EU AI ACT — GUIDE
Deployer vs provider — who owns what under the EU AI Act
The EU AI Act allocates obligations by role, not by company size. A correct role assessment is the first compliance step: it decides whether you carry the heavy provider obligations under Article 16 or the operational deployer obligations under Article 26. The decision is fact-driven and per AI system, not per organisation.
Definitions (Article 3)
- Provider (Art 3(3)) — a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model, or has it developed, and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.
- Deployer (Art 3(4)) — a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity.
- Importer (Art 3(6)) — placing on the EU market an AI system that bears the name or trademark of a person established outside the EU.
- Distributor (Art 3(7)) — anyone in the supply chain, other than the provider or importer, that makes an AI system available on the EU market.
Obligation split for high-risk AI
Providers bear the bulk of the design-time and market-entry duties. Deployers bear the operational duties from the moment they put a system into service inside their own organisation.
| Obligation | Provider (Art 16) | Deployer (Art 26) |
|---|---|---|
| Risk management system (Art 9) | Yes | No (but uses provider’s outputs) |
| Data and data governance (Art 10) | Yes | Input-data quality only (Art 26(4)) |
| Technical documentation (Art 11, Annex IV) | Yes | No |
| Record-keeping / logs (Art 12) | Design | Retain at least 6 months (Art 26(6)) |
| Transparency to deployer (Art 13) | Yes — instructions for use | Follow the instructions (Art 26(1)) |
| Human oversight (Art 14) | Design | Assign competent persons (Art 26(2)) |
| Accuracy, robustness, cybersecurity (Art 15) | Yes | Maintain operating conditions |
| Conformity assessment + CE marking | Yes | No |
| EU database registration (Art 49) | Yes | Where deployer is a public authority (Art 49(1a)) |
| Worker information (Art 26(7)) | No | Yes — before put into service in workplace |
| Affected-person information (Art 26(11)) | No | Yes |
| Fundamental rights impact assessment (Art 27) | No | Yes for public bodies and listed cases |
| Post-market monitoring (Art 72) | Yes | Cooperate / report incidents (Art 26(5)) |
| Serious-incident reporting (Art 73) | Yes | Inform provider without delay |
When a deployer becomes a provider (Article 25)
Article 25(1) lists four triggers that turn a deployer (or distributor, importer or other third party) into a provider of a high-risk AI system, with all the Article 16 obligations attached:
- Re-branding. Putting your name or trademark on a high-risk AI system already placed on the market or put into service, without prejudice to contractual arrangements with the original provider.
- Substantial modification. Making a substantial modification to a high-risk system that remains high-risk under Article 6.
- Modifying the intended purpose. Changing the intended purpose of an AI system not classified as high-risk in such a way that it becomes high-risk under Article 6.
- Acting on a GPAI model. Integrating a general-purpose AI model into your own AI system that you place on the market under your own name, without using the GPAI model purely as off-the-shelf.
Article 25(2) requires the original provider to cooperate with the new provider so the latter can comply.
Typical HR-tech allocation
- HR-tech SaaS vendor that builds and ships a CV-screening model under its own brand: provider of a high-risk AI system (Annex III point 4(a)).
- Employer using that SaaS to filter applicants: deployer of a high-risk AI system.
- Employer that fine-tunes a foundation model on its own data and deploys the result for hiring: provider under Article 25(1)(b) (substantial modification) or Article 25(1)(d) (GPAI integration), depending on facts.
- Reseller rebranding a third-party HR-tech model under its own name: provider under Article 25(1)(a).
Why this matters before procurement
Article 26 deployer duties cannot be discharged without provider cooperation. Negotiate before signing: who supplies the instructions for use, who guarantees Art 50(2) machine-readable marking, who covers Art 73 serious-incident analysis, how logs are surfaced to support the Art 26(6) six-month retention duty, and how Art 25 triggers are flagged in the change-management process.
Related EU guides
- EU AI Act for recruitment AI
- Article 50 transparency from 2 August 2026
- AI inventory requirements
- NIS2 and HR systems
Sources
- Regulation (EU) 2024/1689, Articles 3, 16, 25, 26, 27, 49, 50, 72, 73 — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
Note: Role assessment is fact-driven; the same organisation can be a deployer for one system and a provider for another. PowerQuant supplies software and documentation for use in your internal compliance process — not legal advice.
PowerQuant Module 1
AI inventory with per-system role assessment, Annex III classification and Article 25 trigger flags. Delivered in 5 working days. Fixed fee, no subscription.
Price in EUR: FOUNDER_DECISION (placeholder pending Alex confirmation).