Key facts
- A provider develops or places an AI system on the market under its own name.
- A deployer uses an AI system under its own authority without being its provider.
- Obligations differ significantly — providers generally carry more extensive requirements.
- An organisation can be a provider for one system and a deployer for another.
- Customising a third-party AI system can sometimes shift an organisation into the provider role.
What defines a provider
A provider develops an AI system, or has one developed on its behalf, and places it on the market or puts it into service under its own name or trademark. Providers carry the most extensive obligations under the Act, including conformity assessment for high-risk systems, technical documentation and quality management.
What defines a deployer
A deployer uses an AI system under its own authority, having obtained it from a provider, without being the provider itself. Most businesses using off-the-shelf AI tools are deployers rather than providers. Deployer obligations are generally lighter than provider obligations, but still include duties such as human oversight and, for certain high-risk uses, a Fundamental Rights Impact Assessment.
When the line blurs
Substantially modifying a third-party AI system, rebranding it, or changing its intended purpose can shift an organisation from deployer into provider status for that system — a distinction that matters significantly for the scope of obligations that then apply.
Why getting this right matters
Misclassifying your role can mean missing obligations entirely (if you wrongly assume you are only a deployer when you have taken on provider responsibilities) or over-investing in compliance work that does not apply to your actual role. Assess role classification per AI system, not once for the whole organisation.
Frequently asked questions
What is the difference between a provider and a deployer under the EU AI Act?
A provider develops and places an AI system on the market; a deployer uses an AI system under its own authority without being its provider.
Can an organisation be both a provider and a deployer?
Yes — for different AI systems, or in some cases even for the same system depending on how it is used and modified.
What can turn a deployer into a provider?
Substantially modifying, rebranding, or changing the intended purpose of a third-party AI system.
Do providers or deployers have more obligations?
Providers generally carry more extensive obligations, including conformity assessment and technical documentation for high-risk systems.
Why does correct role classification matter?
Misclassifying your role risks either missing real obligations or over-investing in compliance work that does not apply.
Related pages
Sources
Last updated 19 June 2026.