The EU AI Act assigns obligations based on what your company does with AI, not whether you work in a “tech” industry. The single most important question to answer is this one: are you a provider or a deployer?
The answer determines which obligations apply to you, how much documentation you need, and how complex your compliance programme will be. For most organisations, the answer is deployer, and that is actually the simpler side of the fence.
What the distinction means
Providers are companies that develop, train, or place AI systems on the EU market. If you have built an AI product, you are a provider for that system. The obligations are substantial: conformity assessments, CE marking, technical documentation, registration in the EU database, and post-market monitoring.
Deployers are companies that use AI systems in their operations. You procure the system, integrate it into your workflows, and your staff interact with it. You did not build the underlying model.
Approximately 95% of organisations that will need to comply with the AI Act are deployers. The Act does not only apply to AI companies. It applies to any company operating in the EU that uses AI tools to make or inform decisions about people.
What deployers look like in practice
The deployer category is broader than most legal teams initially assume.
A law firm using AI to review contracts is a deployer. A recruitment team using an applicant tracking system with automated CV ranking is a deployer. A bank using a third-party credit scoring model is a deployer. A logistics company using route optimisation software is a deployer. A hospital using an AI diagnostic tool is a deployer.
In each case, the AI system was built by someone else. The organisation procured it, configured it for their use, and put it to work.
Compare that to a software company that has trained its own recommendation engine and sells access to it as part of a subscription product. That company is a provider for the recommendation engine. If it also uses a third-party payroll AI internally, it is simultaneously a deployer for that system.
What deployers do not need to do
This is where the distinction saves you a lot of work.
Deployers are not responsible for:
- CE marking of the AI system
- Conformity assessments
- Technical documentation of the model architecture
- Registration of the system in the EU AI Act database
- Post-market monitoring of the model’s performance over time
Those are provider obligations. The provider of your ATS, your AI customer service tool, or your fraud detection system carries them, not you.
What deployers do need to do
The deployer obligations are real, but they are manageable.
AI literacy policy (Article 4): Every organisation using AI must ensure staff have adequate AI literacy. This means a written policy that identifies which roles interact with AI systems, what knowledge those roles require, and how the organisation will maintain that knowledge. This obligation has been enforceable since February 2025.
Risk classification: For each AI system you use, you need to determine where it falls in the risk hierarchy: prohibited, high-risk (Annex III), limited risk, or minimal risk. You document the classification and the reasoning. This determines what further obligations, if any, apply.
Usage policies for high-risk systems: If any of your AI systems fall into Annex III categories (employment, credit, education, law enforcement, and others), you need a usage policy, human oversight procedures, logging, and in some cases, applicant or user notifications. See the Annex III guide for the full category breakdown.
Transparency notices: Where you deploy AI in customer-facing contexts, users must be told. Article 50 has its own requirements around chatbots and synthetic media.
”We just use third-party tools” does not exempt you
This is the most common misconception among compliance teams, and it creates real exposure.
Using a third-party tool makes you a deployer. It does not make you exempt. The deployer obligations apply to you regardless of who built the system. You remain responsible for classifying the risk of the systems you use, maintaining an AI literacy policy for your staff, and, where applicable, putting high-risk deployer controls in place.
What you can do is verify that your provider has met their obligations. If you are using a high-risk AI system under Annex III, your provider should be able to show you their CE mark and technical documentation. Ask for it. If they cannot produce it, that is a procurement risk, not just a compliance gap.
The edge case: when you become a provider
Fine-tuning a model changes your status. If you take a foundation model, train it on your own data, and deploy the resulting system externally (or even internally in certain contexts), you may become a provider for that use case under Article 25. The specifics depend on the degree of modification and how the system is used.
This matters most for companies that are building custom AI capabilities on top of commercial model APIs. If your development team is doing this, it is worth a specific review with legal counsel.
Three questions to determine where you stand
If you are uncertain about your classification, start here:
- Did your company train, fine-tune, or substantially modify the AI system? If yes, you may be a provider for that system.
- Did your company build the AI product you are selling or offering to customers? If yes, you are a provider for that product.
- Are you procuring and operating an AI system built by someone else? If yes, you are a deployer.
Most organisations answer no, no, yes. That is the deployer path, with a concrete and achievable set of obligations.
Know your obligations as a deployer
Answer 20 questions about your AI systems. AIActComply generates your complete compliance documentation, prefilled for deployers, in 11 EU languages.
Check my compliance →