Under the EU AI Act (Regulation EU 2024/1689) the first compliance question is not "what does my AI system do", but "what role do I play in relation to that system". Obligations don't follow company size: they follow the role. The two figures that matter for most businesses are the provider and the deployer (the professional user).

The two roles: provider and deployer

The definitions are in Art. 3 of the Regulation:

  • Provider: whoever develops an AI system — or has it developed — and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.
  • Deployer: whoever uses an AI system under its own authority in a professional activity (personal, non-professional use is excluded).

The same company can hold different roles on different systems: you are the deployer of the third-party tool you adopt and, at the same time, you may be the provider of the system you build in-house and offer to clients.

Who does what: obligations compared

For high-risk systems the difference in burden is stark.

The provider (Art. 16 and following) must, among other things:

  1. Establish a risk-management system and data governance.
  2. Draw up the technical documentation (Annex IV) and keep logs.
  3. Ensure transparency and instructions for use, design human oversight and ensure accuracy, robustness and cybersecurity.
  4. Pass the conformity assessment, affix the CE marking and register the system in the EU database.
  5. Take corrective actions and maintain a quality-management system.

The deployer (Art. 26) has lighter but non-trivial obligations:

  1. Use the system in line with the instructions from the provider.
  2. Assign human oversight to competent, trained people.
  3. Ensure that input data is relevant to the purpose.
  4. Monitor operation and inform provider and authorities of risks or serious incidents; keep the logs available.
  5. If an employer, inform affected workers; ensure transparency towards the people subject to the system.

On top of this, some deployers (e.g. public bodies and essential services) must carry out a fundamental-rights impact assessment (FRIA, Art. 27), and — where personal data is processed — a DPIA under Art. 35 GDPR.

When a deployer becomes a provider

This is the part that surprises people most. Art. 25 provides that a deployer (or a distributor, importer or third party) is deemed to be a provider of a high-risk system — with all the provider's obligations — in three cases:

  • Rebranding: it puts its own name or trademark on a high-risk system already placed on the market.
  • Substantial modification: it makes a substantial modification to a high-risk system already on the market.
  • Change of purpose: it changes the intended purpose of an AI system (even a non-high-risk one) in such a way that it becomes high-risk.

In plain terms: heavily customising a model, reselling it under your own brand, or using it for a purpose other than the one declared can shift the provider's compliance burden onto you. It is one of the most common traps for those who "build on top of" third-party tools.

What this means in practice for an SME

  1. Map the roles, system by system: for each AI system, are you provider or deployer?
  2. For systems where you are a deployer, obtain and keep the instructions for use, define who performs human oversight and how you monitor.
  3. Check whether any use tips you into the provider role (Art. 25): that's where the risk of non-compliance jumps.
  4. Remember that AI literacy (Art. 4) applies to both roles.

Where to start

Clarifying roles is the first output of a gap assessment: a map of your AI systems, the role you hold on each and the obligations that follow, with priorities and owners. It is the cheapest way to avoid both over-engineering and nasty surprises — and the first step toward AI that is compliant, safe and defensible.