EU AI Act topic guide

Provider vs deployer under the EU AI Act: who carries which duties

The EU AI Act distributes obligations across different actors in the AI supply chain. The most important distinction is between a "provider" (the entity that develops or commissions an AI system and places it on the market) and a "deployer" (the entity that puts the system to work in a professional context). Misidentifying your role can leave you either over-compliant or dangerously exposed.

Reviewed by the AI Act Navigator team · Last updated 9 June 2026

TL;DR

  • Provider: develops the AI and puts it on the market under their own name - carries the heaviest obligations (Article 16): risk management, data governance, technical documentation, conformity assessment, CE marking, registration.
  • Deployer: uses a provider's AI under their own authority in a professional context - carries Article 26 obligations: use per instructions, human oversight, data quality, log retention, staff notification, FRIA (where required).
  • Reclassification risk (Article 25): a deployer, importer or distributor becomes a provider if they put their own name on a high-risk system, substantially modify it, or change its intended purpose.
  • Importers and distributors have verification duties but lighter obligations - unless they trigger Article 25 reclassification.
Classify your AI systemObligations guide

Scope

What this covers

  • Provider obligations (Article 16): implement a risk management system (Art. 9); ensure data governance (Art. 10); prepare technical documentation (Art. 11); enable automatic logging (Art. 12); provide deployer information (Art. 13); design for human oversight (Art. 14); ensure accuracy, robustness and cybersecurity (Art. 15); implement a quality management system (Art. 17); conduct conformity assessment (Art. 43); draw up EU declaration of conformity and affix CE marking (Arts. 47-48); register in the EU database (Art. 49); conduct post-market monitoring and incident reporting (Arts. 72-73).
  • Deployer obligations (Article 26): use the system in accordance with provider instructions for use; assign human oversight to competent, authorised persons; ensure input data is relevant and representative; monitor operation and suspend use if risks arise; keep logs for at least 6 months; inform affected workers or their representatives before deploying in the workplace; inform natural persons subject to high-risk decisions.
  • FRIA requirement (Article 27): deployers that are public bodies, or that use AI for credit scoring or life/health insurance risk assessment/pricing, must conduct a Fundamental Rights Impact Assessment before deployment.
  • Reclassification as provider (Article 25): triggering conditions include: placing own name/trademark on a high-risk AI system; substantially modifying a high-risk AI system; changing the intended purpose of an AI system so that it becomes high-risk.

Non-EU providers must appoint an EU-based authorised representative (Article 22) who takes on specified responsibilities toward national authorities.

Source: Regulation (EU) 2024/1689 (EUR-Lex)

Compliance challenges

Key compliance challenges

  • Distinguishing "substantial modification" from routine configuration or fine-tuning - a change that alters the fundamental design of a high-risk system, or enables new capabilities in a new context, may trigger Article 25 reclassification.
  • Understanding what counts as "professional capacity" for deployers - personal non-professional use is excluded from the Act, but a sole trader or freelancer using AI in their business is a deployer.
  • Contractual allocation: providers and deployers can allocate certain obligations by contract, but neither can contract out of regulatory responsibility for their statutory duties.
  • Multi-party systems: where multiple providers contribute AI components that are integrated by a third party, each provider carries obligations for their own component.

The EU AI Act applies a risk-based approach: obligations scale with the level of risk posed. AI Act high-level summary

What to do

What to do

  1. Map every AI system in your organisation: for each, identify whether you developed it (provider), or merely use it (deployer), or distribute/import it.
  2. Check for reclassification risk under Article 25: have you branded, substantially modified or changed the intended purpose of any third-party high-risk system?
  3. For deployer roles: review the provider's instructions for use; assign trained human oversight personnel; set up log retention (minimum 6 months); prepare FRIA documentation if applicable.
  4. For provider roles: build out the Chapter III compliance programme for high-risk AI; appoint an EU authorised representative if you are non-EU.
  5. Review your contracts with providers to ensure they give you the information and documentation you need to perform your deployer obligations.

For the full obligations breakdown, see the AI Act obligations guide, and for role-specific duties see the provider vs deployer guide.

FAQ

Provider vs deployer: common questions

We use a third-party AI tool internally. Are we a deployer?
Yes, if you use the AI tool under your own authority in a professional context. As a deployer of a high-risk system you carry the Article 26 obligations. If the system is not high-risk, you have lighter or no mandatory obligations - though AI literacy (Article 4) applies regardless.
Can the deployer and provider be the same organisation?
Yes. If you develop an AI system and also use it in-house in a professional context, you are both provider and deployer. You must meet both sets of obligations.
We configure and customise a vendor's AI platform for clients - are we now the provider?
It depends. If you place the system on the market under your own name, or substantially modify the vendor's high-risk system, or change its intended purpose so it becomes high-risk, Article 25 reclassifies you as the provider with full provider obligations. Configuration within the vendor's intended parameters generally does not trigger reclassification - but the line is not always clear.
What documentation must a provider give the deployer?
For high-risk AI, the provider must provide instructions for use (Article 13) containing everything a deployer needs to use the system correctly: technical capabilities and limitations, performance metrics, human oversight instructions, data input requirements, maintenance and logging guidance. Deployers must use the system in accordance with those instructions.
Are importers and distributors exposed to fines?
Yes. Importers and distributors carry verification obligations (Articles 23-24) and can be fined for non-compliance with their own duties under Article 99. And if they trigger Article 25 reclassification, they face the full provider fine exposure (up to €15m/3% for non-compliance, or €35m/7% for prohibited practices).

Get AI Act-ready

Use the risk classifier to find your system's tier, then explore the obligations and checklist for your role.

Classify your AI system

This is guidance, not legal advice

This is guidance to help you understand how the EU AI Act applies to provider vs deployer, not legal advice. For decisions specific to your organisation, confirm with the official sources we link or a qualified legal adviser.

Sources

  1. [1]Regulation (EU) 2024/1689 (EU AI Act) - EUR-Lexretrieved 9 Jun 2026
  2. [2]European Commission: AI regulatory frameworkretrieved 9 Jun 2026
  3. [3]AI Act Explorer: high-level summaryretrieved 9 Jun 2026
  4. [4]AI Act implementation timelineretrieved 9 Jun 2026
  5. [5]Council of the EU: Digital Omnibus provisional agreement, 7 May 2026retrieved 9 Jun 2026

The AI Act Brief

Subscribe to The AI Act Brief

We watch Brussels so you don't. Plain-English EU AI Act updates, free.

No spam. Unsubscribe anytime.

Provider vs deployer under the EU AI Act: roles and obligations explained | AI Act Navigator · AI Act Navigator