EU AI Act: Deployer vs Provider — Who Bears Which Obligation
The EU AI Act assigns obligations by role, not by company. The same organisation can be a provider of one AI system and a deployer of another — and a deployer can quietly become a provider. This page explains the Article 3 definitions, how to tell which role you hold, and the Article 25 triggers that shift the heavier provider obligations onto a deployer.
EU AI Act: Deployer vs Provider — Who Bears Which Obligation
The EU AI Act assigns obligations by role, not by company. The same organisation can be a provider of one AI system and a deployer of another — and a deployer can quietly become a provider. This page explains the Article 3 definitions, how to tell which role you hold, and the Article 25 triggers that shift the heavier provider obligations onto a deployer.
Последнее обновление: 4 июля 2026 г.
What Is a Provider? (Article 3(3))
A provider develops an AI system or general-purpose AI model — or has one developed — and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.
- Develops or commissions the AI system or GPAI model
- Places it on the EU market or puts it into service under its own name or trademark
- Carries the bulk of the high-risk obligations: risk management (Article 9), data governance (Article 10), technical documentation (Article 11 / Annex IV), record-keeping (Article 12), transparency to deployers (Article 13), human oversight design (Article 14), and conformity assessment
- Applies whether the system is supplied commercially or free of charge
What Is a Deployer? (Article 3(4))
A deployer uses an AI system under its own authority — except where the system is used in the course of a personal, non-professional activity.
- Uses the system in a professional context, under its own authority (formerly called the 'user' in earlier drafts)
- Must use the system in accordance with the provider's instructions for use
- Carries deployer-specific duties: assigning competent human oversight, monitoring operation, keeping the automatically generated logs it controls, and informing affected persons where required
- Certain deployers must also run a Fundamental Rights Impact Assessment (Article 27) before first use
How to Tell Which Role You Hold
Work through the distinction rather than assuming. The test is who put the system on the market under their name versus who is operating it:
- Did you build or brand the system? If it goes to market under your name or trademark, you are the provider — even if a third party wrote the code for you.
- Are you only running someone else's system? If you operate a system placed on the market by another company, under their name, you are the deployer.
- You can be both at once. An enterprise that builds an in-house agent (provider) while also using a vendor's agent platform (deployer) holds both roles for different systems.
- Provider obligations are heavier; deployer obligations are operational — oversight, monitoring, logging you control, and transparency to the people affected.
Importers, distributors and product manufacturers are separate operator roles with their own obligations — see the scope page for the full list.
When a Deployer Becomes a Provider (Article 25)
Article 25 sets out the situations where a deployer, distributor, importer or other third party takes on the full obligations of a provider for a high-risk AI system already on the market:
- Rebranding — you put your own name or trademark on a high-risk system already placed on the market, unless a contract allocates the obligations otherwise
- Substantial modification — you make a substantial modification to a high-risk system in a way that it remains high-risk
- Changing the intended purpose — you modify the intended purpose of a system (including a general-purpose AI system) that was not classified as high-risk so that it now becomes high-risk
- When any of these triggers, the original provider must cooperate, and you inherit the provider obligations — conformity assessment, technical documentation, record-keeping and the rest
This is the trap for teams that fine-tune, re-scope, or white-label a bought-in AI system: the paperwork you thought the vendor owned can shift to you.
How AIAgentree helps
AIAgentree is built to serve both roles from the same decision record, so evidence exists whichever side of Article 25 you land on:
- For providers: tamper-evident decision records support Article 12 record-keeping and the technical evidence a conformity file expects, exportable via REST, MCP, A2A and OpenTelemetry
- For deployers: human-oversight and approval workflows plus audit-fit retention (six months or more) produce the oversight evidence deployers are expected to keep
- EU data residency in Germany keeps those records inside the EU, and Python and TypeScript SDKs let either role capture decisions without re-plumbing their stack
Frequently Asked Questions
Can one company be both a provider and a deployer?
Yes. Roles are assigned per AI system, not per company. An organisation that builds and markets its own agent is a provider for that system, while simultaneously being a deployer of any third-party AI systems it operates. The obligations apply to each role separately.
What is the difference between provider and deployer obligations?
Providers carry the design-and-market obligations: risk management, data governance, technical documentation, conformity assessment, and transparency to deployers. Deployers carry operational obligations: using the system per instructions, assigning human oversight, monitoring, keeping the logs they control, and, for some, a Fundamental Rights Impact Assessment.
When does a deployer become a provider under Article 25?
In three situations: putting your own name or trademark on a high-risk system already on the market, making a substantial modification to a high-risk system, or changing the intended purpose of a system so that it becomes high-risk. Any of these makes you a provider with the full provider obligations.
If I fine-tune a vendor's model, am I now the provider?
Potentially. If the change is a substantial modification of a high-risk system, or it changes a non-high-risk system's intended purpose so it becomes high-risk, Article 25 can make you the provider. Read the vendor contract and the intended-purpose statement carefully before assuming the vendor still owns the obligations.
Does AIAgentree decide our role for us?
No. Classifying your role is a legal and organisational judgement about how you build, brand and use each system. AIAgentree produces the decision records and oversight evidence that either role needs to demonstrate — it does not replace the role analysis itself.
Continue exploring the EU AI Act guide
EU AI Act Compliance Guide
The complete guide to EU AI Act compliance for AI agents — start here.
Article 12 — Record-Keeping & Logging
What every high-risk AI system must log, and how to capture it.
Article 14 — Human Oversight
Designing effective human-in-the-loop controls for AI decisions.
Annex III — High-Risk AI Systems
Which AI use cases the Act classifies as high-risk.
EU AI Act Compliance Checklist
A step-by-step checklist to reach and document compliance.
Compliance Cost Calculator
Estimate your EU AI Act compliance effort and cost.
Deadlines & Timeline
Key enforcement dates, including the August 2, 2026 deadline.
Fines & Penalties
Penalty tiers up to €35M or 7% of global annual turnover.
Transparency Obligations (Art. 13 & 50)
Disclosure duties for AI systems and their outputs.
Risk Management & Conformity Assessment
Build a risk management system and assess conformity.
GPAI Obligations
Rules for providers of general-purpose AI models.
EU AI Act for US Companies
Extraterritorial scope and what US providers must do.
Omnibus Update
The latest changes to the EU AI Act timeline and rules.
Penalty Calculator
Estimate your maximum fine under the Article 99 tiers.
Article 11 + Annex IV
What technical documentation the EU AI Act requires.
Article 26: Deployer Obligations
What deployers of high-risk AI must do, including log retention.
Article 17: Quality Management
The QMS providers of high-risk AI must document.
Article 10: Data Governance
Data quality, bias mitigation, and governance duties.
Article 4: AI Literacy
The staff AI-literacy duty in force since February 2025.
FRIA (Article 27)
Who must run a Fundamental Rights Impact Assessment, and how.
Who Does It Apply To?
Scope, operators, and the extraterritorial reach of the EU AI Act.
Post-Market Monitoring
Articles 72–73: ongoing monitoring and incident reporting.
ISO 42001 vs EU AI Act
How the voluntary standard and the binding law fit together.
NIST AI RMF vs EU AI Act
A practical crosswalk between the framework and the law.
EU AI Act for Healthcare
High-risk medical AI, MDR/IVDR interplay, and clinician oversight.
EU AI Act for Financial Services
Credit scoring, insurance pricing, and existing financial regulation.
EU AI Act for HR & Employment
Hiring AI as high-risk, plus NYC LL144 and EEOC overlap.