← Back to blog

Provider vs Deployer: Which Role Do You Have Under the EU AI Act?

2026-07-11·6 min read·Basics, Provider, Deployer

Why role matters more than risk level

Most founders start by asking "is my product high-risk?" That's the wrong first question. The AI Act assigns obligations based on role first, risk category second. Get the role wrong, and you'll either over-build compliance you don't need, or miss obligations that actually apply to you.

The four roles (only two matter for most SaaS)

RoleWhat it meansCommon for
ProviderDevelops an AI system, or has one developed, and places it on the market under its own nameSaaS companies fine-tuning or building on top of a model
DeployerUses an AI system under its own authority in the course of a professional activitySaaS companies calling an off-the-shelf API without modification
ImporterPlaces a non-EU provider's system on the EU marketRare for software-only SaaS
DistributorMakes an AI system available without being the providerRare for software-only SaaS

The test most founders get wrong

The line between provider and deployer isn't "did you write the model" — it's "whose name is the system placed under, and did you modify its intended purpose."

The practical reality: most AI SaaS companies are providers of the system they ship (their product), even when they're deployers of the underlying model they call via API. Both roles can apply to the same company for different parts of the same product.

Why this changes what you need to do

If you're a ProviderIf you're a Deployer
Technical documentation (Annex IV)Use the system per the provider's instructions
Risk management system (Art. 9)Human oversight during actual use (Art. 26)
Conformity assessment before market placementMonitor operation, report serious incidents
Registration in EU database (high-risk)Keep logs the provider's system generates
Post-market monitoring (Art. 72)Inform affected persons where required

Providers carry the heavier documentation burden. Deployers carry the operational-diligence burden. If you're both — which is common — you carry pieces of each.

Quick self-check

Ask these three questions about your product:

  1. Does it carry your brand/name to the end user? → leans provider.
  2. Did you set its intended purpose, or did a vendor? → your own purpose = provider signal.
  3. Do you only consume an API without repackaging it as your own system? → leans deployer only, for that specific component.

The bottom line

Don't skip straight to "am I high-risk." Determine your role first — it decides which article numbers even apply to you, and it's the first thing a lawyer will ask when you finally book that call.


Not sure where your product stands?

Run a free AI Act readiness scan. Get your risk score in 2 minutes.

→ Get your free risk score