Who’s Who in the EU AI Act: Providers, Deployers & Other Key Roles Explained
A simple guide to the main actors defined in the EU AI Act — who they are, what they do, and when you “become the provider.”
Why Roles Matter
Under the EU AI Act, who you are determines what you must do.
The law assigns specific obligations based on your role in the AI system’s lifecycle — from design to deployment.
Understanding these roles early helps organizations correctly allocate compliance duties, avoid liability, and ensure documentation aligns with the right obligations.
Let’s break down the main roles in plain English.
The Provider — the “Manufacturer” of AI
The Provider is the actor who develops an AI system or places it on the market under their name or brand, regardless of whether it’s for commercial or non-commercial use.
You are considered the Provider if you:
Build an AI system from scratch.
Commission development by a third party but sell it under your brand.
Make significant modifications to an existing system, changing its intended purpose.
Integrate multiple components or models into a new system.
Key responsibilities include:
Conducting conformity assessments before market release.
Preparing and maintaining technical documentation.
Ensuring data quality, risk management, and human oversight mechanisms.
Implementing post-market monitoring and incident reporting procedures.
Cooperating with authorities during audits or investigations.
✅ Rule of thumb: if your name or logo appears on the AI product — you’re the Provider.
The Deployer — the “User in Charge”
The Deployer (sometimes called the “operator”) is the entity that uses an AI system in real-world operations — such as a company applying AI to hiring, healthcare, credit scoring, or customer service.
You’re the Deployer if you:
Use a third-party AI model or tool within your business process.
Configure or fine-tune an AI model for your internal use.
Integrate AI output into decision-making processes (e.g., HR, lending, education).
Key responsibilities include:
Using the AI system as intended by the Provider.
Monitoring its performance and reporting anomalies or incidents.
Ensuring human oversight when required.
Maintaining transparency with affected individuals (especially in high-risk contexts).
Keeping usage logs and records for accountability.
✅ Rule of thumb: if you’re using an AI system to make or support decisions — you’re the Deployer.
The Importer — the “EU Entry Point”
The Importer is any person or organization that brings an AI system from outside the EU into the EU market.
Their job: ensure the system complies with the EU AI Act before it’s made available.
Core duties:
Verifying the system carries the correct CE marking.
Checking that documentation and declarations of conformity are complete.
Ensuring the Provider outside the EU has met their obligations.
✅ Rule of thumb: if you act as the bridge between a non-EU developer and EU users — you’re the Importer.
The Distributor — the “Middleman”
A Distributor makes an AI system available on the EU market without altering it — think resellers, app stores, or B2B marketplaces.
Responsibilities:
Verifying that labeling, CE marking, and documentation are intact.
Ensuring the AI has not been modified or misused before resale.
Taking corrective action or halting distribution if issues arise.
✅ Rule of thumb: if you resell or distribute AI systems, but didn’t develop or deploy them — you’re the Distributor.
The Authorized Representative — the “EU Contact Point”
If a Provider is based outside the EU, they must appoint an Authorized Representative within the EU.
This representative acts as the official point of contact for authorities and can be held responsible for non-compliance in certain cases.
General-Purpose AI (GPAI) Roles
The Act also introduces special responsibilities for GPAI Providers — those developing or fine-tuning foundation models like large language models (LLMs).
They must:
Publish model documentation and training summaries.
Support downstream compliance for Deployers using their model.
Report serious incidents or systemic risks to the EU AI Office.
When Do You “Become the Provider”?
This is one of the trickiest — and most important — questions.
You “become the Provider” when you:
Modify an AI system’s intended purpose.
Retrain or fine-tune a foundation model in a way that changes its function or risk profile.
Integrate multiple models or tools into a new combined system.
Commercialize an open-source or third-party model under your own brand.
✅ Example:
If you take an open-source LLM, fine-tune it for legal document analysis, and release it as “LexiAI,” you are the Provider — even if you didn’t build the original model.
Plain-English Summary
Role | What You Do | Key Responsibility |
|---|---|---|
Provider | Builds or markets AI under their name | Full compliance & documentation |
Deployer | Uses AI in operations | Safe use, oversight, record-keeping |
Importer | Brings AI into the EU | Verifies compliance before entry |
Distributor | Resells existing AI | Ensures labeling & conformity |
Authorized Representative | EU contact for non-EU provider | Liaison with regulators |
GPAI Provider | Builds or adapts foundation models | Transparency & risk mitigation |
Key Takeaway
The EU AI Act’s obligations flow along the AI supply chain.
Every participant — from developer to end user — carries a piece of the compliance puzzle.
Identifying your correct role early ensures you invest in the right processes, documentation, and oversight mechanisms.
