Microsoft SSPA Section K: The AI Requirements for Suppliers
If your company supplies Microsoft and uses AI in what you provide, a specific set of requirements now applies to you. Microsoft added Section K, covering AI Systems, to its Supplier Data Protection Requirements, and it sits inside the Supplier Security and Privacy Assurance program that gates the ability to do business with Microsoft. This guide explains what Section K asks, when an ISO 42001 certificate is optional versus mandatory, and how to get ready.
SSPA, the DPR, and Section K
The Supplier Security and Privacy Assurance program, or SSPA, is Microsoft's supplier risk process. It requires suppliers to implement Microsoft's Data Protection Requirements, or DPR, and then validate that they have done so, at onboarding and every year after. Section K, introduced in DPR version 10 and effective from late September 2024, is the part focused on AI Systems. The current DPR is version 12, March 2026, where Section K covers requirements 51 to 63 of 63 total.
Who it applies to
SSPA covers suppliers worldwide who process personal data or Microsoft confidential data, or who use AI Systems, in the course of what they provide to Microsoft. Compliance is not optional if you want the work: a supplier must reach Green status in Microsoft's portal to be eligible, and a Red status is a hard block on new engagements. Your data processing profile determines exactly which requirements apply to you.
When ISO 42001 is optional, and when it is required
This is the part suppliers most need to get right. For general AI services, Microsoft accepts an ISO/IEC 42001 certification in place of an independent assessment against Section K. In other words, ISO 42001 is one route to validating the AI requirements, and it is optional in the sense that an independent assessment is the alternative.
Version 12 removed the earlier Sensitive Use gate. Every supplier providing AI Systems to Microsoft now provides independent assurance for Section K, with both routes open. What remains non-negotiable is requirement 52: no AI System you design, develop, place on the market, put into service, or use for Microsoft may be a Prohibited Practice under your AI Systems contractual terms.
How to get ready
Whether your route is an independent assessment or full ISO 42001 certification, both rest on the same foundation: documented AI governance. A supplier that already has an AI policy, an inventory of its AI systems, an impact assessment process, vendor governance, and an incident procedure is far along toward either path. Building that documentation now is the work you can start today, before you book an assessor or a certification body.
One honest caveat. Templates and policies get you ready. They are not the certificate. ISO 42001 certification is issued by an accredited certification body after an audit, and an independent Section K assessment is performed by a qualified assessor; Microsoft publishes a preferred assessors list. Use strong documentation to prepare efficiently, then engage the right assessor for the formal step.
The SSPA Section K Readiness Kit
Skip the blank page. The kit maps ISO 42001 evidence to Section K, runs the v12 screening worksheet, indexes the evidence to assemble, and lays out the path to Green. Editable Word and PDF, built for exactly this moment.
Common questions
What is Section K?
Section K is the part of Microsoft's Supplier Data Protection Requirements that covers AI Systems. It was added in DPR version 10, effective September 2024, and applies to suppliers who use AI in what they provide to Microsoft. The current version is 12, March 2026, with Section K as requirements 51 to 63.
Do I need an ISO 42001 certificate?
Not necessarily, but independent assurance is required. Under DPR version 12, every supplier providing AI Systems needs independent assurance for Section K, and both routes are open: an independent assessment against Section K, or an ISO/IEC 42001 certificate, which Microsoft relies on as closely mapping to the DPR.
What changed in DPR version 12?
Version 12, March 2026, consolidates the DPR to 63 requirements, renumbers Section K to requirements 51 to 63, adds a networking security requirement and a prohibition on AI Systems that are a Prohibited Practice under your AI Systems terms, and removes the earlier Sensitive Use language.
Are templates enough to be compliant?
No. Templates help you build the AI governance documentation that both routes rely on, but compliance is validated through an independent assessment by a qualified assessor or through ISO 42001 certification by an accredited body.