Third Party & Supply Chain

Control statements and requirements for third party & supply chain.

Third-Party Provider Responsibilities (TP-1)

The organisation shall establish clear accountability for AI systems when working with third parties, distributors, importers, or suppliers. This includes documenting who is responsible when an AI system is modified or repurposed, ensuring obligations are formally handed over between parties, and maintaining evidence of the agreed responsibilities. The organisation shall obtain the information and technical access it needs from third-party suppliers to demonstrate regulatory compliance, while respecting the supplier's confidentiality and intellectual property rights.

ISO 42001: A.10.2
ISO 27001: A.15.1
ISO 27701: 15.2.1, A.7.2.6-A.7.2.7, B.8.5.6-B.8.5.8
EU AI Act: 25.1, 25.2, 25.3, 25.4
NIST RMF: Map 4.1, Govern 6.1
SOC 2: CC2.3

Supplier Risk Management (TP-2)

The organisation shall implement processes to identify, assess, manage, and monitor the risks associated with third-party AI suppliers and service providers throughout the engagement lifecycle. This includes evaluating supplier capabilities during selection, setting security and privacy requirements in supplier agreements, maintaining contingency plans for critical third-party dependencies, and continuously monitoring supplier performance and compliance. The organisation shall regularly assess supplier adherence to the established requirements, including security standards, privacy requirements, and service level agreements. Performance monitoring shall include the collection and evaluation of feedback, documentation of monitoring results, and appropriate corrective action when issues are identified. Regular reviews of supplier risk assessments and performance metrics shall inform decisions about continuing, modifying, or terminating supplier relationships.

ISO 42001: A.10.2
ISO 27001: A.15.1, A.15.2
ISO 27701: 15.2.1, 15.2.2
EU AI Act: 25.1, 25.2, 25.3, 25.4
NIST RMF: Map 4.1, Govern 6.1
SOC 2: CC9.1, CC9.2