Who must do what, and by when. Deployers, providers, risk levels: everything you need to know — with a self-assessment tool to understand your position immediately.
The EU AI Act does not only apply to those who develop artificial intelligence. It applies to anyone who uses it professionally — and that includes the majority of European businesses that have adopted software with AI components. The starting point is understanding your role and the risk level of the systems you use.
This distinction is fundamental: obligations differ significantly depending on your role in the AI supply chain.
Designs, develops and places an AI system on the market. Carries the heaviest obligations: complete technical documentation, conformity assessment, registration in the EU database, and primary liability.
⚠️ If you fine-tune a third-party model for a specific use case, you may be classified as a provider even if you did not develop the base model.
Uses an existing AI system within their own operational context. Fewer obligations than providers, but concrete and binding ones: human oversight, staff training, risk management, transparency towards end users.
⚠️ Most European SMEs are deployers, not providers — but this does not mean they are exempt from obligations.
The AI Act classifies AI systems into four categories. The risk level determines which obligations apply.
Systems that manipulate human behaviour, exploit vulnerabilities, implement government social scoring, or use real-time biometric identification in public spaces. In force since February 2025.
Systems used in critical sectors that directly impact people's rights, health or safety. Risk management, documentation, human oversight, and audit trails are mandatory for both deployers and providers.
Systems that interact with human users (chatbots, deepfakes, generated content). The primary obligation is to disclose that the user is interacting with an AI system.
The majority of AI systems fall here: spam filters, content recommendations, AI in games. No mandatory obligations, although voluntary codes of conduct are encouraged.
Obligations vary depending on your role and the risk level of the system. This table summarises the principal requirements for high-risk systems.
| Obligation | Provider | Deployer | Deadline |
|---|---|---|---|
| AI Literacy — train staff who use AI systems | ✓ | ✓ | Feb 2025 ✅ |
| Risk management system — identify and mitigate risks | ✓ | partial | Aug 2026 ⚠️ |
| Technical documentation — specifications, data, testing | ✓ | – | Aug 2026 ⚠️ |
| Human oversight — override mechanisms and controls | ✓ | ✓ | Aug 2026 ⚠️ |
| Logs and audit trail — traceability of decisions | ✓ | ✓ | Aug 2026 ⚠️ |
| Transparency towards individuals — inform those subject to AI decisions | ✓ | ✓ | Aug 2026 ⚠️ |
| EU database registration — for high-risk systems | ✓ | some cases | Aug 2026 ⚠️ |
| Serious incident reporting — notification to authorities | ✓ | ✓ | Aug 2026 ⚠️ |
6 questions. 2 minutes. Find out immediately whether you are subject to obligations and which ones apply.
This self-assessment is for guidance only and does not constitute legal advice. For a comprehensive analysis, please book a free call.