Provider vs Deployer

The EU AI Act makes a fundamental distinction between providers and deployers. A provider is the one who develops or has an AI system developed and places it on the market under their own name. A deployer is an organization that uses an AI system professionally. This distinction determines which obligations apply to you.

Use this decision tree to determine if you are a provider or deployer. Question 1: Did you develop or have the AI system developed? If no → you are probably a deployer. If yes → go to question 2. Question 2: Do you market it under your own name/brand? If yes → you are a provider. If no → question 3. Question 3: Do you use it only internally? If yes → you are still a provider (also for internal use). Note: if you buy an AI tool, significantly modify it, and resell it under your own name, you are both deployer and provider.

As a provider of a high-risk AI system, you have extensive obligations. You must implement a risk management system that remains active throughout the lifecycle. Technical documentation must be prepared before market introduction. You are responsible for conformity assessment, CE marking and registration in the EU database. After launch, you must perform post-market monitoring and report serious incidents.

As a deployer of a high-risk AI system, you have fewer obligations than a provider, but they are no less important. You must carefully follow the provider's instructions. For public organizations and certain high-risk applications, you must perform a Fundamental Rights Impact Assessment (FRIA). Meaningful human oversight is mandatory, as is monitoring input data. Serious incidents must be reported.

There are situations where your role is not immediately clear. If you buy an AI system, significantly modify it, and market it under your own name, you are both deployer (of the original system) and provider (of the modified system). If you integrate General Purpose AI like ChatGPT into your own system, you may become provider of the combined system. Importers and distributors of AI systems from outside the EU have special obligations under Articles 26 and 27.

The Digital Omnibus on AI proposal of November 19, 2025 contains multiple changes directly affecting provider and deployer obligations. For providers: the registration requirement for AI systems exempted from high-risk classification via Art. 6(3) is removed. Instead, a documented self-assessment suffices. The EDPB and EDPS warn in their Joint Opinion 1/2026 that this undermines accountability and creates an undesirable incentive to claim exemptions. For deployers: high-risk obligations are deferred to 6 or 12 months after harmonized standards become available, with an ultimate deadline of December 2027 or August 2028. The AI Office becomes exclusively responsible for supervision of AI systems based on GPAI models. Additionally, both providers and deployers would be allowed to process (sensitive) personal data for bias detection in all AI systems, not just high-risk. SME exemptions are extended to small mid-caps.