Under the EU AI Act (Regulation EU 2024/1689) the first compliance question is not "what does my AI system do", but "what role do I play in relation to that system". Obligations don't follow company size: they follow the role. The two figures that matter for most businesses are the provider and the deployer (the professional user).
The two roles: provider and deployer
The definitions are in Art. 3 of the Regulation:
- Provider: whoever develops an AI system — or has it developed — and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.
- Deployer: whoever uses an AI system under its own authority in a professional activity (personal, non-professional use is excluded).
The same company can hold different roles on different systems: you are the deployer of the third-party tool you adopt and, at the same time, you may be the provider of the system you build in-house and offer to clients.
Who does what: obligations compared
For high-risk systems the difference in burden is stark.
The provider (Art. 16 and following) must, among other things:
- Establish a risk-management system and data governance.
- Draw up the technical documentation (Annex IV) and keep logs.
- Ensure transparency and instructions for use, design human oversight and ensure accuracy, robustness and cybersecurity.
- Pass the conformity assessment, affix the CE marking and register the system in the EU database.
- Take corrective actions and maintain a quality-management system.
The deployer (Art. 26) has lighter but non-trivial obligations:
- Use the system in line with the instructions from the provider.
- Assign human oversight to competent, trained people.
- Ensure that input data is relevant to the purpose.
- Monitor operation and inform provider and authorities of risks or serious incidents; keep the logs available.
- If an employer, inform affected workers; ensure transparency towards the people subject to the system.
On top of this, some deployers (e.g. public bodies and essential services) must carry out a fundamental-rights impact assessment (FRIA, Art. 27), and — where personal data is processed — a DPIA under Art. 35 GDPR.
When a deployer becomes a provider
This is the part that surprises people most. Art. 25 provides that a deployer (or a distributor, importer or third party) is deemed to be a provider of a high-risk system — with all the provider's obligations — in three cases:
- Rebranding: it puts its own name or trademark on a high-risk system already placed on the market.
- Substantial modification: it makes a substantial modification to a high-risk system already on the market.
- Change of purpose: it changes the intended purpose of an AI system (even a non-high-risk one) in such a way that it becomes high-risk.
In plain terms: heavily customising a model, reselling it under your own brand, or using it for a purpose other than the one declared can shift the provider's compliance burden onto you. It is one of the most common traps for those who "build on top of" third-party tools.
What this means in practice for an SME
- Map the roles, system by system: for each AI system, are you provider or deployer?
- For systems where you are a deployer, obtain and keep the instructions for use, define who performs human oversight and how you monitor.
- Check whether any use tips you into the provider role (Art. 25): that's where the risk of non-compliance jumps.
- Remember that AI literacy (Art. 4) applies to both roles.
Where to start
Clarifying roles is the first output of a gap assessment: a map of your AI systems, the role you hold on each and the obligations that follow, with priorities and owners. It is the cheapest way to avoid both over-engineering and nasty surprises — and the first step toward AI that is compliant, safe and defensible.