Key facts
- Building or substantially modifying an AI feature typically makes you a provider; using a third-party AI system as-is typically makes you a deployer.
- A single SaaS product can involve both roles at once, for different embedded features.
- Obligations follow the AI feature's risk tier, not the SaaS company's size.
- Embedding a general-purpose AI model (GPAI) also brings separate GPAI-specific obligations into play.
- Map every AI feature in your product individually rather than assessing the product as a whole.
Working out your role
For each AI feature in your product, ask: did we build this model or system, or substantially adapt someone else's? If yes, you are likely a provider for that feature. Did we take a system or model largely as-is and use it under our own authority within our product? If yes, you are likely a deployer for that feature. Many SaaS companies are providers for a bespoke feature they built and deployers for an embedded third-party model in the same product.
Why this matters
Providers carry the heavier set of obligations: conformity assessment, technical documentation, risk management and, for high-risk systems, a full quality management system. Deployers carry lighter but still real duties: use the system as intended, monitor it, keep logs where required, and support the human oversight the system was designed for.
Embedding general-purpose AI models
If your product embeds a general-purpose AI model — most commonly a third-party large language model — separate GPAI obligations apply on top of your provider or deployer status for the feature itself. Check the underlying model provider's own compliance documentation, and confirm what it says about downstream use in a product like yours.
Practical next step
List every AI feature in your product as its own line item, tag each as provider or deployer, and classify each against the Act's risk tiers separately. Treating the whole product as one undifferentiated block is the most common mistake SaaS companies make here.
Frequently asked questions
Is a SaaS company a provider or deployer under the EU AI Act?
It depends on the feature — building or substantially adapting an AI feature typically makes you a provider; using a third-party system as-is typically makes you a deployer.
Can a SaaS company be both a provider and a deployer?
Yes — for different AI features within the same product, both roles can apply at once.
Does embedding a third-party AI model change our obligations?
Yes — it typically brings separate general-purpose AI (GPAI) obligations into play alongside your provider or deployer status for the feature.
Do the EU AI Act's obligations depend on company size?
No — they follow the AI feature's risk tier, not the size of the company offering it.
What is the most common mistake SaaS companies make?
Assessing the whole product as one block instead of classifying each AI feature separately.
Related pages
Sources
Last updated 19 June 2026.