Provider vs Deployer: Understanding Your Role Under the EU AI Act

One of the most important — and often misunderstood — aspects of the EU AI Act is the distinction between providers and deployers of AI systems.

Your classification determines:

  • Which legal obligations apply
  • Who is responsible for compliance
  • What documentation and assessments are required

In practice, many organisations assume they are simply “users” of AI. Under the EU AI Act, however, this assumption can lead to significant compliance gaps.

This guide explains:

  • What counts as a provider vs a deployer
  • How to determine your role
  • What obligations follow from each

What Is a Provider Under the EU AI Act?

A provider under the EU AI Act is the organisation responsible for developing and placing an AI system on the market. This role carries the most extensive compliance obligations, as it directly relates to how the system is designed, built, and validated.

Definition

A provider is any organisation that does either of the following:

  • Develops an AI system and places it on the market
  • Puts the system into service under its own name

This applies whether the system is used internally, sold, or licensed.

Examples of providers

  • A company building an AI recruitment tool
  • A fintech developing a credit scoring model
  • A SaaS platform offering AI-powered analytics

Key responsibilities

Providers carry the heaviest compliance burden under the EU AI Act.

  • Risk management system
  • Technical documentation
  • Data governance
  • Conformity assessment
  • CE marking
  • Registration in the EU database

In short: providers are responsible for how the AI system is built and designed.

What Is a Deployer Under the EU AI Act?

Definition

A deployer (referred to as a “user” in the EU AI Act) is an organisation that:

  • Uses an AI system under its own authority
  • Applies it in a professional context

Examples of deployers

  • A university using AI for exam monitoring
  • A company using AI for hiring decisions
  • A bank using a third-party credit scoring tool

Key responsibilities

Deployers are responsible for ensuring the AI system is used correctly and in compliance with applicable requirements.

  • Proper use of the AI system
  • Human oversight
  • Monitoring of outputs
  • Compliance with provider instructions
  • Conducting a FRIA (where required)

In short: deployers are responsible for how the AI system is used.

Provider vs Deployer: Key Differences

| Element | Provider | Deployer |
|---|---|---|
| Role | Builds and places AI system on the market | Uses AI system in practice |
| Primary responsibility | Design, development, and compliance of the system | Use, oversight, and monitoring of the system |
| Risk management system | Required | Not required (but must follow provider instructions) |
| Technical documentation | Required | Not required |
| Human oversight | Built into system design | Must be implemented in practice |
| FRIA (AI Act) | Not required | Required in many high-risk use cases |
| Conformity assessment | Required before market placement | Not required |

When Are You Both a Provider and a Deployer?

The AI Act creates a clear distinction between two primary roles, and your obligations depend on which you hold.

Providers develop an AI system and place it on the market under their own name — whether for sale, licensing, or internal use at scale. Providers bear the heaviest compliance obligations: technical documentation, conformity assessment, CE marking, and registration.

Deployers (referred to as “users” in the original regulation) use an AI system under their own authority for professional purposes. Deployers are responsible for operating the system as intended, ensuring human oversight, monitoring performance, and conducting FRIAs where required.

Many organisations are both. A company that builds a custom recruitment AI for internal use is a provider. The same company using a third-party credit scoring tool is a deployer. Each role must be identified, and obligations managed accordingly.

Example:

A company builds an internal AI recruitment tool → Provider
The same company uses a third-party credit scoring system → Deployer

In practice, many organisations are both.

Why This Distinction Matters

Misclassification can lead to:

  • Missing required documentation
  • Failing conformity assessments
  • Lack of proper oversight
  • Regulatory penalties

The obligations are not interchangeable.

How to Determine Your Role (Practical Checklist)

Ask these questions:

  • Did we develop this AI system ourselves?
  • Are we placing it on the market?
  • Are we using someone else’s AI system?
  • Do we modify or re-purpose an existing system?

Quick rule

Build it → Provider
Use it → Deployer
Do both → Both roles apply

Common mistakes to avoid

  • Assuming “we didn’t build it, so we’re not responsible”
  • Ignoring deployer obligations (especially FRIA)
  • Treating vendor AI as fully outsourced compliance
  • Not documenting internal AI development

Preparing for the 2026 deadline

  • Map all AI systems in your organisation
  • Classify each system (provider vs deployer)
  • Identify high-risk systems
  • Align with FRIA and DPIA processes

This is a foundational step for AI Act compliance.

Conclusion

The provider vs deployer distinction is not just a legal definition — it is a practical compliance framework.

Organisations that clearly identify their role will be better positioned to:

  • Allocate responsibilities
  • Implement governance
  • Avoid regulatory risk

In most cases, the challenge is not choosing one role — but managing both effectively.
