Provider vs. Deployer: Who's Responsible?

Learn the difference between provider and deployer obligations under the EU AI Act, and why vendor compliance does not equal deployer compliance.

What Is Provider vs. Deployer: Who's Responsible?

Understand the critical distinction between AI providers and deployers under the EU AI Act. Learn why buying a compliant vendor product does not absolve your company of its own legal obligations, and practice evaluating vendor compliance documentation during procurement.

What You'll Learn in Provider vs. Deployer: Who's Responsible?

Provider vs. Deployer: Who's Responsible? — Training Steps

  1. Provider vs. Deployer

    The EU AI Act assigns different obligations depending on your role in the AI value chain:

    Provider - The company that develops an AI system or places it on the market. Responsible for conformity assessment, CE marking, and technical documentation.

    Deployer - The company that uses an AI system under its own authority. Responsible for Fundamental Rights Impact Assessment, human oversight, monitoring, and incident reporting.

    BrightPath Consulting is a deployer. When the company buys a vendor's AI tool, the vendor's compliance does not absolve BrightPath of its own legal obligations under the Act.

  2. Email from IT Director

    An email arrives from Rachel Kim, BrightPath's IT Director. Three AI vendors have submitted proposals, and Alice needs to evaluate their compliance posture before procurement decisions are made.

  3. Vendor 1: TalentMatch AI

    Alice clicks the TalentMatch AI link in Rachel's email to open the vendor's compliance documentation. This vendor has met its provider obligations well: conformity assessment completed, CE marking obtained, technical documentation available, and intended purpose clearly stated. The system is classified as High Risk under Annex III area 4 (employment).

  4. Deployer Obligations for High-Risk AI

    Even though TalentMatch AI is a compliant vendor, BrightPath as the deployer has its own set of mandatory obligations under the EU AI Act. These obligations exist independently of the vendor's compliance status. Alice opens the Deployer Obligations Checklist linked in Rachel's email.

  5. Knowledge Check: FRIA Responsibility

    Before reviewing the next vendor, let's confirm a key concept about deployer obligations.

  6. Vendor 2: QuickReply Bot

    The next vendor is QuickReply Bot, a customer service chatbot. Alice clicks the QuickReply Bot link in Rachel's email. This is a Limited Risk AI system - its primary provider obligation is transparency documentation, which has been met. BrightPath's deployer obligation is simpler here: ensure customers know they are talking to AI, not a human.

  7. Vendor 3: InsightIQ

    The final vendor is InsightIQ, an AI-powered employee performance analytics platform. Alice clicks the InsightIQ link in Rachel's email to open the product page. Something about this vendor's claims should raise a red flag.

  8. The Misclassification Problem

    InsightIQ processes employee performance data to make promotion and team composition recommendations. This is employment-related AI decision-making, which is High Risk under Annex III of the EU AI Act. The vendor either deliberately misclassified the product to avoid compliance costs, or genuinely does not understand the regulation. Either way, BrightPath cannot rely on the vendor's self-classification. As a deployer, the company has an independent duty to verify risk classification before deployment.

  9. Knowledge Check: Misclassified Vendor

    A critical procurement scenario that tests your understanding of deployer responsibilities when vendor claims do not match reality.

  10. Send Procurement Recommendations

    Alice replies to Rachel with a per-vendor recommendation: which tools BrightPath can deploy, under what deployer conditions, and which one must be rejected outright.