The Two Main Roles in the EU AI Act
Regulation (EU) 2024/1689 defines two central actors in the AI value chain:
- Provider – Anyone who develops or commissions the development of an AI system and places it on the market under their own name (Art. 3(3))
- Deployer – Anyone who uses an AI system under their own authority (Art. 3(4))
Who Is a Provider?
Art. 3(3) EU AI Act: A natural or legal person that develops or commissions the development of an AI system and places it on the market or puts it into service under its own name or trademark.
Typical providers:
- Software companies that develop AI products
- Tech startups with AI-based SaaS solutions
- Companies that train an AI model and offer it as an API
- Companies that substantially modify an existing AI system (Art. 25) – thereby becoming a provider
Who Is a Deployer?
Art. 3(4) EU AI Act: A natural or legal person that uses an AI system under its own authority – except in the course of a personal, non-professional activity.
Typical deployers:
- A bank using a third-party credit scoring system
- An HR department using an AI tool for candidate screening
- A hospital deploying an AI diagnostic solution
- A public authority using an AI system for social welfare decisions
Obligations Compared
| Obligation | Provider (Art. 16) | Deployer (Art. 26) |
|---|---|---|
| Risk management system (Art. 9) | Yes – establish and maintain | No |
| Data governance (Art. 10) | Yes | No |
| Technical documentation (Art. 11) | Yes – create and update | No (but may request access) |
| Record-keeping (Art. 12) | Yes – enable system logs | Yes – retain logs |
| Transparency (Art. 13) | Yes – instructions for use | Yes – duty to inform affected persons |
| Human oversight (Art. 14) | Yes – enable | Yes – carry out |
| FRIA (Art. 27) | No | Yes (for public bodies, credit scoring, HR) |
| Conformity assessment (Art. 43) | Yes | No |
| CE marking (Art. 48) | Yes | No |
| EU database registration (Art. 49) | Yes | Yes |
| Incident reporting (Art. 62) | Yes | Yes |
When Does a Deployer Become a Provider?
Art. 25 EU AI Act defines important cases:
- Substantial modification – The deployer substantially modifies a high-risk AI system
- Own name/trademark – The deployer places the system on the market under its own name
- Change of intended purpose – The system is used for a high-risk purpose not intended by the provider
In these cases, the deployer assumes all provider obligations – including technical documentation and conformity assessment.
Decision Guide: Are You a Provider or Deployer?
- Did you develop the AI system yourself or commission its development? → Provider
- Are you placing it on the market under your own name/trademark? → Provider
- Have you substantially modified an existing system? → Provider (Art. 25)
- Are you using a third-party system without substantial modification? → Deployer
Correctly Assigning Obligations with AIvunera
When using our document generator, you select your role (provider/deployer). Our AI tailors the generated drafts accordingly:
- As a provider, you receive: Technical documentation (Annex IV), transparency notice (Art. 13), and a FRIA if needed
- As a deployer, you receive: FRIA (Art. 27), transparency notice (Art. 26), and guidance on collaborating with the provider