Procurement was built for static IT. AI governance demands more
Central administrations, regional governments, agencies, and public-sector buyers. Public institutions are deployers under the EU AI Act, but they also operate under constitutional and democratic obligations that no private deployer carries. The standard of evidence is correspondingly higher.
How AI is changing the public sector
The dominant approach in public-sector AI procurement has been to treat AI as another category of IT spend. Tender, evaluate, award, deploy. Risk assessment, when performed, lives inside the procurement file and rarely outlives the award decision.
This approach was acceptable when public-sector technology automated clearly bounded tasks. When the technology participates in decisions that affect citizens' rights, access to services, or due process, the governance standard changes entirely.
The EU AI Act introduces obligations that fall specifically on public-sector deployers. Before first use of a high-risk system listed in Annex III (the critical-infrastructure category in point 2 excepted), public bodies must carry out a Fundamental Rights Impact Assessment (Art. 27). They must also register themselves and their use of the system in the EU database (Art. 49(3)). Procurement language has to evolve so that vendors are contractually bound to supply the documentation these obligations depend on. The high-risk obligations apply from 2 August 2026, well within the lifetime of contracts being awarded today, and traditional IT governance instruments alone are not built to meet them.
What risks does this create
The risks are structural, and they carry a dimension private deployers do not face: constitutional accountability to citizens.
Decisions affecting rights, made or supported by AI, at scale
Benefit eligibility systems, tax risk scoring, judicial support tools, social services triage, urban traffic management. When AI participates in decisions that affect citizens' access to public services or due process, the applicable governance standard is democratic accountability. That has direct implications for what evidence is required and who can provide it.
Fundamental Rights Impact Assessment obligations not yet operationalized
Under Art. 27 of the EU AI Act, public-sector deployers must complete a FRIA before first use of an Annex III high-risk system (the critical-infrastructure category in point 2 excepted). The assessment has to describe how the system will be used and how often, identify the categories of persons and groups likely to be affected, set out the specific risks of harm to them, describe the human oversight measures, and state what will be done if those risks materialise, including complaint and governance arrangements. Doing that credibly requires technical understanding of the system, engagement with affected groups, and structured documentation, and the results must be notified to the market surveillance authority. Most institutions have not yet done this for systems already in production. The obligation applies to new high-risk deployments from 2 August 2026, and systems already in use by public authorities must be brought into compliance by 2 August 2030 under the transitional provisions, so the gap between legal obligation and operational reality is widening.
Procurement language that lags behind AI Act obligations
Asking vendors for "responsible AI" or "GDPR compliance" in tender documents is insufficient. Specifications now need to reference the applicable standards, the conformity assessment evidence a provider must hold for a high-risk system (technical documentation, EU declaration of conformity, instructions for use), and post-deployment monitoring and incident-reporting obligations. Procurement offices that have not updated their language are awarding contracts that leave the institution unable to evidence its own obligations when regulators or courts ask.
Independent assurance as a condition of democratic legitimacy
Internal self-attestation does not hold under the level of public scrutiny that public-sector AI attracts. When an oversight body, a parliamentary committee, or a constitutional court asks how the institution verified that the AI system operated as described, "we reviewed the vendor's policy document" is not a defensible answer.
The question that has changed
The question has moved from whether procurement procedures were followed, to whether the institution can demonstrate, to citizens, oversight bodies, and constitutional courts, that the AI deployed in public service operates under controls proportional to the stakes involved.
How these risks can be mitigated
The mitigation path runs through governance instruments that are proportional to the constitutional obligations public institutions carry.
FRIA as an operational process
A Fundamental Rights Impact Assessment has to be completed before a high-risk AI system is first used. That requires an inventory of systems, technical analysis of each one, identification of the persons and groups affected and the specific risks to them, structured engagement with affected communities, documented human oversight and mitigation measures, and notification of the results to the market surveillance authority. External support is almost always required to do this at the standard oversight bodies expect.
Procurement specifications that hold vendors to the standard
Updating tender language to require conformity assessment evidence, compliance with the applicable standards, and post-deployment monitoring obligations holds vendors to the provider obligations they carry under the Act and creates the audit trail public institutions need. It does not transfer the deployer's own obligations: the FRIA, registration, human oversight, and logging remain the institution's responsibility whatever the contract says.
Certification as the evidence standard
ISO/IEC 42001 certification demonstrates that AI deployment is governed under an internationally recognized management standard. For public institutions, that carries weight when AI governance is contested before oversight bodies, courts, or public opinion.
For most public institutions, the certification process surfaces AI deployments that were invisible to governance functions.
How we help public institutions
EU AI Act Public Sector Assessment
Inventory of your AI systems, classification by risk tier, identification of high-risk and prohibited use cases, and FRIA scoping. The deliverable is a documented position you can defend before oversight bodies.
ISO/IEC 42001 Certification for Public Bodies
ANAB-accredited certification scaled to public institutions. Demonstrates that AI deployment is governed under an internationally recognized management standard.
Procurement Specification Support
Independent technical input into tender documents and specifications. We help your procurement teams write requirements that hold vendors accountable to the standards regulators will apply, and that survive legal challenge.
Vendor Conformity Verification
Independent assessment of vendors awarded public contracts. Verifies that the AI systems delivered match the specifications committed to in the tender.
Zertia Academy — Public Sector Track
Training for IT directors, data protection officers, procurement leads, and policy teams. Builds the institutional capacity needed to procure, deploy, and oversee AI in line with public-interest obligations.
What regulators are asking and what certification answers
| Regulatory obligation | What it requires | How Zertia addresses it |
|---|---|---|
| EU AI Act — Art. 27 (Fundamental Rights Impact Assessment) | Public bodies deploying an Annex III high-risk system (critical-infrastructure uses in point 2 excepted) must conduct a FRIA before first use. Requires identification of affected persons and groups, assessment of the specific risks to their fundamental rights, description of human oversight, and documented measures for when risks materialise; the results are notified to the market surveillance authority. The obligation sits with the deploying institution and cannot be delegated to vendors. | FRIA scoping and delivery as a standalone service or integrated with ISO/IEC 42001 assessment. Structured documentation designed to satisfy oversight bodies, ombudsmen, and administrative courts. |
| EU AI Act — Art. 49(3) (Registration of high-risk AI by public bodies) | Public bodies deploying high-risk AI systems must register themselves and their use of the system in the EU database before putting it into service. The entry follows Annex VIII, Section C and includes a summary of the FRIA findings and, where applicable, of the DPIA, so the FRIA has to exist before registration can be completed. Most public institutions are not yet prepared to provide this. | We prepare the file, not just the gap report. |
| EU AI Act — Art. 26 (Deployer obligations) | Use the system in accordance with the provider's instructions, assign human oversight to people with the competence and authority to exercise it, ensure input data is relevant to the intended purpose, monitor operation and report serious incidents, keep the automatically generated logs (for at least six months where they are under the deployer's control), and inform people subject to decisions the system makes or supports. Public bodies carry these obligations regardless of whether the AI was built internally or procured; contracts do not transfer them to vendors. | The ISO/IEC 42001 management system and certification scope are mapped to the Art. 26 deployer obligations. Audit scope explicitly includes procured AI systems and vendor governance arrangements. |
| GDPR — Art. 35 (DPIA) + national administrative law | A DPIA is required where processing is likely to result in a high risk to individuals, which Art. 35(3)(a) presumes for systematic evaluation of people by automated processing that produces legal or similarly significant effects, the typical profile of a public-sector AI system. Where decisions are solely automated, the Art. 22 limits also apply. Public institutions additionally face national administrative law requirements on algorithmic decision-making that vary by member state and add obligations beyond GDPR. | DPIA services integrated with AI Act assessment. We assess national administrative law requirements relevant to the institution's jurisdiction as part of the engagement scope. |
From inquiry to certification
If you're earlier in the process
Get the Public Sector AI Roadmap
Free. A structured assessment for public administrations. Covers AI inventory, AI Act classification, FRIA scoping, and procurement readiness. Built for institutional realities, including budget cycles and oversight requirements.
Download the roadmap
Readiness and Assessment Engagement
Paid · Framework-friendly. Diagnostic engagement scoped to fit framework agreements and standard procurement instruments. Documented findings, remediation plan, and assessment timeline.
Book a readiness engagement
If you're ready for certification
ISO/IEC 42001 Certification or EU AI Act Conformity Assessment
ANAB-accredited. Three-year certification cycle or framework-based assessment, depending on institutional context. Fixed fees.
Talk to us about your engagement
A model that adapts to your institution
How we work with you depends on your institutional structure. A national agency operates on different terms than a regional administration. Three engagement models adapted to public-sector realities.
See how we engage →
- Startup: Early-stage AI. Light roadmap, certification when you scale.
- Scaleup: Readiness audit and certification timed to your growth.
- Enterprise: Full certification with recurring governance and ongoing support.
Zertia is a conformity assessment body accredited by ANAB for ISO/IEC 42001
Our certification activities under ISO/IEC 42001 are conducted under accreditation by ANAB (ANSI National Accreditation Board), a globally recognized accreditation body.
ANAB accreditation confirms that our audit and certification processes meet applicable ISO standards and international requirements for competence, impartiality, and independence. Our methodologies, auditor qualifications, and decision processes are externally assessed against rigorous technical criteria.
For certified organizations, this provides internationally recognized certificates and enhanced credibility with regulators, clients, and investors.
Your fast track to compliance starts here
Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.
