--- title: "EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries" source_url: "https://www.sorena.io/artifacts/eu/ai-act/faq/provider-and-deployer-role-boundaries" author: "Sorena AI" description: "FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU AI Act provider deployer" - "Article 3 AI Act" - "Article 25 AI Act" - "AI Act operator" - "GPAI model provider" - "downstream provider" - "EU AI Act" - "Article 3 definitions" - "Article 25 responsibilities" - "provider" - "deployer" - "operator" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. *FAQ* *EU AI Act* ## EU AI Act Provider and Deployer Role Boundaries Article 3 starts the role split: a provider develops, has developed, places on the market, or puts into service an AI system or GPAI model under its name or trademark; a deployer uses an AI system under its authority. Article 25 can shift provider status to a distributor, importer, deployer, or other third party when branding, substantial modification, or a changed intended purpose turns the system into a high-risk AI system. Use this FAQ to classify EU AI Act roles before assigning obligations. It separates Article 3 role definitions from Article 25 role shifts, then covers downstream GPAI integrations and the evidence that should prove why a team is acting as provider, deployer, importer, distributor, authorised representative, product manufacturer, or another operator. ## What is the core provider-versus-deployer test under Article 3 of the EU AI Act? A provider is the actor that develops an AI system or general-purpose AI model, or has one developed, and places it on the market or puts the AI system into service under its own name or trademark. That test is about development control, commissioning, market placement, service launch, and branding, not only technical authorship. A deployer is the actor using an AI system under its authority, except for personal non-professional use. A company can therefore be a deployer of a supplier system even when the supplier remains the provider, because the company controls the concrete use context, users, operating process, input data under its control, and internal oversight. - Treat name, trademark, market-placement records, commissioning contracts, technical documentation, and launch materials as provider evidence. - Treat business-process ownership, user instructions, access controls, input-data procedures, monitoring records, and logs under the organisation's control as deployer evidence. - Do not use 'owner' as a substitute role. The AI Act uses defined actors such as provider, deployer, importer, distributor, authorised representative, product manufacturer, and operator. - Classify each system and model separately. A party can be the deployer of one AI system, the provider of a modified high-risk system, and a downstream provider integrating a GPAI model in another product. Sources for this answer: - [Regulation (EU) 2024/1689 - Article 3 definitions](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Defines provider, deployer, authorised representative, importer, distributor, operator, placing on the market, putting into service, intended purpose, substantial modification, and GPAI model. ## How do importer, distributor, authorised representative, product manufacturer, and operator roles fit around provider and deployer roles? The AI Act uses 'operator' as an umbrella term that includes provider, product manufacturer, deployer, authorised representative, importer, and distributor. It is useful for scoping the full value chain, but it is not enough for assigning concrete duties because the named roles have different triggers. An authorised representative is a Union-based person with a written mandate from a provider to carry out obligations and procedures on the provider's behalf. An importer places on the Union market an AI system bearing the name or trademark of a third-country person. A distributor is a supply-chain actor, other than provider or importer, that makes an AI system available on the Union market. A product manufacturer can become the provider of a high-risk AI system when the high-risk AI system is a safety component of a product covered by listed Union harmonisation legislation and is placed on the market or put into service under the product manufacturer's name or trademark. - For authorised representatives, keep the written mandate and the provider identity; the mandate does not erase the provider role. - For importers, keep evidence of the third-country name or trademark on the AI system and the first Union market placement route. - For distributors, keep supply-chain records showing the system was made available without the distributor being the provider or importer. - For product manufacturers, keep the product-law file showing whether the AI system is a safety component and whether it is marketed or put into service under the manufacturer's name or trademark. - For operators, map every concrete actor to one of the named Article 3 roles before assigning obligations. Sources for this answer: - [Regulation (EU) 2024/1689 - Article 3 operator and supply-chain definitions](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the distinction between operator as an umbrella term and the specific roles of authorised representative, importer, distributor, deployer, provider, and product manufacturer. - [Regulation (EU) 2024/1689 - Article 25 responsibilities along the AI value chain](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Explains when a product manufacturer is treated as provider for high-risk AI systems that are safety components of products. ## When does Article 25 shift a deployer or other third party into provider status? Article 25 is the role-shift rule for high-risk AI systems. A distributor, importer, deployer, or other third party is treated as the provider, and is subject to provider obligations, when one of three triggers is met: it puts its name or trademark on an already placed or put-into-service high-risk AI system; it makes a substantial modification to an already placed or put-into-service high-risk AI system so that it remains high-risk; or it changes the intended purpose of an already placed or put-into-service AI system, including a GPAI system, so that the system becomes high-risk. When an Article 25 shift occurs, the initial provider is no longer considered the provider of that specific AI system for AI Act purposes, but must closely cooperate with the new provider and provide necessary information, technical access, and other reasonably expected assistance. That cooperation rule does not apply where the initial provider clearly specified that its AI system must not be changed into a high-risk system. - Rebranding evidence: trademark, UI branding, packaging, app-store listing, customer contract, and public materials showing whose name is attached to the high-risk AI system. - Substantial-modification evidence: change request, architecture or operating-system change, model or software change, conformity-impact analysis, and whether the modification was foreseen in the initial conformity assessment. - Intended-purpose evidence: original instructions for use, technical documentation, sales materials, new use case, deployment context, and why the changed use brings the system within Article 6 high-risk classification. - Cooperation evidence: information requests to the initial provider, technical-access records, assistance received, refusals or limitations, and trade-secret handling. Sources for this answer: - [Regulation (EU) 2024/1689 - Article 25 responsibilities along the AI value chain](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary source for Article 25 role-shift triggers: rebranding, substantial modification, changed intended purpose, cooperation by the initial provider, and product-manufacturer treatment. - [Regulation (EU) 2024/1689 - Article 3 substantial modification definition](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Defines substantial modification by reference to unplanned post-market or post-service changes affecting high-risk compliance or intended purpose. ## How should teams classify GPAI model providers, AI system providers, and downstream providers? A GPAI model provider is not automatically the provider of every AI system that later integrates the model. The legal text defines a general-purpose AI model separately, and Annex XII requires transparency information for downstream providers that integrate the model into their AI systems. Commission GPAI guidance gives practical examples: the actor that develops and places a GPAI model on the Union market is the provider; an actor that has a model developed on its behalf and places it on the market is the provider; and a downstream actor integrating a GPAI model into an AI system may be the provider of that AI system. For downstream modifications, the Commission guidance says not every modification makes the modifier a GPAI model provider. The modifier becomes the provider of the modified GPAI model only where the modification leads to a significant change in the model's generality, capabilities, or systemic risk, with the guidance giving an indicative training-compute criterion for that assessment. - Keep separate records for the GPAI model provider, the AI system provider, and the deployer that uses the system in a concrete process. - Ask for downstream-provider information listed in Annex XII, including model tasks, integration types, acceptable-use policies, release and distribution methods, licence, input and output modalities, and technical means for integration. - If a team fine-tunes or otherwise modifies a GPAI model, record who controlled the modification, what changed, the additional training data or compute evidence available, and whether the change affects generality, capabilities, or systemic risk. - If the GPAI model is integrated into a high-risk AI system, preserve the chain from model documentation to system technical documentation, instructions for use, human oversight, monitoring, and conformity evidence. Sources for this answer: - [Regulation (EU) 2024/1689 - GPAI model definition and Annex XII downstream-provider information](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Defines general-purpose AI model and lists transparency information that GPAI model providers provide to downstream providers integrating the model into AI systems. - [European Commission - Guidelines for providers of general-purpose AI models](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance on who is a GPAI model provider, when models are placed on the Union market, and when downstream modifiers become providers. - [European Commission - GPAI Model Documentation Form](https://ec.europa.eu/newsroom/dae/redirection/document/118118?ref=sorena.io) - Template evidence source showing information intended for AI Office, national competent authorities, and downstream providers integrating GPAI models. ## What evidence should prove a provider/deployer boundary decision? The evidence should prove the legal role, the factual trigger, and the boundary of responsibility. Avoid one generic AI owner record. Instead, keep a role matrix for each AI system and GPAI model version, because the same supplier relationship can involve several actors at different layers of the value chain. For deployer duties, preserve records showing use according to instructions, human oversight assignment, monitoring based on instructions for use, incident escalation to provider/importer/distributor and authorities where relevant, logs under deployer control, worker information where workplace use is involved, and any required fundamental-rights impact assessment for covered high-risk deployments. - Role matrix: provider, deployer, importer, distributor, authorised representative, product manufacturer, GPAI model provider, AI system provider, and downstream provider for each model or system version. - Market and service evidence: first Union market availability, putting into service, brand or trademark, product bundle, app or API release, and customer-facing materials. - Intended-purpose evidence: provider instructions, technical documentation, sales materials, deployment use case, affected user groups, and any changed purpose assessment. - Change evidence: modification description, whether the change was foreseen in the initial conformity assessment, impact on high-risk requirements, new conformity-assessment need, and provider cooperation records. - GPAI integration evidence: Annex XII-style downstream information, model dependencies, distribution channel, licence, integration means, acceptable-use policy, and modification or fine-tuning record. - Deployer operation evidence: oversight assignment, input-data controls, monitoring notes, log-retention rationale, worker or affected-person notices where applicable, and escalation records. Sources for this answer: - [Regulation (EU) 2024/1689 - Article 26 deployer obligations](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports deployer evidence for instructions-for-use compliance, human oversight, input-data relevance, monitoring, logs, workplace notice, affected-person notice, and authority cooperation. - [Regulation (EU) 2024/1689 - Article 27 fundamental rights impact assessment](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports evidence expectations for covered deployers of high-risk AI systems, including process, frequency, affected groups, risk, oversight, and mitigation information. ## Primary sources - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for Article 3 role definitions, Article 25 value-chain responsibility shifts, Article 26 deployer obligations, Article 27 impact-assessment evidence, and Annex XII GPAI downstream-provider information. - Quote: "laying down harmonised rules on artificial intelligence" - [European Commission - Guidelines for providers of general-purpose AI models](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance used for GPAI model provider boundaries, placing-on-the-market examples, and downstream modifier treatment. - Quote: "clarify the scope of the obligations" - [European Commission - GPAI Model Documentation Form](https://ec.europa.eu/newsroom/dae/redirection/document/118118?ref=sorena.io) - Template used for practical GPAI evidence fields shared with AI Office, national competent authorities, and downstream providers. - Quote: "downstream providers" ## Topic Guides - [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/ai-act/faq/annex-iii-industry-use-cases.md): FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/ai-act/faq/ai-system-classification-edge-cases.md): Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. - [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/ai-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification. - [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/ai-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records. - [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/ai-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions. - [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/ai-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/ai-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use. - [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/ai-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/ai-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties. - [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/ai-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties. - [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/ai-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement. - [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/ai-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning. - [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/ai-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. - [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/ai-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/ai-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence. - [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/ai-act/faq/gpai-and-systemic-risk-duties.md): FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. - [EU AI Act GPAI evidence pack checklist for Article 53 and 55](/artifacts/eu/ai-act/gpai-evidence-pack-workflow.md): Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable. - [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/ai-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls. - [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/ai-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties. - [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/ai-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries. - [EU AI Act high-risk conformity assessment route selector](/artifacts/eu/ai-act/high-risk-conformity-route-selector-workflow.md): Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence. - [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/ai-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity. - [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/ai-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines. - [EU AI Act post-market monitoring and serious incident reporting](/artifacts/eu/ai-act/post-market-monitoring-and-serious-incidents.md): Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions. - [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/ai-act/faq/post-market-monitoring.md): Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. - [EU AI Act risk classification intake workflow](/artifacts/eu/ai-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers. - [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/ai-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting. - [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/ai-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring. - [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/ai-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/ai-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations. - [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/ai-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits. - [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/ai-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits. - [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/ai-act/faq/conformity-assessment-and-notified-bodies.md): source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. *Recommended next step* *Placement: before sources* ## Turn provider, deployer, operator, and GPAI boundaries into evidence Sorena can help convert Article 3 and Article 25 role analysis into a system-by-system role matrix, supplier evidence request, and review-ready compliance record. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about provider, deployer, operator, Article 25, and GPAI model-provider boundaries using the cited sources on this page. - [Talk through implementation](/contact.md): Review your AI Act role matrix, supplier evidence, and downstream GPAI integration records with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/ai-act/faq/provider-and-deployer-role-boundaries