AIRegistra

EU AI Act

Role declaration

The EU AI Act assigns obligations based on the role your company plays with respect to a given AI system. Most companies play more than one role. The Act defines four operator roles in Article 3:

  • Provider — develops or has developed an AI system or a general-purpose AI model and places it on the market or puts it into service under its own name or trademark.
  • Deployer — uses an AI system under its authority. This is the role most companies fall into for the AI tools they buy.
  • Importer — established or located in the EU, places on the market an AI system that bears the name or trademark of a natural or legal person established outside the EU.
  • Distributor — natural or legal person in the supply chain, other than the provider or importer, that makes an AI system available on the EU market.

Each role carries a distinct set of obligations. Article 4 (AI literacy) applies to providers and deployers.

Decision tree

Walk through the questions in order. You can land on more than one role.

1. Do you build or have someone build AI features under your brand?

If your company ships software with embedded AI capabilities — even if the underlying model is from a third party (OpenAI, Anthropic, Mistral, Cohere, your own fine-tune) — and you place those AI features on the market under your own name or trademark, you are a provider.

Examples:

  • A B2B SaaS that has a “summarise this thread” button using OpenAI under the hood. Provider.
  • A consumer app whose feature set includes an AI assistant fine-tuned by you. Provider.
  • An internal-only tool used by your employees, not placed on the market. Not a provider for that tool — see below.

2. Do you use AI tools to do your work?

If anyone at your company uses ChatGPT, Claude, Gemini, Copilot, Notion AI, or any other AI tool in the course of their work — for company purposes, on company data — you are a deployer of those tools.

This is the role that catches everyone. There is no exemption for “we only use it lightly” or “we use the free tier”. If your team uses the tool for company work, you are a deployer of that tool.

3. Do you bring AI systems into the EU on behalf of a non-EU vendor?

If your company is the EU-side party that imports an AI system from a non-EU provider and places it on the EU market — for example, a European subsidiary of a US AI company doing the EU release work — you are an importer of that system.

This rarely applies to mid-market companies. It usually shows up where a company is operating as the EU presence for a non-EU partner.

4. Do you resell or distribute AI systems made by others?

If you make AI systems available on the EU market without modifying them materially — typical of a reseller or marketplace operator — you are a distributor of those systems.

Like the importer role, this is uncommon for mid-market deployers and providers.

Two common combinations

Most mid-market companies land on one of these two combinations.

Pure deployer (most common)

You use AI tools (the deployer role) but you do not build or ship AI features under your own name. You are a deployer of every AI tool your team uses, and you are nothing else for AI Act purposes. The Act’s obligations on you flow through the deployer track.

Provider + deployer (common for SaaS companies)

You build AI features into your product (the provider role) and you use AI tools internally (the deployer role). You have two separate obligation streams:

  • As provider: the AI features you ship come with provider obligations (technical documentation, conformity, post-market monitoring, instructions for use, AI literacy of your own staff).
  • As deployer: your internal use of third-party AI tools comes with deployer obligations (use according to instructions, monitoring, AI literacy of staff using those tools, logs in some cases).

These are tracked separately in AIRegistra. Declaring both roles seeds two checklists.

Why role declaration matters

The role(s) you declare drives:

  • Which AI Act readiness checklist you see — provider has ~16 items, deployer has ~24, importer ~11, distributor ~10.
  • Which evidence categories matter — providers care about technical documentation; deployers care about training records and usage logs.
  • What auditors and customers expect to see — your role is the first question on most AI-Act-aware vendor questionnaires.

Misdeclaring (e.g., declaring “deployer” when you are also a provider) does not reduce your obligations. The obligations attach to the role, not the declaration. AIRegistra’s role-declaration step exists so the readiness checklist can show you the right items, not as a regulatory filing in itself.

Edge cases

A few patterns confuse companies:

  • Internal-only AI features. If you build an AI feature for your own staff and never place it on the market, you are not a provider for that feature. You are still a deployer of any third-party models or tools used inside it.
  • Embedded AI from a vendor. If your product re-exposes an AI feature from a vendor under their brand (e.g., “Powered by OpenAI”), the lines depend on the integration. Talk to counsel.
  • Heavy customisation. Substantially modifying a third-party AI system before deploying it can shift you from deployer to provider for that modified system. Article 25.
  • Free trials and proofs-of-concept. Article 4 applies regardless of payment. If your team uses a free-tier AI tool for company work, you are a deployer of it.

Where to go next

This is general information, not legal advice. Application to your company depends on your specific facts; consult your own counsel.

7 min read · Last updated

Found something out of date? Email hello@airegistra.com.