Article | 10 December 2025
Sealing the Deal: Contractual Strategies When Investing in IT and AI Solutions
In the fast-paced and highly competitive fintech industry, the timely procurement and deployment of AI solutions can unlock substantial advantages. At the same time, investing in business-critical AI involves legal and operational commitments, alongside potential contractual and technical risks. This necessitates a cross-functional approach involving technology, security, legal, and procurement expertise to ensure contractual precision and adaptability, with the aim of guaranteeing a sustainable AI solution throughout its lifecycle. This article provides insights and guidance on procuring critical IT infrastructure, systems, or services, focusing on various AI solutions, and on how to handle the associated legal and operational risks across the whole lifecycle.
PROCUREMENT OF IT COMPRISING AI SOLUTIONS
Procuring IT solutions is a continuous process that begins well before supplier engagement. A typical procurement process when investing in critical IT infrastructure, systems, or services generally involves the following steps:
- Requirement analysis;
- Requirement setting (functional and non-functional);
- Request for Proposal (“RFP”) and bid evaluation;
- Contract drafting, negotiating and signing.
Once contracted, the IT solution may be implemented and used within the company over a long period of time. Given the extended duration from the initial requirement analysis to the decommissioning of the solution, it is important that substantial work is conducted early in the process.
The requirement analysis aims to determine, inter alia, the IT type (hardware, software, data, services), preferred delivery model, necessary resources, applicable regulatory/contractual requirements, internal resource allocation, and various risk evaluations, including weighing the IT’s business criticality, sector-specific compliance (e.g., financial), external regulatory obligations (e.g., AI Act, GDPR), and the business’s current and anticipated future legal risk profile. The goal is to ensure that the IT solution is suitable and flexible to accommodate evolving business structures, as well as technical, legal, and regulatory changes.
BRIEF OVERVIEW OF AI ACT-RELATED ASPECTS
The AI Act[1] introduces a risk-based framework impacting all companies developing, exporting, importing, or deploying AI. The regulation includes prohibitions for certain AI, transparency duties, and widespread obligations for specific AI categories. Key implementation milestones are staggered, with some prohibitions applying since February 2025 and August 2025, and the bulk of the framework taking effect from August 2026.
Procuring an AI solution is essentially no different from purchasing any other IT solution, but it is important to understand that the AI Act imposes different requirements depending on your company’s role within the regulatory framework and the category of AI in question. In terms of contracts, it is therefore important to define the roles of the parties, the purpose of the AI solution, data input/output (including personal data and IP-protected material), and the necessary controls for ongoing compliance. The AI Act also interacts with existing rules (e.g., GDPR and intellectual property legislation) as well as sector-specific regulations and policies, creating a complex network of compliance requirements.
AI CONSIDERATIONS DURING THE PROCUREMENT AND THROUGH THE IT LIFECYCLE
AI-related compliance is an evolving process requiring seamless integration between a company’s internal departments and key stakeholders. Embedding and establishing internal compliance structures should begin already in the requirement analysis phase and continue as an ongoing process up until the decommissioning of the solution, with the aim of mitigating and handling overall AI-related risks, both internal and external, towards data subjects and contracting parties.
It is our general experience that the following considerations and analysis should be conducted during the respective phases of the procurement process to ensure a structured compliance process over time:
- Requirement analysis: Early in the procurement, a company should identify the AI solution type, its intended purpose, and its prospective regulatory role under the AI Act. This should include a thorough preliminary risk assessment, considering potential impacts on rights, safety, and data privacy, and necessary controls for continuous compliance.
- Requirement setting (including RFP bid evaluation): The functional and non-functional requirements of the IT/AI solution should translate the preliminary findings into concrete supplier obligations and/or contractual principles. These may encompass security standards, precise data-use parameters, and regulatory compliance. These requirements may also be included in, and form part of, the RFP to foster transparency, ensure a fair bid evaluation, and facilitate selecting suppliers that meet your IT/AI-related criteria.
- Contract drafting, negotiating and signing: The contract should effectively translate regulatory obligations, especially for AI solutions, into clear and enforceable commitments for the contractual parties. Key provisions to be included in the contract should cover, inter alia, data ownership (including customer and training data), permissible data use (including intellectual property rights and personal data protection), and supplier restrictions (e.g., prohibiting cross-tenant training). Intellectual property rights for software, models, and other outputs should be clearly described to avoid any ambiguities, alongside customary warranties and remedies for infringement. In addition to the customary provisions normally included in commercial and business-critical IT contracts, the contract should also include liability frameworks addressing the consequences of breaches of the AI Act, data misuse, and unauthorized training of the AI.
- Implementation and production phase: During the implementation and production phase, various measures should be implemented and conducted for regulatory compliance, including rolling out user training and instructions, ensuring ongoing education and policy updates, and monitoring routines and assessments. Part of this work may also include, due to the further development of the AI solution or due to changes in the company’s use thereof, reassessing and evaluating the role of the company and the category of AI under the AI Act.
BEST PRACTICE – MUST-KNOWS AND KEY TAKEAWAYS WHEN INVESTING IN IT AND AI
In summary, investing in business-critical IT/AI may involve significant legal and operational commitments, requiring the engagement of multidisciplinary teams from the organization. The complexity of IT contracts and the long duration of IT lifecycles necessitate an adaptable solution and an underlying contractual framework that is suitable both for the current and the future business. Our market experience identifies an increase in IT contract disputes and renegotiations, driven by evolving regulations, scope ambiguities, change management issues, pricing, and contract management shortcomings. Common root causes include insufficient requirement analysis, under-resourced project governance, and documentation gaps. To ensure a successful, timely project that addresses relevant sector needs and risks over time, we recommend considering the following when investing in material IT solutions:
- Project-based procurement: Our experience is that material IT/AI procurements should be handled as structured projects with defined governance and steering, from the requirement analysis through to decommissioning. This also involves establishing leadership accountability for supplier management and regulatory engagement (e.g. cybersecurity, data protection, and AI governance).
- Project management: Engaging relevant stakeholders early in the project, including legal, cybersecurity, technical, and general compliance expertise, is important to align system capabilities with your company’s overall business and regulatory objectives. To ensure this, substantive long-term planning and assessments of market, technological, and regulatory developments are required during procurement as well as during the IT lifecycle.
- Identifying and defining the contractual and regulatory commitments: Identifying the regulatory commitments and setting out the division of the parties’ responsibilities in a transparent manner is in our view material for successful cooperation. Moreover, the contract should include, inter alia, mechanisms for handling legal and technical evolution, including structured change control processes, collaboration duties, and transparent pricing adjustments.
SUMMARY
The use of IT solutions, especially solutions comprising AI, in the finance industry offers a compelling blend of opportunities. Financial institutions that successfully integrate this technology can reap significant rewards in terms of efficiency, customer satisfaction, and competitive advantage. However, one must also be cautious in addressing the risks and regulatory considerations that come with it. By following a structured procurement process and addressing relevant risks at an early stage, the finance industry can navigate the complexities of procuring and deploying AI solutions and seize the opportunities they offer with minimal risk.
[1] Regulation (EU) 2024/1689.