← Back to blog

"Am I a Provider or a Deployer?" — The Question Every Founder Needs to Answer

6 min read

Three founders walk into a bar. One built an AI, one bought an AI, one tweaked an AI. The AI Act treats them completely differently.

Here's the thing: the EU AI Act doesn't care what you call yourself. It cares what you do with AI. And depending on whether you're a "provider" or a "deployer," your obligations, costs, and deadlines look totally different.

Most SMEs I talk to assume they're just "using AI." But that's not a classification the law recognizes. You're either the company that builds the AI (provider) or the company that uses the AI (deployer) — and sometimes you're both.

Getting this wrong means you're preparing for the wrong obligations. Let's fix that.

Why Classification Actually Matters

The AI Act has completely different rulebooks for providers vs. deployers.

If you're a provider, you're responsible for designing the system to be safe, documenting how it works, running risk assessments, and — if it's high-risk — getting third-party readiness checks. Think: building a car.

If you're a deployer, you're responsible for using the system properly, monitoring it in your context, and being transparent with users when they interact with AI. Think: driving a car.

The cost difference? Providers of high-risk systems face initial readiness costs of €193k-330k. Deployers of those same systems? Much simpler obligations, mostly around proper use and transparency.

So yeah, classification matters.

Provider = You Build It (or Substantially Change It)

You're a provider if you:

  • Develop an AI system and put it on the market
  • Import an AI system from outside the EU to sell it here
  • Substantially modify an existing AI system beyond its intended use
  • Put your name or trademark on someone else's AI system

Notice that last one? If you white-label a chatbot vendor's product and sell it as yours, you just became a provider.

Deployer = You Use It

You're a deployer if you:

  • Use an AI system under your authority (meaning you control how it's used)
  • This includes off-the-shelf SaaS tools, APIs, and third-party platforms

Even if you didn't build it, if you're using it for your business, you're a deployer.

Real Scenarios — Because Abstract Definitions Help Nobody

Let's get specific. Here are 10 scenarios I see all the time:

You use Intercom's chatbot on your website. → You're a deployer. You didn't build the chatbot, you're just using it. Your obligation: disclose to users that they're talking to AI (that's Article 50, the transparency rule).

You built a custom recommendation engine for your e-commerce site. → You're a provider. You developed the AI system. Your obligations depend on whether it's high-risk (spoiler: product recommendations usually aren't).

You use GPT-4's API to power a feature in your product. → You're a provider. You're building a new AI system using OpenAI's model as a component. Your customers interact with your system, not OpenAI's.

You use Notion AI for internal company notes. → You're a deployer. Internal-use-only AI tools still count as "deploying under your authority."

You fine-tuned an open-source model on your own dataset and integrated it into your product. → You're a provider. You modified the model and put it on the market. This is textbook provider activity.

You use HubSpot's lead scoring feature. → You're a deployer. HubSpot built the AI, you're using it as intended.

You built a CV screening tool using OpenAI's API to rank job applicants. → You're a provider of a high-risk AI system. CV screening falls under Annex III (high-risk use cases for employment). This is the most regulated scenario — you'll need conformity assessment, technical documentation, the full works.

You modified a vendor's chatbot to handle sensitive customer data beyond what it was designed for. → You just became a provider. "Substantial modification beyond intended use" turns deployers into providers. This catches people off guard all the time.

You use Zendesk's AI ticket routing for customer support. → You're a deployer. Using it as designed, no modifications.

You integrated a third-party sentiment analysis API into your HR dashboard to monitor employee mood. → You're a provider of a potentially high-risk system. HR monitoring can trigger high-risk classification. Even though you didn't build the sentiment API, you built the HR system that uses it.

The Edge Case That Trips Everyone Up

Here's where it gets sneaky: deployers can become providers.

If you take an off-the-shelf AI tool and modify it substantially — or use it in a way the vendor never intended — you might cross the line into provider territory.

Example: You start with Intercom's chatbot (you're a deployer). Then you train it on proprietary medical data to give health advice (substantial modification + new use case). Congratulations, you're now a provider of a high-risk AI system.

The law doesn't care that you started with a SaaS tool. It cares what you ended up with.

The Obligation Matrix: Role × Risk Level

Your actual to-do list depends on both your role and the system's risk level. Here's the simple version:

Low/Limited-Risk Deployer (most common for SMEs)

  • Add transparency disclosures where required (chatbots, AI-generated content)
  • Use the system as intended
  • Monitor for obvious problems

Low/Limited-Risk Provider

  • Basic transparency obligations
  • Keep technical documentation
  • Ensure the system works as described

High-Risk Deployer

  • Transparency disclosures
  • Monitor the system in your specific use context
  • Assign human oversight
  • Keep usage logs

High-Risk Provider

  • Full conformity assessment (often by third-party approved assessor)
  • Extensive technical documentation
  • Risk management system
  • Ongoing monitoring after launch
  • Registration in EU database
  • This is the €193k-330k scenario

See why classification matters? A low-risk deployer might spend a weekend getting ready. A high-risk provider might spend six months and six figures.

Most SMEs Are Deployers — And That's Good News

If you're using off-the-shelf AI tools from Intercom, HubSpot, Notion, Zendesk, OpenAI (via their consumer/business products), you're almost certainly a deployer.

Deployers have simpler obligations. You won't need conformity assessments. You won't need to register in EU databases. You won't need to hire approved assessors.

You will need to:

  • Disclose when users interact with AI (Article 50)
  • Use systems as intended
  • Monitor for problems
  • If it's high-risk, assign a human to oversee decisions

That's manageable. That's a weekend project, not a six-month ordeal.

If You're Building AI Features Into Your Product — You're Probably a Provider

If you're a SaaS company adding AI features, you're almost certainly a provider.

"But we're just using OpenAI's API!" Doesn't matter. You're building a system that uses AI as a component. Your customers interact with your product, not OpenAI's. You're the provider.

The good news: most product features aren't high-risk. Recommendations, content generation, search improvements — usually low or limited-risk. You'll have obligations, but not the full high-risk conformity assessment gauntlet.

The exception: if your AI makes important decisions about people (hiring, firing, credit, benefits eligibility, law enforcement), you're in high-risk territory. Handle with care.

What to Do Right Now

Step 1: Take our 5-question Role Classifier quiz Answer five simple questions about how you use AI. We'll tell you if you're a provider, deployer, or both — and what that means for your August 2 deadline.

Step 2: Make a list of every AI system you use or build Seriously. Spreadsheet time. List the tool, what it does, whether you built it or bought it, and how you use it.

Step 3: For each system, classify your role Did you build it, buy it, or modify it? That determines provider vs. deployer status.

Step 4: Check the risk level Does it make important decisions about people? High-risk. Everything else? Probably low or limited-risk.

Step 5: Map your obligations Role + Risk = Your Readiness To-Do List.

Don't overthink this. You're not trying to write a legal dissertation. You're trying to figure out which rulebook applies to you.

The Bottom Line

If you're using Intercom's chatbot, you're a deployer. Add a disclosure, you're done.

If you built a custom recommendation engine, you're a provider. Document it, assess the risk, prepare accordingly.

If you're using GPT-4's API to power your product, you're a provider. Plan for documentation and risk assessment.

If you modified a vendor's tool beyond its intended use, you might've just become a provider without realizing it. Check that.

Most SMEs are deployers. Most deployers face simple obligations. Most simple obligations can be handled in a weekend.

But you need to know which category you're in — because the wrong classification means you're preparing for the wrong deadline with the wrong checklist.

Take the quiz. Get classified. Stop guessing.

Take the Role Classifier Quiz → [5 questions, 2 minutes, clarity forever]

This document supports readiness preparation. It does not constitute legal advice. The AI Act's provider and deployer definitions are found in Article 3. Classification depends on your specific circumstances. When in doubt, document your reasoning and consult qualified legal counsel.

Ready to find out if this applies to you?

The AI Act assessment takes 3 minutes. No signup. You'll see your classification instantly.

Take the assessment

Or stay in the loop

Get updates when rules change. No spam.