Chris Kemp summarises the issues around new Model Contract Terms and Standard Contractual Clauses emerging from the shadow of the recent EU digital regulation.
Introduction – the new MCTs and SCCs
By now the ‘top level’ requirements of the new wave of EU tech and digital regulation are fairly well known: the AI Act’s risk-based approach, the key contract provisions at DORA Art. 30, the NIS 2 reporting requirements, for example. What we think will bubble to the surface over the course of the rest of 2025 are the new Model Contract Terms (“MCT”) and Standard Contractual Clauses (“SCC”) nestled in the secondary legislation made under these rules: the delegated regulations and the implementing technical and regulatory standards.
These new MCTs and SCCs will not be mandatory. In some cases they are more like templates to show SME buyers of IT services what good could look like in a market where IT contracts are often one-sided documents favouring the large tech vendor. And because they won’t be mandatory, a big question for the new MCTs and SCCs is: will anyone actually pay any attention?
Examples – MCTs and SCCs in the AI Act, NIS 2, DORA and the Data Act
To give a bit more context, we will briefly walk through three examples. This is not an exhaustive list: there are lots of requirements in the rules that will either directly or indirectly affect what will need to be included in IT contracts. These are examples which have caught our interest recently.
Example 1: MCTs for high-risk AI system providers & their suppliers (AI Act, Art. 25(4))
By Art. 25(4) of the AI Act, the recently established European AI Office is encouraged to “develop and recommend voluntary model terms for contracts between providers of high-risk AI systems and third parties that supply tools, services, component or processes…”. The MCTs should “take into account possible contractual requirements in specific sectors or business cases.”
It is unclear what the status of these MCTs is, but it is foreseeable the requirement that they consider “specific sectors” and “business cases” will add to their complexity and the length of time it takes the AI Office to prepare them. When they are published, they will form part of a growing corpus of European AI model contract terms. For another example, see the March 2025 Updated EU AI model contractual clauses.[1]
Example 2: focus on supply chains (NIS 2 and DORA)
When organisations buy in IT they cede a certain amount of knowledge and control to third parties: SaaS vendors, managed service providers, IT consultants, etc. This creates supply chain vulnerabilities which NIS 2 and DORA, in particular, seek to remedy at the contract level.
As with the AI Act, many of the requirements are tucked under the primary legislation. For NIS 2, specific contract requirements can be found in the NIS 2 Implementing Regulation, para. 5.1.4 of the Annex to which requires that “relevant entities shall ensure that their contracts with… suppliers and service providers specify, where appropriate through service level agreements” contract terms like cybersecurity requirements, staff training, staff background checks, incident notification requirements and audit provisions.
For DORA, which applies in the financial services sector to in scope “Financial Entities”, the Regulatory Technical Standards on subcontracting will, when finalised, impose contract requirements where ICT services supporting critical or important functions are subcontracted.[2]
Example 3: cloud computing SCCs (Data Act, Art. 41)
The Data Act requires the European Commission to develop and recommend by 12 September 2025:
- non-binding MCTs on data access and use, including terms on reasonable compensation and the protection of trade secrets, and
- non-binding SCCs for cloud computing contracts to assist parties in drafting and negotiating contracts with fair, reasonable and non-discriminatory contractual rights and obligations.
The cloud computing SCCs are currently under development by a European Commission Expert Group on B2B data sharing and cloud computing contracts.[3] The SCCs will address important aspects of cloud contracts like information security and business continuity, liability and termination. The approach taken in drafts released in late 2024 suggests that the final cloud computing SCCs are likely to depart significantly from current market norms for cloud contracting.
Conclusion: prepare, but will anyone pay any attention?
The point of this article is to draw the reader’s attention to the lesser known MCTs and SCCs squirreled away at the layer of the secondary legislation in the new EU tech and digital rules.
This is worth doing because: (1) the MCTs and SCCs go directly to content requirements for IT contracts and (2) a number of them are likely to be finalised this year.
The MCTs and SCCs will give buyers of IT services new tools and models to negotiate better terms with their vendors. Vendors will need to think carefully about what, if anything, in these new forms of contract they are prepared to accept. Either way, we expect these new documents will start cropping up in IT contract negotiations in the course of 2025.
In almost all cases, these new MCTs and SCCs are not mandatory: contract parties can choose to incorporate them into their agreements or not. So the question remains: will anyone pay any attention?
Chris Kemp, Partner at Kemp IT Law LLP
[1] See European Commission: Updated EU AI model contractual clauses, dated 5 March 2025 <https://tinyurl.com/3nvnssb5>.
[2] See EBA, EIOPA and ESMA: Final report on Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554, dated 26 July 2024 <https://tinyurl.com/yecuvkwj>.
[3] See European Commission webpage for the Expert Group on B2B data sharing and cloud computing contracts (E03840) here <https://tinyurl.com/bddb9vz9>.
