Provider vs deployer (EU AI Act)
Under the EU AI Act (Regulation (EU) 2024/1689), a provider develops an AI system or has one developed and places it on the EU market under its own name, while a deployer uses an AI system under its authority in a professional capacity. The two roles carry sharply different obligations, and one organisation can be both.
How the roles differ
- Provider (Article 3(3)) - develops or commissions an AI system and places it on the market or puts it into service under its own name or trademark. Carries the heaviest duties for high-risk systems: risk management, data governance, technical documentation, conformity assessment, and the EU declaration of conformity.
- Deployer (Article 3(4)) - uses an AI system under its authority for professional purposes. Lighter but real duties under Article 26: follow the provider's instructions, ensure human oversight, monitor operation, and keep logs.
- Most SMBs are deployers of third-party AI tools. Some are also providers of AI features inside their own products.
When a deployer becomes a provider
Under Article 25, a deployer can be reclassified as a provider and inherit provider obligations if it puts its name or trademark on a high-risk system, makes a substantial modification to one, or modifies the intended purpose of an AI system so that it becomes high-risk. Getting the role right early decides which obligations apply, so ComplyAgent records the provider or deployer status for each system in your inventory.
Last reviewed June 2026 by the ComplyAgent team.
See also our EU AI Act compliance guide, ISO/IEC 42001 and NIST AI RMF, or browse the full glossary.