# Provider vs deployer under the EU AI Act: which one is your SaaS
The EU AI Act assigns different obligations depending on whether you are a provider or a deployer of an AI system. Most SaaS companies are one or the other. Some are both. Getting this wrong means you either do too much compliance work or, worse, too little.
## The definitions
Provider (Article 3(3)): A natural or legal person that develops an AI system or a general purpose AI model and places it on the market or puts it into service under its own name or trademark.
Deployer (Article 3(4)): A natural or legal person that uses an AI system under its authority, except where the AI system is used in the course of a personal non professional activity.
In plain language: if you built the AI, you are probably a provider. If you are using someone else's AI inside your product, you are probably a deployer.
## How SaaS companies typically classify
You are a provider if:
- You trained your own AI model and ship it as part of your product
- You fine tuned a foundation model and serve predictions through your product
- You built an AI system and sell access to it under your brand name
- You take an open source model, modify it, and deploy it commercially
You are a deployer if:
- You call OpenAI's API and display the output in your product
- You use Anthropic's Claude to power a feature in your SaaS
- You integrate Google's Gemini API for content generation
- You embed a third party AI service without modifying the model itself
You might be both if:
- You use a third party model but wrap it in a system that makes autonomous decisions (you are the provider of the system, deployer of the model)
- You fine tune a third party model significantly enough that it becomes a new AI system under the Act's definitions
## Why it matters
Providers have heavier obligations than deployers. For high risk AI systems (Annex III), providers must:
- Implement a risk management system (Article 9)
- Meet data governance requirements (Article 10)
- Maintain technical documentation (Article 11)
- Design for record keeping and logging (Article 12)
- Ensure transparency and provide instructions to deployers (Article 13)
- Enable human oversight (Article 14)
- Meet accuracy, robustness, and cybersecurity standards (Article 15)
- Conduct conformity assessments before placing the system on the market (Article 43)
Deployers of high risk systems have a lighter but still real set of obligations:
- Use the system according to instructions provided by the provider (Article 26(1))
- Ensure human oversight by persons with appropriate competence (Article 26(2))
- Monitor the system and report serious incidents (Article 26(5))
- Conduct a fundamental rights impact assessment for certain use cases (Article 27)
- Keep logs generated by the system for at least 6 months (Article 26(6))
For transparency obligations under Article 50, both providers and deployers have duties. If your product has a chatbot, generates content, creates deepfakes, or does emotion recognition, you must disclose this to users regardless of whether you are a provider or deployer.
## The common mistake
Most SaaS companies calling the OpenAI API assume they have zero obligations because they did not build the model. Wrong.
If your SaaS uses a third party AI model and you deploy it in a way that falls under Annex III (for example, using AI to screen job applicants, assess creditworthiness, or triage insurance claims), you are a deployer of a high risk AI system. Deployer obligations apply to you.
And if your product wraps the API call in a system that makes decisions autonomously, you may have crossed from deployer into provider territory for the system as a whole, even though you did not train the underlying model.
## How to figure out your classification
Step 1: List every AI feature in your product. Include every API call to an AI service, every model you run, every automated decision that uses AI.
Step 2: For each feature, ask: did you develop this AI system, or are you using one developed by someone else?
Step 3: Check if you modified a third party system enough to become the provider of a new system. Fine tuning, adding retrieval augmented generation, or building an autonomous agent around an API call can cross this line.
Step 4: For each feature, check if it falls under any Annex III category. If it does, the provider/deployer distinction determines your specific compliance obligations.
Step 5: Document your classification rationale. This is what you show to a regulator or an enterprise customer who asks.
## Examples
### Example 1: SaaS with AI powered customer support chat
You use Anthropic's Claude API to power a support chatbot in your product. You did not train or fine tune the model.
Classification: Deployer. Anthropic is the provider of the general purpose AI model. You deploy it as a chatbot.
Obligations: Article 50(1) transparency disclosure (tell users they are talking to AI). If the chatbot makes decisions that affect users' rights or access to services, review Annex III to check for high risk classification.
### Example 2: SaaS with AI powered resume screening
You built a scoring algorithm that uses AI to rank job applicants. You trained the model on historical hiring data.
Classification: Provider of a high risk AI system. Resume screening falls under Annex III, point 4(a) (AI systems used to filter applications or evaluate candidates in recruitment).
Obligations: Full provider obligations for high risk systems. Risk management, data governance, technical documentation, conformity assessment.
### Example 3: SaaS that uses OpenAI to generate marketing copy
You call GPT to generate ad copy and social media posts for your users.
Classification: Deployer. OpenAI is the model provider. You deploy it for content generation.
Obligations: Article 50(2) transparency. Mark AI generated content with machine readable metadata indicating it was generated by AI.
## What to do next
Classify every AI feature in your product. Write down whether you are the provider or deployer for each one. Check Annex III. Then implement the obligations that match your role.
If you want a structured walkthrough, our open source checklist covers all 47 compliance items: github.com/GatisOzols/eu-ai-act-checklist
If you want someone to do the classification for you and hand back a compliance report in 5 business days: disclos.eu/audit
Last updated: 2026-06-04