The EU AI Act does not impose the same obligations on everyone who touches an AI system. Your compliance burden depends entirely on which role you occupy in the AI value chain. Two companies using the same AI product can have entirely different obligations depending on how they use it, whether they modified it, and whether they placed it on the market under their own name.
Getting the role determination wrong in either direction carries risk. Underestimating your role means missing compliance obligations. Overestimating it means wasting resources on requirements that do not apply to you.
This guide sets out every role defined in the Act, explains what triggers each one, and provides a questionnaire to help you determine which role applies to your organisation.
The Six Roles Under the EU AI Act
| Role | Definition | Article |
|---|---|---|
| Provider | Develops an AI system or GPAI model and places it on the market or puts it into service under its own name or trademark | Article 3(3) |
| Deployer | Uses an AI system under its own authority in a professional context | Article 3(4) |
| Authorised representative | EU-established entity appointed by written mandate to act on behalf of a non-EU provider | Article 3(5) |
| Importer | EU-established entity that places on the market an AI system bearing the name or trademark of a non-EU person | Article 3(6) |
| Distributor | Entity in the supply chain that makes an AI system available on the EU market, other than provider or importer | Article 3(7) |
| Product manufacturer | Manufacturer of an Annex I regulated product who integrates an AI system and places it on the market under their own name | Article 3(8), Article 25 |
One organisation can hold more than one role simultaneously. A company that develops its own AI product (provider), uses third-party AI tools internally (deployer), and resells AI software from a US vendor (importer) holds three roles at once, each with separate obligations.
Role Definitions in Detail
Provider
A provider is any natural or legal person that develops an AI system or GPAI model and places it on the EU market or puts it into service under its own name or trademark, whether for payment or free of charge.
What triggers provider status:
- You built the AI system and sell or licence it to others
- You fine-tune or substantially modify a third-party model and deploy it under your own brand
- You integrate an AI model into a product and place that product on the market under your name
- You are a public authority that develops an AI system for its own use
What does not make you a provider:
- Using a third-party AI tool internally without modification
- Reselling an AI system without modifying it or rebranding it as your own
Provider obligations are the most extensive under the Act. For high-risk AI systems they include conformity assessment, technical documentation, CE marking, EU Declaration of Conformity, registration, post-market monitoring, and incident reporting. For GPAI models they include technical documentation, copyright transparency, and, for systemic risk models, adversarial testing and AI Office reporting.
| Provider type | Key trigger | Primary obligations |
|---|---|---|
| Provider of high-risk AI system | System listed in Annex III or safety component in Annex I product | Conformity assessment, technical documentation, CE marking, registration, post-market monitoring |
| Provider of GPAI model (standard) | GPAI model placed on EU market | Technical documentation, copyright transparency, model card |
| Provider of GPAI model (systemic risk) | Model with high-impact capabilities, compute exceeding 10^25 FLOPs | Above plus adversarial testing, incident reporting, AI Office cooperation |
| Non-EU provider | Established outside EU, places system on EU market | All of the above plus mandatory Authorised Representative appointment |
Deployer
A deployer is any natural or legal person, public authority, agency, or other body that uses an AI system under its own authority, except where the system is used for purely personal non-professional activity.
What triggers deployer status:
- Your company uses an AI-powered hiring tool, even if procured from a vendor
- Your organisation uses AI for credit decisions, fraud detection, or customer risk scoring
- Your hospital uses an AI-assisted diagnostic tool
- Your school uses AI to assess student performance or determine access to programmes
- Any professional use of an AI system under your own authority and control
What does not make you a deployer:
- Using an AI-powered consumer app for personal purposes unrelated to professional activity
The deployer role is widely misunderstood. Many organisations assume that because they did not build the AI, they have no obligations. Under the Act, deployers of high-risk AI systems carry significant independent obligations including human oversight, Fundamental Rights Impact Assessments, log retention, and staff notification duties.
When a deployer becomes a provider:
A deployer crosses into provider territory when it:
- Substantially modifies a high-risk AI system
- Places a modified system on the market under its own name
- Changes the intended purpose of the system in a way that would require a new conformity assessment
- Uses the system for a purpose outside the scope of the original provider’s instructions in a way that creates a new high-risk use case
| Deployer scenario | Risk classification | Key obligations |
|---|---|---|
| Using AI chatbot for customer service | Likely limited or minimal risk | Transparency disclosure only |
| Using AI for CV screening and candidate ranking | High risk (Annex III, employment) | FRIA, human oversight, log retention, staff notification |
| Using AI for credit scoring | High risk (Annex III, essential services) | FRIA, human oversight, log retention |
| Using AI for medical image analysis | High risk (Annex III or Annex I product) | FRIA, human oversight, instructions compliance |
| Using AI for employee performance monitoring | High risk (Annex III, employment) | FRIA, human oversight, log retention |
Authorised Representative
An authorised representative is a natural or legal person established in the EU who has received and accepted a written mandate from a non-EU provider to perform compliance obligations on its behalf.
What triggers the requirement:
- You are a provider of a high-risk AI system established outside the EU
- You are a provider of a GPAI model established outside the EU and placing the model on the EU market from 2 August 2025
What the role involves:
The authorised representative is not a passive filing address. It carries direct regulatory obligations and faces independent penalties for non-performance.
| Obligation | High-risk AI (Art. 22) | GPAI model (Art. 54) |
|---|---|---|
| Verify technical documentation is correctly prepared | Yes | Yes |
| Hold technical documentation for 10 years | Yes | Yes |
| Provide documentation to authorities on request | Yes | Yes |
| Cooperate with competent authorities | Yes | Yes |
| Terminate mandate and notify authorities if provider breaches the Act | Yes | Yes |
| Assist with Article 49 registration | Yes | No |
UK establishment does not qualify. Post-Brexit, a UK-based entity cannot serve as an EU Authorised Representative.
Importer
An importer is a natural or legal person established in the EU that places on the EU market an AI system bearing the name or trademark of a person established outside the EU.
What triggers importer status:
- You are EU-established and you bring a non-EU AI product to market under the original vendor’s name
- You are the first point of EU market entry for a non-EU AI system
What importers must verify before placing a system on the market:
| Verification requirement | Legal basis |
|---|---|
| Provider has completed the required conformity assessment | Article 23(1)(a) |
| Technical documentation is available | Article 23(1)(b) |
| CE marking is affixed and Declaration of Conformity issued | Article 23(1)(c) |
| Provider has appointed an Authorised Representative | Article 23(1)(d) |
Importers must also indicate their name, registered trade name, and contact address on the AI system or its packaging, and retain copies of the Declaration of Conformity and technical documentation for 10 years.
Distributor
A distributor is any person in the supply chain, other than the provider or importer, that makes an AI system available on the EU market.
What triggers distributor status:
- You resell an AI system without modifying it and without being the original provider or the EU importer
- You make an AI system available to end users as part of a broader product or service offering
Key obligations:
- Verify CE marking is affixed before making a high-risk system available
- Verify required documentation accompanies the system
- Inform the provider or importer of suspected non-compliance
- Report serious incidents to authorities
When a distributor becomes a provider:
A distributor that modifies a high-risk AI system, places it on the market under its own name, or changes its intended purpose is treated as a provider under the Act and assumes full provider obligations from that point.
Product Manufacturer
A product manufacturer that integrates an AI system into a product covered by EU harmonisation legislation listed in Annex I (medical devices, machinery, vehicles, aviation safety components, and others) and places that product on the EU market under its own name is treated as a provider of the AI system.
This means the full provider compliance burden applies to the AI component of the product, in addition to whatever sector-specific product safety requirements govern the product itself.
Annex I product categories include:
- Medical devices and in vitro diagnostic medical devices
- Machinery
- Radio equipment
- Lifts
- Pressure equipment
- Personal protective equipment
- Civil aviation safety components
- Motor vehicles and agricultural machinery
Role Determination Questionnaire
Work through the questions below in order. Stop at the first answer that determines your role. Your organisation may satisfy more than one path.
Step 1: Are you a provider?
Q1.1 Did your organisation develop the AI system, or commission its development, and is it placed on the market or put into service under your name or trademark?
- Yes → You are a provider. Proceed to Step 1a to determine your provider obligations.
- No → Proceed to Q1.2.
Q1.2 Did your organisation take a third-party AI model and substantially modify it, fine-tune it for a new purpose, or integrate it into a product placed on the market under your name?
- Yes → You are likely a provider of the modified system. Proceed to Step 1a.
- No → Proceed to Q1.3.
Q1.3 Are you a public authority that developed an AI system for your own use?
- Yes → You are a provider.
- No → Proceed to Step 2.
Step 1a: If you are a provider, determine your provider category
Q1a.1 Is your AI system listed in Annex III (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice)?
- Yes → You are a provider of a high-risk AI system.
Q1a.2 Is your AI system a safety component of a product covered by Annex I legislation?
- Yes → You are a provider of a high-risk AI system and may also be a product manufacturer.
Q1a.3 Is your system a general-purpose AI model capable of performing a wide range of distinct tasks?
- Yes → You are a GPAI model provider. Proceed to Q1a.4.
Q1a.4 Was your GPAI model trained using compute exceeding 10^25 floating-point operations, or has the AI Office designated it as posing systemic risk?
- Yes → You are a provider of a GPAI model with systemic risk and face additional obligations.
- No → You are a standard GPAI model provider.
Q1a.5 Is your organisation established outside the EU?
- Yes → You must appoint an Authorised Representative established in the EU before placing your system on the EU market.
Step 2: Are you a deployer?
Q2.1 Does your organisation use an AI system in a professional context under your own authority, including through vendor-supplied tools?
- Yes → You are a deployer. Proceed to Q2.2.
- No → Proceed to Step 3.
Q2.2 Is the AI system used in any of the following contexts: hiring or HR decisions, credit or insurance assessment, medical diagnosis, education access or assessment, law enforcement, migration processing, critical infrastructure management?
- Yes → You are a deployer of a high-risk AI system and carry obligations under Article 26 including FRIA, human oversight, and log retention.
- No → You are a deployer of a lower-risk system. Transparency obligations may still apply.
Q2.3 Are you using the system for a purpose outside the scope of the provider’s instructions, or have you modified the system?
- Yes → You may have crossed into provider status. Return to Step 1.
Step 3: Are you an importer?
Q3.1 Is your organisation established in the EU?
- No → Proceed to Step 4.
- Yes → Proceed to Q3.2.
Q3.2 Are you placing on the EU market an AI system that bears the name or trademark of a person established outside the EU?
- Yes → You are an importer. You must verify conformity assessment, CE marking, technical documentation, and Authorised Representative appointment before placing the system on the market.
Step 4: Are you a distributor?
Q4.1 Are you making an AI system available on the EU market without being the provider or importer?
- Yes → You are a distributor.
Q4.2 Have you modified the system or placed it on the market under your own name?
- Yes → You are now treated as a provider. Return to Step 1.
Step 5: Do you need an Authorised Representative?
Q5.1 Are you a provider of a high-risk AI system or GPAI model established outside the EU?
- Yes → You must appoint an EU-established Authorised Representative before placing your system on the EU market.
- No → This obligation does not apply.
EU AI Act Role Summary Table
| Scenario | Role(s) | High-risk obligations triggered |
|---|---|---|
| US company selling AI hiring software to EU clients | Provider + must appoint Authorised Representative | Yes |
| EU bank using an AI credit scoring tool from a vendor | Deployer | Yes (Annex III, essential services) |
| EU distributor reselling unchanged US AI software | Distributor | Verification obligations only |
| EU company importing US AI system under US vendor name | Importer | Pre-market verification obligations |
| Medical device manufacturer integrating AI diagnostics | Provider + product manufacturer | Yes |
| Company fine-tuning GPT for proprietary HR tool | Provider (modified system) | Yes if used for employment decisions |
| Company using AI chatbot for website FAQ | Deployer | No (limited risk) |
| Canadian GPAI model provider with EU users | Provider + must appoint Authorised Representative | GPAI obligations from August 2025 |
| EU law firm using AI for document review | Deployer | Depends on use case |
Frequently Asked Questions
Can one organisation hold more than one role?
Yes, and this is common. An organisation that develops its own AI product (provider), uses third-party AI tools internally (deployer), and resells a US vendor’s AI system (importer) holds three distinct roles simultaneously. Each role carries independent obligations that must be managed separately.
We bought an AI tool from a vendor. Are we just a deployer?
In most cases, yes. If you use the tool as supplied, for its intended purpose, you are a deployer. If you modify the tool, integrate it into a product you sell under your own name, or use it for a purpose the vendor did not intend, you may cross into provider territory.
We are a SaaS company. We build on top of a foundation model. Are we a provider?
Almost certainly yes. If you integrate a foundation model into a product you place on the market under your own name or brand, the Act treats you as the provider of that product. Your obligations depend on what the product does and whether it falls into a high-risk category.
Our AI system was built by a contractor. Who is the provider?
The provider is the entity that places the system on the market or puts it into service under its own name or trademark. If you commissioned the development and the system is deployed under your brand, you are the provider regardless of who wrote the code.
We are a non-EU company. Do we need an Authorised Representative immediately?
The deadline depends on your product type. GPAI model providers needed an Authorised Representative from 2 August 2025. High-risk AI system providers must comply by 2 August 2026. There is no grace period after those dates.
What is the difference between an importer and an Authorised Representative?
An importer places an AI system on the EU market under the original vendor’s name and is the first point of EU market entry. An Authorised Representative acts on behalf of a non-EU provider across all compliance matters, including regulatory correspondence and documentation. One entity can hold both roles if it accepts the written mandate.
We are a distributor. If we add our own branding to an AI system, does our role change?
Yes. A distributor that places an AI system on the market under its own name or trademark is treated as a provider under Article 3(3) and assumes full provider obligations. Rebranding is sufficient to trigger this shift.
Does the Act apply to AI systems used only internally, not sold to customers?
Yes. Putting an AI system into service includes internal deployment. A company that builds and deploys an AI system for its own employees’ use is a provider. If that system is used in employment decisions or other Annex III contexts, it is a high-risk provider.
What does substantial modification mean?
The Act does not specify a precise threshold. The relevant test is whether the modification changes the intended purpose of the system in a way that would require a new conformity assessment. Changing the risk profile, the deployment context, or the use case to one listed in Annex III is the clearest signal that a modification is substantial.
We are a law firm advising clients on AI. Do we have obligations under the Act?
Not as a provider or deployer of AI systems, unless you use AI tools in your own practice. If you use AI-assisted document review or contract analysis tools professionally, you are a deployer for those tools. If the tools do not fall into Annex III categories, your obligations are limited.
This guide reflects the text of Regulation (EU) 2024/1689 as published in the Official Journal on 12 July 2024 and applicable guidance issued by the European AI Office through May 2026. It does not constitute legal advice.
![EU AI Act High-Risk System Requirements [UPDATED May 2026]](https://grecta.com/wp-content/themes/blankslate/assets/images/2026/03/hero-image-EU-AI-Act-compliance-automation-platform.png)
