ইইউ এআই আইন কার্যকর হওয়ার 28 দিন বাকি
আরও জানুন →

EU AI Act: Deployer vs Provider — Who Bears Which Obligation

The EU AI Act assigns obligations by role, not by company. The same organisation can be a provider of one AI system and a deployer of another — and a deployer can quietly become a provider. This page explains the Article 3 definitions, how to tell which role you hold, and the Article 25 triggers that shift the heavier provider obligations onto a deployer.

Roles & Obligations — Article 3 & Article 25

EU AI Act: Deployer vs Provider — Who Bears Which Obligation

The EU AI Act assigns obligations by role, not by company. The same organisation can be a provider of one AI system and a deployer of another — and a deployer can quietly become a provider. This page explains the Article 3 definitions, how to tell which role you hold, and the Article 25 triggers that shift the heavier provider obligations onto a deployer.

সর্বশেষ আপডেট করা হয়েছে: ৪ জুলাই, ২০২৬

What Is a Provider? (Article 3(3))

A provider develops an AI system or general-purpose AI model — or has one developed — and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.

  • Develops or commissions the AI system or GPAI model
  • Places it on the EU market or puts it into service under its own name or trademark
  • Carries the bulk of the high-risk obligations: risk management (Article 9), data governance (Article 10), technical documentation (Article 11 / Annex IV), record-keeping (Article 12), transparency to deployers (Article 13), human oversight design (Article 14), and conformity assessment
  • Applies whether the system is supplied commercially or free of charge

What Is a Deployer? (Article 3(4))

A deployer uses an AI system under its own authority — except where the system is used in the course of a personal, non-professional activity.

  • Uses the system in a professional context, under its own authority (formerly called the 'user' in earlier drafts)
  • Must use the system in accordance with the provider's instructions for use
  • Carries deployer-specific duties: assigning competent human oversight, monitoring operation, keeping the automatically generated logs it controls, and informing affected persons where required
  • Certain deployers must also run a Fundamental Rights Impact Assessment (Article 27) before first use

How to Tell Which Role You Hold

Work through the distinction rather than assuming. The test is who put the system on the market under their name versus who is operating it:

  • Did you build or brand the system? If it goes to market under your name or trademark, you are the provider — even if a third party wrote the code for you.
  • Are you only running someone else's system? If you operate a system placed on the market by another company, under their name, you are the deployer.
  • You can be both at once. An enterprise that builds an in-house agent (provider) while also using a vendor's agent platform (deployer) holds both roles for different systems.
  • Provider obligations are heavier; deployer obligations are operational — oversight, monitoring, logging you control, and transparency to the people affected.

Importers, distributors and product manufacturers are separate operator roles with their own obligations — see the scope page for the full list.

When a Deployer Becomes a Provider (Article 25)

Article 25 sets out the situations where a deployer, distributor, importer or other third party takes on the full obligations of a provider for a high-risk AI system already on the market:

  • Rebranding — you put your own name or trademark on a high-risk system already placed on the market, unless a contract allocates the obligations otherwise
  • Substantial modification — you make a substantial modification to a high-risk system in a way that it remains high-risk
  • Changing the intended purpose — you modify the intended purpose of a system (including a general-purpose AI system) that was not classified as high-risk so that it now becomes high-risk
  • When any of these triggers, the original provider must cooperate, and you inherit the provider obligations — conformity assessment, technical documentation, record-keeping and the rest

This is the trap for teams that fine-tune, re-scope, or white-label a bought-in AI system: the paperwork you thought the vendor owned can shift to you.

How AIAgentree helps

AIAgentree is built to serve both roles from the same decision record, so evidence exists whichever side of Article 25 you land on:

  • For providers: tamper-evident decision records support Article 12 record-keeping and the technical evidence a conformity file expects, exportable via REST, MCP, A2A and OpenTelemetry
  • For deployers: human-oversight and approval workflows plus audit-fit retention (six months or more) produce the oversight evidence deployers are expected to keep
  • EU data residency in Germany keeps those records inside the EU, and Python and TypeScript SDKs let either role capture decisions without re-plumbing their stack

Frequently Asked Questions

Can one company be both a provider and a deployer?

Yes. Roles are assigned per AI system, not per company. An organisation that builds and markets its own agent is a provider for that system, while simultaneously being a deployer of any third-party AI systems it operates. The obligations apply to each role separately.

What is the difference between provider and deployer obligations?

Providers carry the design-and-market obligations: risk management, data governance, technical documentation, conformity assessment, and transparency to deployers. Deployers carry operational obligations: using the system per instructions, assigning human oversight, monitoring, keeping the logs they control, and, for some, a Fundamental Rights Impact Assessment.

When does a deployer become a provider under Article 25?

In three situations: putting your own name or trademark on a high-risk system already on the market, making a substantial modification to a high-risk system, or changing the intended purpose of a system so that it becomes high-risk. Any of these makes you a provider with the full provider obligations.

If I fine-tune a vendor's model, am I now the provider?

Potentially. If the change is a substantial modification of a high-risk system, or it changes a non-high-risk system's intended purpose so it becomes high-risk, Article 25 can make you the provider. Read the vendor contract and the intended-purpose statement carefully before assuming the vendor still owns the obligations.

Does AIAgentree decide our role for us?

No. Classifying your role is a legal and organisational judgement about how you build, brand and use each system. AIAgentree produces the decision records and oversight evidence that either role needs to demonstrate — it does not replace the role analysis itself.

Continue exploring the EU AI Act guide

EU AI Act Compliance Guide

The complete guide to EU AI Act compliance for AI agents — start here.

Article 12 — Record-Keeping & Logging

What every high-risk AI system must log, and how to capture it.

Article 14 — Human Oversight

Designing effective human-in-the-loop controls for AI decisions.

Annex III — High-Risk AI Systems

Which AI use cases the Act classifies as high-risk.

EU AI Act Compliance Checklist

A step-by-step checklist to reach and document compliance.

Compliance Cost Calculator

Estimate your EU AI Act compliance effort and cost.

Deadlines & Timeline

Key enforcement dates, including the August 2, 2026 deadline.

Fines & Penalties

Penalty tiers up to €35M or 7% of global annual turnover.

Transparency Obligations (Art. 13 & 50)

Disclosure duties for AI systems and their outputs.

Risk Management & Conformity Assessment

Build a risk management system and assess conformity.

GPAI Obligations

Rules for providers of general-purpose AI models.

EU AI Act for US Companies

Extraterritorial scope and what US providers must do.

Omnibus Update

The latest changes to the EU AI Act timeline and rules.

Penalty Calculator

Estimate your maximum fine under the Article 99 tiers.

Article 11 + Annex IV

What technical documentation the EU AI Act requires.

Article 26: Deployer Obligations

What deployers of high-risk AI must do, including log retention.

Article 17: Quality Management

The QMS providers of high-risk AI must document.

Article 10: Data Governance

Data quality, bias mitigation, and governance duties.

Article 4: AI Literacy

The staff AI-literacy duty in force since February 2025.

FRIA (Article 27)

Who must run a Fundamental Rights Impact Assessment, and how.

Who Does It Apply To?

Scope, operators, and the extraterritorial reach of the EU AI Act.

Post-Market Monitoring

Articles 72–73: ongoing monitoring and incident reporting.

ISO 42001 vs EU AI Act

How the voluntary standard and the binding law fit together.

NIST AI RMF vs EU AI Act

A practical crosswalk between the framework and the law.

EU AI Act for Healthcare

High-risk medical AI, MDR/IVDR interplay, and clinician oversight.

EU AI Act for Financial Services

Credit scoring, insurance pricing, and existing financial regulation.

EU AI Act for HR & Employment

Hiring AI as high-risk, plus NYC LL144 and EEOC overlap.