EU AI Act Applicability and Roles

Classify the thing being assessed before assigning roles. An AI system is a machine-based system with some autonomy that infers how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. A general-purpose AI model is an AI model that displays significant generality, can competently perform a wide range of distinct tasks, and can be integrated into downstream systems or applications.

Keep AI systems and GPAI models separate in the record. A customer-facing chatbot, triage workflow, scoring feature, or embedded product function is usually assessed as an AI system. A foundation model or other reusable model released for integration may need a GPAI model analysis even before a downstream application is classified.

Article 2 applies to several different trigger paths. It covers providers placing AI systems on the market or putting them into service in the Union, providers placing GPAI models on the Union market, deployers established or located in the Union, importers and distributors of AI systems, product manufacturers placing or putting into service an AI system with their product under their own name or trademark, authorised representatives for non-EU providers, and affected persons located in the Union.

A non-EU provider or deployer can still be in scope when the output produced by the AI system is used in the Union. The applicability record should therefore track where the provider, deployer, users, affected persons, product release, and output use are located rather than relying only on company headquarters.

The same organisation can hold different roles for different assets. A company can be a deployer when it uses a third-party screening tool, a provider when it releases its own AI system under its name, an importer when it places a third-country-branded AI system on the Union market, and a product manufacturer when an AI system is placed on the market or put into service together with its product under the manufacturer's name or trademark.

Role mapping should follow the legal definitions and the actual supply chain. Contract labels are useful evidence, but they do not replace facts about who develops, brands, imports, distributes, deploys, modifies, or integrates the AI system or model.

Article 25 prevents teams from freezing role assignments at procurement. A distributor, importer, deployer, or other third party becomes the provider of a high-risk AI system if it puts its own name or trademark on a high-risk AI system already placed on the market or put into service, makes a substantial modification while the system remains high-risk, or changes the intended purpose of an AI system, including a general-purpose AI system, so that it becomes high-risk.

For high-risk AI systems that are safety components of products covered by the listed Union harmonisation legislation, the product manufacturer is considered the provider when the high-risk AI system is placed on the market with the product under the manufacturer's name or trademark, or put into service under that name or trademark after the product is placed on the market.

A defensible applicability file should show how the team moved from definition and scope to classification. For high-risk screening, Article 6 covers product-linked high-risk systems and Annex III high-risk systems. If a provider treats an Annex III system as not high-risk because it does not pose a significant risk of harm and does not materially influence decision-making, Article 6 requires the assessment to be documented before market placement or putting into service.

The strongest evidence is concrete and versioned: intended-purpose statements, technical documentation, model documentation, supplier contracts, instructions for use, EU market records, output-use locations, Annex III analysis, Article 6 derogation reasoning where used, role-shift review, and an approval history showing who accepted the classification.