
Provider vs Deployer Under the EU AI Act: What Is the Difference?


Published: 17 June 2026


One of the first questions organisations should ask themselves when developing, supplying, modifying or using AI systems is whether they qualify as a provider or a deployer under the EU AI Act. Although these terms may appear straightforward, determining the correct role can be more complicated than many companies initially realise. This distinction is important because providers and deployers are subject to different obligations under the AI Act and, in some situations, an organisation can even transition from one role to another. In this article, we explain the difference between providers and deployers, when these roles arise, and why this distinction matters in practice.

 

What Is a Provider Under the EU AI Act?

A provider is defined in Article 3(3) of the AI Act (Regulation (EU) 2024/1689) as ‘a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge.’

 

Article 3(9) of the Act describes ‘places on the market’ as ‘the first making available of an AI system or a general-purpose AI model on the Union market.’

 

Additionally, Article 3(11) describes ‘puts into service’ as ‘the supply of an AI system for first use directly to the deployer or for own use in the Union for its intended purpose.’

 

When Does a Company Become a Provider Under the EU AI Act?

In practice, this means that there are essentially three requirements to become a provider of an AI system or a general-purpose AI model (GPAI) under the EU AI Act. These are:

  1. You need to develop an AI system or GPAI, or have an AI system or GPAI developed for you (i.e. outsource the development);

  2. You place the AI system or GPAI on the market or put the AI system into service; and

  3. This takes place under your own name or trademark.

 

In other words, a company only becomes a provider under the EU AI Act when it places an AI system or general-purpose AI model on the market or puts an AI system into service under its own name or trademark. It does not matter whether the AI system or GPAI is offered for payment or free of charge. For example, OpenAI makes several GPT models available free of charge, yet OpenAI still qualifies as a provider under the AI Act.

 

Importantly, the definition of a provider under the EU AI Act is broader than many organisations realise. An AI provider is not limited to companies that build AI systems themselves, such as software companies, machine learning developers, AI start-ups, or FinTech companies. Organisations that outsource the development of an AI system or GPAI can also become providers if they place the AI system on the market or put it into service under their own name or trademark.

 

Furthermore, it is also possible for a third party, such as a software developer, that creates an AI system for another company to become a provider simultaneously with that company. For example, when the software developer places the GPAI incorporated into the AI system on the market under its own name, it could become the provider of the GPAI while the company remains the provider of the AI system. This means that, in some cases, there may be multiple providers with separate obligations under the AI Act.

 

We will discuss the concept of multiple providers in more detail in a separate article.

 

Whether such an arrangement is even permitted under the applicable contractual and intellectual property arrangements is a separate legal question altogether. The allocation of provider responsibilities under the EU AI Act does not determine who owns the underlying technology or whether a party is contractually entitled to commercialise, integrate or distribute it. Businesses should therefore also carefully consider their software development agreements, licence terms and intellectual property rights.

 

What Is a Deployer Under the EU AI Act?

Under Article 3(4) and Recital 1 of the AI Act, a deployer means 'a natural or legal person, public authority, agency or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity. Depending on the type of AI system, the use of the system may affect persons other than the deployer.'

 

This essentially means that you are a deployer when:

  1. You are using an existing AI system under your authority; and

  2. This is done in the course of a professional activity.

 

This also means that you cannot be a deployer of a GPAI under the AI Act. That role does not exist. Therefore, when a company uses a GPAI (whether developed for it, purchased, or licensed from another company) in the course of a professional activity, the company cannot become the deployer of a GPAI but only the deployer of the AI system under the AI Act. We discuss GPAIs and their specific obligations in more depth in another article.

 

Deployers are often companies that simply use AI systems developed by other companies, for example through licensing a SaaS-based AI system.

 

Examples:

  • A bank using an AI credit-scoring system developed by another company.

  • A hospital using an existing AI diagnostic tool.

  • A law firm using ChatGPT to assist with drafting submissions.

  • A company using an AI recruitment tool purchased from another company.

 

As long as your company uses the AI system without rebranding it under the company's own name, and the AI is used in a professional context, your company will usually only qualify as a deployer. Deployers under the AI Act are responsible for ensuring the safe and compliant use of existing AI systems.


Does the EU AI Act Apply to Companies Outside the EU?

One of the most common misconceptions about the EU AI Act is that it only applies to companies established in the European Union. In reality, under Article 2(1) of the AI Act, the location of the provider or deployer is often irrelevant.

 

The AI Act can apply to companies established anywhere in the world if:

  1. They place an AI system or a general-purpose AI model (GPAI) on the EU market;

  2. They put an AI system into service in the EU; or

  3. The output of the AI system is used within the EU.

 

This means that a company does not need an office, subsidiary, or employees in the European Union to become subject to the AI Act.

 

For example, a US company offers an AI recruitment service. The AI runs on servers in the US and the company is entirely based there. A French company uploads CVs of potential French employees, and the AI ranks the candidates and recommends who should be interviewed. Even though the AI never physically enters the EU and the provider is based in the US, in this case the output of the AI system (the candidate rankings) is used in the EU.

 

In the example above, it may not be clear to the US company that the French company is using its AI system in a manner that results in the output of the AI system being used within the EU. However, if the provider definition of the Act is met, the US company may nevertheless fall within the geographical scope of the AI Act because of this use by the French company. For international third-country companies outside the EU, it is therefore critical to include certain clauses in their user agreements so that they do not unknowingly become subject to the EU AI Act.

 

Recital 22 of the AI Act does narrow this broad geographical scope somewhat by stating that the Act should apply to providers and deployers of AI systems established in a third country, to the extent that the output produced by those systems is intended to be used in the Union. The question remains when output can be considered to be 'intended' for use in the EU.

 

In short, the key question is usually not, 'Where is the company located?', but rather, 'Is the AI system, GPAI, or its output reaching the European Union?' If the answer is yes, the provider will often be subject to the EU AI Act regardless of whether it is established in the United States, the United Kingdom, Israel, India, Australia, or any other country outside the European Union.

 

Why Does the Difference Between a Provider and Deployer Matter?

Whether you are a deployer or a provider matters because it determines which obligations you have under the EU AI Act.

 

Since the AI Act is risk-based, your obligations do not only depend on your role, but also on the AI system involved. Whether an AI system is classified as low, medium, or high risk, and the type of AI system involved, are highly important factors in determining the specific obligations that apply to providers and deployers. However, we discuss these obligations for the different AI systems in more depth in another blog post.

 

It is important to first determine whether the AI Act applies to your organisation and, if so, whether you qualify as a provider or deployer.

 

When Can a Deployer Become a Provider Under the EU AI Act?

In some cases, it is also possible for a deployer to become a provider under the AI Act. Article 25(1) of the Act explicitly states that deployers or other third parties shall be considered to be providers of a high-risk AI system under the Act when they:

  1. Put their name or trademark on a high-risk AI system that has already been placed on the market or put into service, unless contractual agreements stipulate otherwise;

  2. Make a substantial modification to a high-risk AI system that has already been placed on the market or put into service in such a way that it remains a high-risk AI system; or

  3. Modify the intended purpose of an AI system, including a general-purpose AI system, that has not been classified as high risk and has already been placed on the market or put into service, in such a way that the AI system concerned becomes a high-risk AI system.

 

In these cases, the AI Act treats the deployer or third party as the provider of the AI system, and the provider that initially placed the AI system on the market or put it into service will no longer be considered the provider of that specific AI system according to Article 25(2).

 

However, this does not mean that the initial provider no longer has obligations under the AI Act. The initial provider must still closely cooperate with the new provider and make available the necessary information, as well as provide the reasonably expected technical access and other assistance required for the fulfilment of the obligations set out in the Act. We discuss Article 25 in more depth in another blog post.

 

Practical Tips for Companies Under the EU AI Act

As a company using an AI system for commercial purposes, it is important to understand what role you may have under the AI Act. Therefore, always take the following into account:

  • Determine from the outset what the purpose of your AI system will be and who will be able to use it, and under what conditions.

  • Determine whether you want to market the AI system under your own name or trademark.

  • Document the development process (or the outsourcing of that development) from the outset, including who did what and for what purpose.

  • When supplying your AI system to others, make sure that the contractual clauses regarding the use of AI output in the EU are very clear.

  • Make sure that all contracts between you and other parties, such as the developer, buyer or licensee of the AI system, contain appropriate liability clauses. Seek legal advice if you are unsure what should be included in these contractual clauses.

  • Remember that even when you outsource the development of an AI system, or are based outside of the EU, you may still have a role and obligations under the AI Act.

 

Conclusion

Determining whether your organisation is a provider or a deployer under the EU AI Act is an essential step in understanding your compliance obligations. This assessment is not always straightforward and depends on several factors, including how the AI system is developed, marketed, modified, and used. Furthermore, organisations outside the European Union can also fall within the scope of the AI Act. Taking the time to correctly identify your role at an early stage can help avoid unexpected obligations and reduce legal and commercial risks later on.


Disclaimer: This article is intended to provide general information only and does not constitute legal advice. The law may apply differently depending on the specific facts of each case. Before taking any action based on the information in this article, you should obtain legal advice tailored to your circumstances. For advice on your specific situation, please contact Ingenium Law through contact@ingeniumlaw.com.
