Provider, Deployer, or Both?

The EU AI Act defines two main roles with different sets of obligations.

Provider (Article 3(3)): The company that develops or builds the AI system and places it on the market or puts it into service. Even if they outsource the actual coding — if the AI system is released under their name or trademark, they are the provider.

Deployer (Article 3(4)): The company that uses an AI system in their operations under their own authority. They did not build it, but they deploy it for a specific purpose.

Understanding which role you play is critical because it determines what obligations you must fulfill.

Think of it like cars.

The Provider is the car manufacturer. BMW designs and builds the car. They are responsible for making sure it is safe — the brakes work, the airbags deploy, the emissions meet standards. They bear the heaviest safety obligations.

The Deployer is the taxi company. They buy the car and use it to drive passengers. They did not build the car, but they are responsible for using it properly — maintaining it, following traffic rules, having the right insurance, making sure their drivers are trained.

Both have responsibilities, but different ones. The manufacturer ensures the product is safe by design. The taxi company ensures it is used safely in practice. Same logic applies to AI systems.

Here is where it gets interesting. Article 25 describes situations where a deployer gets "promoted" to provider status — and inherits all the heavier provider obligations.

This happens when you: Put your own name or trademark on someone else's AI system. Substantially modify a high-risk AI system. Change the intended purpose of an AI system so that it becomes high-risk. Make a substantial modification to any high-risk AI system.

Example: You buy an off-the-shelf AI chatbot. You use it for customer service — you are a deployer. Then you customize it heavily to screen job applications — you have changed its intended purpose to a high-risk use case. Congratulations, you are now the provider of a high-risk AI system, with all the obligations that come with it.

This is called "role-shifting" and it catches many companies by surprise. The Witness Role Classifier tool helps you determine your exact role.

Your role determines the scope and weight of your compliance obligations.

Providers have MORE obligations because they built the system and are responsible for its design. They must ensure the AI system meets all technical requirements before placing it on the market. They must implement a quality management system, conduct conformity assessments, maintain technical documentation, and monitor the system after deployment.

Deployers have FEWER but still important obligations. They must use the system according to the provider's instructions, ensure human oversight by trained people, monitor the system's operation, keep logs, and in some cases conduct a Fundamental Rights Impact Assessment.

If you are both — you built the AI system AND you use it yourself — then you have ALL obligations. Both the provider obligations and the deployer obligations apply to you.