Most teams don’t think they are providers under the EU AI Act.
And in many cases, that assumption feels reasonable:
“We didn’t build the model.”
“We’re just integrating existing AI.”
“We’re using third-party systems.”
But this is exactly where the risk begins.
Because under the EU AI Act, you can be a provider without building the AI system.
The Real Misunderstanding
The common mental model is:
“Provider = the company that builds the AI.”
That’s only partially true.
In practice, the regulation assigns the provider role to the entity that:
- places the system on the market under its name, or
- materially shapes how the system behaves or is used
This means the moment you:
- embed AI into your product
- configure or fine-tune it
- define its use case
- expose it to users
—you may have crossed into provider territory.
Even if the underlying model is not yours.
A Typical Scenario
Consider a SaaS company that:
- integrates a third-party AI model
- adapts prompts, workflows, or outputs
- builds a feature around it
- offers it to customers as part of its product
From a technical perspective, nothing was “built.”
But from a regulatory perspective:
→ the company is no longer just using AI
→ it is placing an AI system on the market
That distinction is critical.
Why This Matters More Than It Seems
The provider role carries the heaviest obligations under the EU AI Act.
Including, depending on the system:
- conformity assessments
- technical documentation
- risk management systems
- monitoring and post-market controls
Misclassifying yourself as “just a deployer” can result in:
- incomplete compliance
- missing documentation
- exposure during audits or procurement
The Three Roles (In Practice)
To understand where you stand, you need to distinguish between:
Provider
You shape and place the system on the market.
Deployer
You use the system under your authority.
Distributor
You make the system available without modification.
The Key Insight
Roles are not defined by who built the model.
They are defined by:
- who controls the system’s behavior
- how it is integrated
- how it is presented to users
And most importantly:
👉 whether you take responsibility for how it operates in context
Where Most Companies Get It Wrong
1. “We didn’t build it, so we’re not responsible”
→ False in many integration scenarios
2. Ignoring customization
Prompt design, workflows, UI, and constraints
can shift your role significantly
3. Treating roles as static
Roles evolve with:
- product changes
- new features
- deeper integrations
A Better Way to Think About It
Instead of asking:
“Did we build the AI?”
Ask:
- Are we presenting this as part of our product?
- Are we shaping how it behaves?
- Are users interacting with it through us?
- Are we accountable for its output?
If the answer is yes to most of these:
→ you are likely operating as a provider
Final Thought
The EU AI Act is not built around technical ownership.
It is built around responsibility.
And responsibility follows how AI is used, shaped, and delivered—
not just how it was created.
