager Implements: Control SC-001

Procedure Steps:

1. Receive AI system import request
2. Apply pre-market verification checklist (SC-001)
3. Verify all Article 23(1) requirements
4. Affix importer identification per Article 23(3)
5. Document verification results
6. Approve or reject market placement

Outputs:

• Completed verification checklists
• Verification result reports
• Market placement approval/rejection records

---

Procedure PROC-AI-SUPPLY-002: Distributor Compliance Procedure

Purpose: Define step-by-step process for distributor pre-distribution checks Owner: AI Act Program Manager Implements: Control SC-002

Procedure Steps:

1. Receive AI system distribution request
2. Apply pre-distribution compliance checklist (SC-002)
3. Verify all Article 24(1) requirements
4. Verify upstream actor compliance
5. Document check results
6. Approve or reject distribution

Outputs:

• Completed distribution checklists
• Upstream compliance verification records
• Distribution approval/rejection records

---

Procedure PROC-AI-SUPPLY-003: Non-Conformity Management Procedure

Purpose: Define process for managing non-conforming AI systems Owner: AI Act Program Manager Implements: Control SC-003

Procedure Steps:

1. Detect and record non-conformity
2. Halt market placement or distribution immediately
3. Assess risk to health, safety, and fundamental rights
4. Notify provider of non-conformity
5. Notify market surveillance authorities if risk present
6. Implement corrective actions
7. Verify conformity restored
8. Close non-conformity and document lessons learned

Outputs:

• Non-conformity reports
• Halt notices
• Authority notification records
• Corrective action records
• Closure documentation

---

Procedure PROC-AI-SUPPLY-004: Storage, Transport, and Retention Procedure

Purpose: Define process for storage, transport, and documentation retention Owner: AI Act Program Manager Implements: Control SC-004

Procedure Steps:

1. Define storage and transport conditions per system type
2. Implement environmental controls
3. Record all documentation in document management system
4. Apply 10-year retention schedule
5. Conduct periodic compliance reviews
6. Provide documentation to authorities on request

Outputs:

• Storage and transport procedures
• Environmental monitoring records
• Document retention records
• Compliance review reports

---

Procedure PROC-AI-SUPPLY-005: Responsibility Transfer Procedure

Purpose: Define process for managing value chain responsibility transfers Owner: AI Act Program Manager Implements: Control SC-005

Procedure Steps:

1. Monitor for responsibility transfer trigger events
2. Assess whether trigger criteria are met
3. Conduct substantial modification assessment if applicable
4. Notify original provider of responsibility transfer
5. Assume full provider obligations under Article 16
6. Conduct conformity assessment and obtain CE marking
7. Register in EU database
8. Establish post-market monitoring

Outputs:

• Trigger assessment records
• Modification assessment documentation
• Provider notification records
• Post-transfer compliance records

---

COMPLIANCE

5.1 Compliance Monitoring

Monitoring Approach: Continuous automated monitoring supplemented by monthly manual reviews and quarterly comprehensive audits.

Compliance Metrics:

Metric	Target	Measurement Method	Frequency	Owner
Pre-Market Verification Rate	100%	% of imported systems verified before placement	Quarterly	AI Act Program Manager
Distribution Compliance Rate	100%	% of distributed systems with verified documentation	Quarterly	AI Act Program Manager
Non-Conformity Response Time	< 24 hours	Time from detection to halt and notification	Per event	AI Act Program Manager
Documentation Retention Compliance	100%	% of required documentation retained for 10 years	Annually	AI Act Program Manager
Responsibility Transfer Detection Rate	100%	% of transfer triggers identified and acted upon	Quarterly	AI Act Program Manager

Monitoring Tools:

• Supply Chain Compliance Management System
• Document Management System
• Non-Conformity Register
• Monthly compliance reports
• Quarterly AI Governance Committee reviews

---

5.2 Internal Audit Requirements

Audit Frequency: Annually (minimum)

Audit Scope:

• Importer verification completeness and accuracy
• Distributor check completeness and accuracy
• Non-conformity management effectiveness
• Storage, transport, and documentation retention compliance
• Responsibility transfer identification and management
• Controls effectiveness (SC-001 through SC-005)

Audit Activities:

• Review 100% of import verification records
• Review 100% of distribution check records
• Sample 100% of non-conformity records
• Test documentation retention system
• Review responsibility transfer assessments
• Interview supply chain personnel

Audit Outputs:

• Annual AI Supply Chain Obligations Audit Report
• Findings and recommendations
• Corrective action plans for deficiencies

---

5.3 External Audit / Regulatory Inspection

Preparation:

• Maintain audit-ready supply chain documentation at all times
• Designate AI Act Program Manager and Legal as regulatory liaisons
• Prepare standard response procedures for authority requests

Provide to Auditors/Regulators:

• Import verification records
• Distribution check records
• Non-conformity reports and corrective actions
• Storage and transport procedures
• 10-year documentation retention records
• Responsibility transfer documentation
• Internal audit reports
• Evidence of controls execution

Authority Request Response:

• Acknowledge request within 1 business day
• Provide requested documentation within 5 business days
• Coordinate through Legal and AI Act Program Manager
• Document all interactions with authorities

---

ROLES AND RESPONSIBILITIES

6.1 RACI Matrix

Activity	AI Act Program Manager	Supply Chain Manager	Legal	Quality Manager	AI Governance Committee
Importer Pre-Market Verification	A	R	C	C	I
Distributor Pre-Distribution Checks	A	R	C	C	I
Non-Conformity Management	A	R	R	C	I
Storage/Transport Management	A	R	I	C	I
Documentation Retention	A	R	C	C	I
Responsibility Transfer Management	A	R	R	C	R
Authority Notifications	R	C	R	I	I
Internal Audit	C	C	C	R	A

RACI Legend:

• R = Responsible (does the work)
• A = Accountable (ultimately answerable)
• C = Consulted (provides input)
• I = Informed (kept up-to-date)

---

6.2 Role Descriptions

AI Act Program Manager

• Primary Responsibility: Owns supply chain obligations framework, ensures compliance with Articles 23, 24, and 25
• Key Activities:
  • Establishes supply chain compliance framework
  • Oversees importer and distributor compliance
  • Manages authority notifications
  • Reports to AI Governance Committee
• Required Competencies: EU AI Act expertise, supply chain management, regulatory compliance

Supply Chain Manager

• Primary Responsibility: Executes supply chain compliance activities
• Key Activities:
  • Conducts pre-market verifications (importers)
  • Conducts pre-distribution checks (distributors)
  • Manages storage and transport conditions
  • Maintains documentation retention system
• Required Competencies: Supply chain operations, compliance verification, documentation management

Legal

• Primary Responsibility: Provides legal guidance on supply chain obligations and responsibility transfers
• Key Activities:
  • Advises on responsibility transfer triggers
  • Reviews authority notifications
  • Supports non-conformity management
  • Ensures regulatory compliance
• Required Competencies: EU AI Act legal requirements, product liability, regulatory law

Quality Manager

• Primary Responsibility: Ensures quality standards across supply chain activities
• Key Activities:
  • Conducts internal audits
  • Reviews verification and check procedures
  • Monitors non-conformity management
  • Validates corrective actions
• Required Competencies: Quality management, auditing, conformity assessment

AI Governance Committee

• Primary Responsibility: Provides oversight and governance of supply chain obligations
• Key Activities:
  • Reviews quarterly compliance reports
  • Approves responsibility transfer decisions
  • Oversees internal audit results
  • Escalates critical issues to executive management
• Required Competencies: AI governance, risk management, strategic oversight

---

EXCEPTIONS

7.1 Exception Philosophy

Supply chain compliance under Articles 23, 24, and 25 is a critical regulatory requirement. Exceptions are granted restrictively and only where compensating controls adequately mitigate risks. Non-compliance may result in penalties of up to EUR 15 million or 3% of global annual turnover.

---

7.2 Allowed Exceptions

The following exceptions may be granted with proper justification and approval:

Exception Type	Justification Required	Maximum Duration	Approval Authority	Compensating Controls
Extended Verification Timeline	Complex system requiring additional verification time	15 business days	AI Act Program Manager	System not placed on market until verification complete; interim monitoring
Alternative Documentation Format	Provider documentation in non-standard format	Permanent	AI Act Program Manager	Document equivalence assessment; format conversion where possible
Delegated Verification	Third-party conducts verification on behalf of importer/distributor	Permanent	AI Governance Committee	Third-party qualification verified; oversight maintained; results reviewed

---

7.3 Prohibited Exceptions

The following exceptions cannot be granted under any circumstances:

• Skipping pre-market verification - Mandatory per Article 23(1), no exceptions
• Skipping pre-distribution checks - Mandatory per Article 24(1), no exceptions
• Placing non-conforming systems on market - Prohibited per Articles 23(2) and 24(2)
• Failing to notify authorities of risk - Mandatory per Articles 23(2) and 24(2)
• Reducing documentation retention below 10 years - Mandatory per Articles 23(5) and 24(3)
• Ignoring responsibility transfer triggers - Mandatory per Article 25

---

7.4 Exception Request Process

Step 1: Submit Exception Request

• Complete Exception Request Form (FORM-AI-EXCEPTION-001)
• Include business justification
• Propose compensating controls
• Specify duration requested
• Attach risk assessment

Step 2: Risk Assessment

• AI Act Program Manager assesses risk of granting exception
• Evaluates adequacy of compensating controls
• Documents residual risk
• Assesses regulatory exposure

Step 3: Approval

• Route to appropriate approval authority based on exception type
• AI Act Program Manager approval: Minor exceptions (extended timelines)
• AI Act Program Manager + AI Governance Committee: Significant exceptions (delegated activities)
• AI Governance Committee: Critical exceptions

Step 4: Documentation and Monitoring

• Document exception in Exception Register
• Assign exception owner
• Set review date
• Monitor compensating controls
• Report exceptions quarterly to AI Governance Committee

Step 5: Exception Review and Closure

• Review exception at specified review date
• Assess if exception still needed
• Close exception when normal process restored
• Document lessons learned

---

ENFORCEMENT

8.1 Non-Compliance Consequences

Violation	Severity	Consequence	Remediation Required
Placing non-conforming system on market	Critical	Immediate market withdrawal; regulatory notification	Full conformity verification before re-placement
Distributing without pre-distribution checks	Critical	Immediate distribution halt; investigation	Complete all checks; corrective action plan
Failure to notify authorities of risk	Critical	Immediate escalation to Legal and executive management	Retrospective notification; root cause analysis
Missing pre-market verification	High	Market placement suspended until verified	Complete verification within 5 business days
Documentation retention failure	High	Immediate remediation; gap assessment	Recover or reconstruct documentation; system review
Missing responsibility transfer assessment	High	Immediate assessment required	Complete assessment; assume obligations if triggered
Storage/transport non-compliance	Medium	Corrective action required	Update procedures; re-verify system compliance

---

8.2 Escalation Procedures

Level 1: AI Act Program Manager

• Minor procedural deviations
• Documentation gaps < 5 items
• Action: Written warning, corrective action required within 10 business days

Level 2: AI Act Program Manager + AI Governance Committee

• Repeated violations
• Missed verifications or checks
• Action: Formal review, corrective action plan, management notification

Level 3: AI Governance Committee

• Critical compliance failures
• Non-conforming systems placed on market or distributed
• Action: Immediate halt, investigation, disciplinary action

Level 4: Executive Management + Legal

• Potential regulatory enforcement action
• Authority notification or inspection
• Significant legal liability (up to EUR 15 million or 3% of global turnover)
• Action: Executive crisis management, legal strategy, regulatory engagement

---

8.3 Immediate Escalation Triggers

Escalate immediately to AI Governance Committee + Legal if:

• Non-conforming high-risk AI system placed on EU market or distributed
• Market surveillance authority initiates investigation
• Risk to health, safety, or fundamental rights identified in supply chain
• Responsibility transfer trigger identified but not acted upon
• Regulatory inquiry or inspection related to supply chain obligations

---

8.4 Regulatory Penalties

Non-compliance with importer and distributor obligations under Articles 23 and 24 may result in administrative fines of up to EUR 15,000,000 or, if the offender is an undertaking, up to 3% of its total worldwide annual turnover for the preceding financial year, whichever is higher (Article 99(4)).

---

KEY PERFORMANCE INDICATORS (KPIs)

9.1 Supply Chain KPIs

KPI ID	KPI Name	Definition	Target	Measurement Method	Frequency	Owner	Reporting To
KPI-SC-001	Pre-Market Verification Rate	% of imported AI systems verified before market placement	100%	(# verified / # imported) x 100	Quarterly	AI Act Program Manager	AI Governance Committee
KPI-SC-002	Distribution Compliance Rate	% of distributed AI systems with verified compliance documentation	100%	(# compliant / # distributed) x 100	Quarterly	AI Act Program Manager	AI Governance Committee
KPI-SC-003	Documentation Retention Compliance	% of required documentation retained for 10-year period	100%	(# compliant / # required) x 100	Annually	AI Act Program Manager	AI Governance Committee
KPI-SC-004	Non-Conformity Response Time	Average time from detection to halt and notification	< 24 hours	Average response time	Per event	AI Act Program Manager	Management
KPI-SC-005	Responsibility Transfer Detection Rate	% of transfer triggers identified and acted upon	100%	(# detected / # total triggers) x 100	Quarterly	AI Act Program Manager	AI Governance Committee

---

9.2 KPI Dashboards and Reporting

Real-Time Dashboard (AI Act Program Manager access)

• Current import verification status
• Current distribution check status
• Open non-conformities
• Documentation retention status
• Responsibility transfer events

Monthly Management Report

• KPI-SC-001, KPI-SC-002, KPI-SC-004
• Trend analysis (vs. previous month)
• Issues and risks
• Planned actions

Quarterly AI Governance Committee Report

• All KPIs
• Supply chain compliance assessment
• Non-conformity management review
• Internal audit findings (if conducted)
• Exception register review

Annual Executive Report

• Full-year KPI performance
• Supply chain compliance maturity assessment
• Strategic recommendations
• Regulatory outlook

---

9.3 KPI Thresholds and Alerts

KPI	Green (Good)	Yellow (Warning)	Red (Critical)	Alert Action
Pre-Market Verification Rate	100%	95-99%	< 95%	Red: Immediate escalation to AI Governance Committee Chair
Distribution Compliance Rate	100%	95-99%	< 95%	Red: Immediate escalation to AI Governance Committee Chair
Documentation Retention Compliance	100%	95-99%	< 95%	Yellow: Remediation plan; Red: Escalate to AI Governance Committee
Non-Conformity Response Time	< 24 hours	24-48 hours	> 48 hours	Red: Immediate escalation to AI Governance Committee
Responsibility Transfer Detection Rate	100%	90-99%	< 90%	Red: Immediate investigation and escalation

---

TRAINING REQUIREMENTS

10.1 Training Program Overview

All personnel involved in AI supply chain activities must complete role-specific training to ensure competency in import verification, distribution checks, non-conformity management, documentation retention, and responsibility transfer assessment.

---

10.2 Role-Based Training Requirements

Role	Training Course	Duration	Content	Frequency	Assessment Required
AI Act Program Manager	Supply Chain Compliance Expert Training	16 hours	EU AI Act Articles 23, 24, 25; Supply chain obligations; Authority relations	Initial + annually	Yes - Written exam (>=90%)
Supply Chain Manager	Supply Chain Verification Training	12 hours	Verification procedures; Distribution checks; Documentation retention; Non-conformity management	Initial + annually	Yes - Practical exercise + Written exam (>=85%)
Legal	Supply Chain Legal Training	8 hours	Articles 23, 24, 25 legal requirements; Responsibility transfers; Penalty framework	Initial + annually	Yes - Written exam (>=90%)
Quality Manager	Supply Chain Audit Training	8 hours	Audit procedures; Verification standards; Non-conformity assessment	Initial + annually	Yes - Practical exercise
Warehouse/Logistics Staff	Storage and Transport Training	4 hours	Storage conditions; Transport requirements; Environmental controls	Initial + annually	Yes - Knowledge check (>=80%)

---

10.3 Training Content by Topic

Importer Obligations (Article 23)

• Pre-market verification requirements
• Conformity assessment verification
• CE marking and documentation checks
• Importer identification requirements
• Non-conformity response procedures

Distributor Obligations (Article 24)

• Pre-distribution check requirements
• Upstream compliance verification
• Distribution documentation requirements
• Non-conformity response procedures

Responsibility Transfers (Article 25)

• Transfer trigger identification
• Substantial modification assessment
• Provider obligation assumption process
• Notification requirements

Documentation and Retention

• 10-year retention requirements
• Document management systems
• Authority request response procedures

---

10.4 Training Delivery Methods

Initial Training:

• Instructor-led classroom or virtual training
• Includes interactive exercises and case studies
• Hands-on practice with verification checklists
• Group discussions of supply chain compliance scenarios

Annual Refresher:

• E-learning modules for core content review
• Live update sessions for regulatory changes
• Case study reviews of recent supply chain activities
• Knowledge assessment

On-the-Job Training:

• Mentoring for new supply chain staff
• Supervised verification for first 5 import/distribution events
• Job shadowing during non-conformity management

Just-in-Time Training:

• Quick reference guides for verification checklists
• Video tutorials on specific procedures
• Help desk support from experienced compliance staff

---

10.5 Training Effectiveness Measurement

Assessment Methods:

• Written exams for knowledge retention
• Practical exercises for verification skill application
• On-the-job observations for competency validation
• Feedback surveys for training quality

Competency Validation:

• Supply Chain Manager: Must demonstrate ability to complete 3 verifications independently with 100% accuracy before unsupervised work
• All supply chain staff: Must pass knowledge assessments with minimum required scores

Training Metrics:

Metric	Target	Frequency
Training completion rate	100%	Quarterly
Assessment pass rate (first attempt)	>= 90%	Per training
Training effectiveness score (survey)	>= 4.0/5.0	Per training
Time to competency (Supply Chain Manager)	< 30 days	Per person

---

10.6 Training Records

Records Maintained:

• Training attendance records
• Assessment scores
• Competency validations
• Refresher training completion
• Individual training transcripts

Retention: 10 years (to align with EU AI Act documentation retention)

Access: AI Act Program Manager, HR, Internal Audit, Competent Authorities (upon request)

---

DEFINITIONS

Term	Definition	Source
Importer	Any natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country	EU AI Act Article 3(6)
Distributor	Any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market	EU AI Act Article 3(7)
Provider	A natural or legal person that develops or has an AI system developed and places it on the market or puts it into service under its own name or trademark	EU AI Act Article 3(3)
Placing on the Market	The first making available of an AI system on the Union market	EU AI Act Article 3(9)
Making Available on the Market	Any supply of an AI system for distribution or use on the Union market in the course of a commercial activity	EU AI Act Article 3(10)
Substantial Modification	A change to an AI system after its placing on the market or putting into service which is not foreseen or planned in the initial conformity assessment carried out by the provider and as a result of which the compliance of the AI system with the requirements set out in Chapter III, Section 2 is affected or the intended purpose for which the AI system has been assessed is modified	EU AI Act Article 3(23)
Authorised Representative	Any natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI system to, respectively, carry out and perform the obligations and procedures established by this Regulation on behalf of that provider	EU AI Act Article 3(5)
Conformity Assessment	The process of demonstrating whether the requirements set out in Chapter III, Section 2 relating to a high-risk AI system have been fulfilled	EU AI Act Article 3(20)
CE Marking	A marking by which a provider indicates that an AI system is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation providing for its affixing	EU AI Act Article 3(24)
EU Declaration of Conformity	A declaration by the provider that the AI system is in conformity with the requirements set out in Chapter III, Section 2	EU AI Act Article 47
Market Surveillance Authority	The national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020	EU AI Act Article 3(26)

---

LINK WITH AI ACT AND ISO42001

12.1 EU AI Act Regulatory Mapping

This standard implements the following EU AI Act requirements:

EU AI Act Provision	Article	Requirement Summary	Implemented By (Controls)
Importer Obligations	Article 23(1)	Verify conformity assessment, documentation, CE marking, declaration, authorised representative before market placement	SC-001
Importer Non-Conformity	Article 23(2)	Do not place non-conforming system on market; notify provider and authorities	SC-003
Importer Identification	Article 23(3)	Indicate importer name, trade name, address on system or documentation	SC-001
Importer Storage/Transport	Article 23(4)	Ensure storage and transport conditions preserve compliance	SC-004
Importer Documentation Retention	Article 23(5)	Retain documentation for 10 years	SC-004
Distributor Obligations	Article 24(1)	Verify CE marking, declaration, instructions, and upstream compliance before distribution	SC-002
Distributor Non-Conformity	Article 24(2)	Do not distribute non-conforming system; notify provider/importer and authorities	SC-003
Distributor Documentation Retention	Article 24(3)	Retain documentation for 10 years	SC-004
Responsibility Transfer	Article 25(1)	Actors become providers when placing name/trademark, making substantial modifications, or changing intended purpose	SC-005
Transfer Notification	Article 25(2)	Notify original provider when assuming provider obligations	SC-005

---

12.2 ISO/IEC 42001:2023 Alignment

This standard aligns with ISO/IEC 42001:2023 as follows:

ISO 42001 Clause	Requirement	Implementation in This Standard
Clause 8.1: Operational Planning and Control	Plan, implement, and control processes	SC-001, SC-002, SC-004
Clause 8.4: Externally Provided Processes, Products and Services	Control externally provided processes	SC-001, SC-002, SC-005
Clause 10.1: Nonconformity and Corrective Action	Address nonconformities	SC-003
Clause 7.5: Documented Information	Maintain documented information	SC-004

---

12.3 Relationship to Other Standards

This AI supply chain obligations standard integrates with other AI Act standards:

Related Standard	Integration Point	Rationale
STD-AI-001: Classification	Risk classification determines supply chain obligations	Importer/distributor obligations apply to high-risk systems
STD-AI-004: Technical Documentation	Documentation verified during import/distribution	Importers and distributors verify documentation completeness
STD-AI-010: Conformity Assessment	Conformity assessment verified by importers	Importers verify provider has completed conformity assessment
STD-AI-011: Registration	Registration required when assuming provider role	Responsibility transfer triggers registration obligation
STD-AI-012: Post-Market Monitoring	Post-market monitoring required when assuming provider role	Responsibility transfer triggers post-market monitoring obligation
STD-AI-013: Incident Management	Incidents in supply chain trigger notification	Non-conformities may constitute reportable incidents

---

12.4 References and Related Documents

EU AI Act (Regulation (EU) 2024/1689):

• Article 23: Obligations of importers of high-risk AI systems
• Article 24: Obligations of distributors of high-risk AI systems
• Article 25: Responsibilities along the AI value chain
• Article 99(4): Administrative fines for importer/distributor non-compliance

ISO/IEC Standards:

• ISO/IEC 42001:2023: Information technology - Artificial intelligence - Management system

Internal Documents:

• POL-AI-001: Artificial Intelligence Policy (parent policy)
• STD-AI-001: AI System Classification Standard
• STD-AI-004: AI Technical Documentation Standard
• STD-AI-010: AI Conformity Assessment Standard
• STD-AI-011: AI Registration Standard
• STD-AI-012: AI Post-Market Monitoring Standard
• STD-AI-013: AI Incident Management Standard
• PROC-AI-SUPPLY-001 through -005: Supply chain procedures

---

APPROVAL AND AUTHORIZATION

Role	Name	Title	Signature	Date
Prepared By	AI Act Program Manager	AI Act Program Manager	_________________	________
Reviewed By	Sarah Johnson	AI Act Program Manager	_________________	________
Reviewed By	Jane Doe	Chief Strategy & Risk Officer	_________________	________
Approved By	Jane Doe	AI Governance Committee Chair	_________________	________

Effective Date: 2026-08-02 Next Review Date: 2027-08-02 Review Frequency: Annually or upon regulatory change

---

END OF STANDARD STD-AI-017

---

This standard is a living document. Feedback and improvement suggestions should be directed to the AI Act Program Manager.