AI High-risk Value Chain: Who is Responsible for What?

Moderator: Rocio de la Cruz, AIGP, CIPP/E, FIP, Director, Global Privacy and AI Public Policy, OpenText

Karolina Gałęzowska, Data Protection Assistant, eu-LISA

Anahita Valakche, Senior Strategist, Office of Responsible AI, Microsoft

Wojciech Wiewiórowski, European Data Protection Supervisor

Article 25 of the EU AI Act will enter into force on 2 Aug. 2026. It puts in place a regulatory compliance regime for providers of high-risk AI systems and expectations for third parties that supply them AI systems, tools, services, components and processes. It is a matter that is stressful to many businesses developing or using AI. In this interactive session, we will discuss the instances in which a company or institution using a vendor AI system becomes a provider of a high-risk system. We will also review essential concepts and terms; expectations related to technical access and other assistance; the impact of opt-out contractual clauses and exceptions granted to open-source suppliers; and how cooperation and placing of responsibilities could be integrated into contractual arrangements.

What you will learn:

• Explore one example of an AI product — from AI model development, to AI system development, to deployment — and the data protection responsibilities along the value chain from GPAI vendor to final deployer, including discussing relevant model clauses being defined in the GPAI Code of Practice, if applicable. 
• A visual checklist to assist companies and institutions in assessing their value chain role and related obligations.