Provider and Deployer Obligations under the EU AI Act

Conceptual framework and regulatory purpose

The EU Artificial Intelligence Act (EU AI Act) introduces a harmonised, role-based regulatory framework for artificial intelligence systems placed on or used within the European Union. Central to this framework is the distinction between providers and deployers of AI systems.

This distinction is not merely terminological. The EU AI Act allocates different compliance, governance and documentation obligations depending on the role an actor assumes in the AI system’s lifecycle. Correct role identification is therefore a threshold issue, as it determines both the scope and intensity of regulatory responsibility.

The Regulation adopts a functional approach: roles are defined by actual activities and control over the AI system, not by contractual labels or commercial self-description.

Systematics of the role-based model

The EU AI Act distinguishes several actors along the AI value chain, including providers, deployers, importers and distributors. In practice, however, providers and deployers carry the core regulatory burden.

Roles are not mutually exclusive. Depending on the circumstances, a single organisation may qualify as both provider and deployer of the same AI system. The assessment is therefore context-specific and must be carried out for each AI system individually.

The provider

Legal definition and functional role

A provider is any natural or legal person, public authority or other body that:

develops an AI system or has it developed, and
places that system on the market or puts it into service under its own name or trademark.

The decisive factor is not who performed the technical development, but who assumes regulatory responsibility for the system’s market placement and intended purpose.

By defining the intended use, the provider effectively determines the regulatory classification of the AI system, including whether it qualifies as high-risk.

Core obligations of providers

Providers bear the primary responsibility for ensuring compliance with the EU AI Act. For high-risk AI systems, their obligations include, in particular:

classification of the AI system according to risk,
establishment of a risk management system,
preparation and maintenance of technical documentation,
implementation of data governance and data quality measures,
ensuring human oversight mechanisms,
conducting conformity assessments prior to market placement,
setting up post-market monitoring and corrective processes.

These obligations apply before the AI system is placed on the market and continue throughout its operational lifecycle.

The deployer

Legal definition and functional role

A deployer is any natural or legal person, public authority or other body that uses an AI system under its authority, without being the provider.

Deployers integrate AI systems into their operational processes, for example in human resources, customer interaction, risk assessment or decision support. Their role is therefore defined by use rather than development or market placement.

Core obligations of deployers

Deployer obligations focus on the lawful and appropriate use of AI systems. Depending on the system’s risk classification, these may include:

using the AI system in accordance with the provider’s instructions,
implementing human oversight measures where required,
monitoring system performance in the operational context,
reporting serious incidents or malfunctions,
complying with transparency obligations towards affected persons.

While deployers do not carry primary responsibility for system design, they are accountable for the real-world effects of AI use.

Key criteria for distinguishing providers and deployers

The distinction between provider and deployer is based on functional criteria, not contractual arrangements. Relevant questions include:

Who defines the intended purpose of the AI system?
Who places the system on the market or puts it into service for the first time?
Who makes substantial modifications to the system or its purpose?
Who controls compliance with conformity and documentation requirements?

A deployer may become a provider if it substantially modifies an AI system or changes its intended use in a way that affects regulatory classification. In such cases, provider obligations may arise retroactively.

Multiple roles and role transitions

The EU AI Act explicitly recognises that actors may assume multiple roles simultaneously. Common scenarios include:

organisations that develop AI systems for internal use,
deployers that significantly adapt third-party AI systems,
corporate groups sharing AI systems across entities.

In such cases, obligations must be assessed role by role, with careful attention to which activities trigger which regulatory responsibilities.

Role allocation in high-risk AI systems

The distinction between provider and deployer is particularly significant for high-risk AI systems, where the EU AI Act establishes a detailed and differentiated compliance regime.

Providers and deployers are subject to complementary obligations designed to ensure regulatory coverage across the entire AI lifecycle. Failure to correctly identify roles may result in compliance gaps, enforcement risks or misallocated accountability.

Regulatory rationale

The role-based approach of the EU AI Act reflects a deliberate policy choice to anchor responsibility where control and influence exist. Providers are accountable for system design, market access and regulatory conformity. Deployers are responsible for operational use and its effects.

This functional allocation aims to prevent responsibility from being diluted or contractually shifted and enhances the enforceability and effectiveness of AI regulation.

Conclusion

The EU AI Act draws a clear distinction between providers and deployers of AI systems and assigns distinct regulatory obligations to each role. The classification is determined by actual functions and control, not by contractual terminology.

Correct role identification is essential for compliance with the EU AI Act and for understanding the regulatory responsibilities associated with the development, placement and use of AI systems within the European Union.

Notice

The information provided on this page is for general informational purposes only and does not constitute legal advice.

Provider and Deployer Obligations under the EU AI Act

Recent Post

Corporate Governance Across the EU, the UK and Greece – Key Legal Differences

Data Transfers Between the EU and the United Kingdom Post-Brexit

Advance Directives with International Elements: Conflict-of-Laws Issues

Cross-Border AI Compliance: EU vs UK Regulatory Approaches

GDPR vs. UK GDPR: Where Compliance Frameworks Diverge

Transparency Obligations for AI Systems under EU Law

Prohibited AI Practices under the EU AI Act

Provider and Deployer Obligations under the EU AI Act

What qualifies as a high-risk AI system under the EU AI Act?

Provider and Deployer Obligations under the EU AI Act

Quick Contact

Useful Links