Provider vs Deployer: Who Must Do What
Understanding the different obligations for AI providers and deployers under the EU AI Act. Learn your role and responsibilities.
Are you a Provider or Deployer?
You develop/market the AI or substantially modify it.
You implement/operate an AI you obtained from a provider.
Obligations Table
| Role | Core Duties |
|---|---|
| Provider |
|
| Deployer |
|
Real-world Examples
Startup sells AI HR screening → provider duties.
A company that develops and markets an AI system for screening job candidates must fulfill all provider obligations including risk management, technical documentation, and conformity assessment.
Company uses 3rd-party HR AI → deployer duties (plus HR-specific safeguards).
A company that purchases and implements a third-party AI system for HR screening must fulfill deployer obligations including contextual risk analysis, following instructions, and maintaining oversight.
Key Differences Explained
Provider Responsibilities (Design-time)
Providers focus on design-time obligations - creating safe, compliant AI systems before they reach the market.
- • Design and implement risk management systems
- • Create comprehensive technical documentation
- • Ensure data quality and governance
- • Conduct conformity assessments for high-risk AI
- • Provide clear instructions for use
Deployer Responsibilities (Operational)
Deployers focus on operational obligations - using AI systems safely and responsibly in their specific context.
- • Conduct contextual risk analysis for their use case
- • Follow provider instructions carefully
- • Maintain human oversight during operation
- • Monitor system performance and log activities
- • Report incidents and maintain post-market monitoring
Not sure which role applies to you?
Run our free scan to determine your role and get specific compliance requirements for your AI system.