Which EU AI Act role are you?
The EU AI Act attaches obligations to roles, not to organisations in the abstract. Before anything else, you have to work out which role you occupy for a given AI system — because a provider and a deployer answer for very different things. This is a plain-English guide to the four roles most organisations need to understand.
Why the role question comes first
The same AI system can sit in several hands on its way to the people it affects — the organisation that builds it, the one that brings it into the EU, the one that resells it, and the one that finally uses it. The Act spreads accountability across that chain by defining distinct roles and giving each a tailored set of duties. Identifying your role (or roles) is therefore the foundational step in any EU AI Act readiness exercise.
The four roles below are the ones most organisations encounter. Each links to a full definition with its primary source. For the heaviest duties — those on high-risk AI — see the dedicated explainer; for the law itself, see what the EU AI Act is.
Provider
Article 3(3)Develops an AI system or general-purpose AI model (or has one developed) and places it on the market or puts it into service under its own name or trademark.
Core obligations (high-level)
- ·Risk-management system across the lifecycle
- ·Data governance and technical documentation
- ·Logging, transparency, and instructions for use
- ·Human-oversight design, accuracy, robustness, and cybersecurity
- ·Conformity assessment, EU declaration of conformity, and CE marking
- ·Registration, post-market monitoring, and serious-incident reporting
You’re likely a provider if: You build, train, or brand the system yourself — or you put your name on someone else’s.
Deployer
Article 3(4)Uses an AI system under its own authority in a professional capacity (the role formerly called “user” in earlier drafts).
Core obligations (high-level)
- ·Use the system in line with the provider’s instructions
- ·Assign competent, trained human oversight
- ·Monitor operation and suspend or report when risks emerge
- ·Keep the logs the system generates, where under your control
- ·Inform affected people in certain cases
- ·For some deployers, carry out a fundamental-rights impact assessment
You’re likely a deployer if: You adopt a third-party AI tool and put it to work in your operations. Most organisations are here.
Importer
Article 3(6)Is located or established in the EU and places on the market an AI system that carries the name or trademark of a person established outside the EU.
Core obligations (high-level)
- ·Verify the provider completed the conformity assessment
- ·Check the technical documentation, CE marking, and declaration exist
- ·Confirm an authorised representative has been appointed
- ·Ensure storage and transport don’t compromise conformity
- ·Add your contact details and cooperate with authorities
You’re likely a importer if: You bring a non-EU developer’s AI system into the EU market.
Distributor
Article 3(7)Is in the supply chain — other than the provider or importer — and makes an AI system available on the EU market.
Core obligations (high-level)
- ·Verify the CE marking, declaration, and instructions are present
- ·Check the provider and importer met their own obligations
- ·Act (and don’t supply) where you consider a system non-conforming
- ·Ensure storage and transport don’t compromise conformity
You’re likely a distributor if: You resell or otherwise pass on an AI system without developing or importing it.
Obligations shown are a high-level summary. The detailed duties for high-risk systems sit in Articles 16–27 of the Regulation.
A deployer can quietly become a provider
Under Article 25, a deployer, distributor, or importer is treated as the provider of a high-risk system — and takes on the full provider obligations — if it puts its own name or trademark on the system, makes a substantial modification to it, or changes the intended purpose of a system so that it becomes high-risk. Fine-tuning a third-party model, re-branding a vendor tool, or repurposing a system into a high-risk use can all move you up the chain without you intending it.
The practical lesson: revisit your role whenever you customise, re-badge, or repurpose an AI system — not just when you first procure it. See substantial modification for how this threshold works.
You can be in scope without an EU office
The Act applies extraterritorially (Article 2). It reaches providers that place AI systems on the EU market wherever they are based, deployers located in the EU, and providers and deployers outside the EU where the system’s output is used in the EU. For organisations in Australia and elsewhere, that means EU obligations can attach to AI whose outputs reach people in the Union — so the role analysis matters even without an EU presence.
Beyond the four above, the Act defines an operator as an umbrella covering all of these roles plus the product manufacturer (where AI is a safety component of a regulated product) and the authorised representative (an EU-based party a non-EU provider must appoint). The moments that trigger obligations are placing on the market and putting into service.
Frequently asked questions
Am I a provider or a deployer under the EU AI Act?
In short: if you build, train, or put your own name or trademark on the system, you are likely a provider. If you take a third-party system and use it under your own authority in your operations, you are likely a deployer. Providers carry the heaviest obligations; deployers carry lighter but still real ones. Many organisations are deployers, not providers — but the same organisation can be a provider for one system and a deployer for another.
Can a company be both a provider and a deployer?
Yes. The roles attach to a system, not to your organisation as a whole, so you can be a provider of one AI system and a deployer of another at the same time. Work out your role separately for each AI system you build, buy, or use.
Can a deployer become a provider?
Yes — this is one of the most important traps. Under Article 25, a deployer, distributor, or importer is treated as the provider of a high-risk system (and takes on the provider obligations) if it puts its own name or trademark on the system, makes a substantial modification to it, or changes the intended purpose of a system so that it becomes high-risk. Fine-tuning or repurposing a third-party model can quietly move you into the provider role.
Does the EU AI Act apply to organisations outside the EU?
It can. The Act applies extraterritorially: to providers that place AI systems on the EU market wherever they are established, to deployers located in the EU, and to providers and deployers outside the EU where the output of the system is used in the EU. An organisation with no EU office can still be in scope.
What is an “operator” under the EU AI Act?
Operator is an umbrella term (Article 3(8)) covering a provider, product manufacturer, deployer, authorised representative, importer, or distributor. The Act uses it as shorthand when an obligation applies to several roles at once.
When do these obligations start to apply?
The Act’s obligations are phasing in over several years, with different dates for prohibited practices, general-purpose AI models, transparency duties, and high-risk systems. Those dates are being adjusted through the EU’s Digital Omnibus process, so always check the current timeline rather than relying on a fixed date.
Related glossary terms
Not sure where your systems land?
Mapping your AI to the right roles — and the obligations that follow — is exactly the kind of work that benefits from a structured look. Start with a quick self-assessment, or start a conversation.
This page is a high-level explanation of the EU AI Act’s role definitions, not legal advice, and it does not capture every nuance or exception. Role classification can be fact-specific. Always verify against the text of Regulation (EU) 2024/1689 and your own legal counsel.