Who is the 'deployer' of an AI system?

Article 3(4) defines a deployer as a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity. Personal household use is excluded. Deployer duties on high-risk AI systems are in Article 26: use the system in accordance with the instructions for use; assign human oversight to natural persons with the necessary competence, training and authority; ensure input data is relevant and sufficiently representative; monitor operation against the instructions; suspend use and inform the provider on a risk under Article 79(1); keep logs at least six months unless Union or national law requires longer; inform workers and their representatives if the deployer is an employer; cooperate with competent authorities. Specific deployer-side disclosures apply under Article 50(3) and 50(4).

What does Article 22 require of non-EU providers?

Article 22 requires providers established in third countries, prior to making a high-risk AI system available on the Union market, to appoint by written mandate an authorised representative established in the Union. The mandate must empower and require the authorised representative to perform the tasks in Article 22(3), which include verifying the EU declaration of conformity and the technical documentation have been drawn up, keeping a copy of the documentation for ten years after the system is placed on the market, providing competent authorities with information and documentation on a reasoned request, cooperating with competent authorities on any action they take to mitigate or reduce risks, complying with the registration obligations in Article 49, or verifying that the provider has done so, and terminating the mandate where the authorised representative considers or has reason to consider that the provider acts contrary to its obligations under the Regulation. Article 22 is distinct from Article 54 for non-EU GPAI model providers.

What is the Article 27 fundamental-rights impact assessment?

Article 27 requires specific deployers of high-risk AI systems to perform a fundamental-rights impact assessment (FRIA) prior to deploying a high-risk AI system referred to in Article 6(2), with the exception of high-risk AI systems intended to be used in the area listed in Annex III point 2 (critical infrastructure). The duty falls on deployers that are bodies governed by public law or private entities providing public services, and on deployers using high-risk AI systems referred to in points 5(b) and 5(c) of Annex III (creditworthiness scoring and risk assessment / pricing for life and health insurance). The FRIA must describe the deployer's processes in which the system will be used, the period and frequency of use, the categories of natural persons and groups likely to be affected, the specific risks of harm likely to have an impact on those persons or groups, the implementation of human oversight measures, the measures to be taken in case of materialisation of those risks including the arrangements for internal governance and complaint mechanisms. The deployer notifies the market-surveillance authority of the results. The FRIA may build on a Data Protection Impact Assessment under Article 35 GDPR where appropriate, but the two assessments are separate legal duties on different addressees.

What is the difference between a 'deployer' under the EU AI Act and a 'controller' under GDPR?

They are distinct concepts. A 'deployer' under Article 3(4) EU AI Act uses an AI system under its own authority — the focus is on the AI system's operational use. A 'controller' under Article 4(7) GDPR determines the purposes and means of processing personal data — the focus is on the personal-data processing. A single legal person can be both for the same activity (e.g., an HR department deploying a CV-screening AI is the deployer of the AI system AND the controller of the candidate personal data) but the two roles trigger different obligations under different Regulations. Article 2(7) of the EU AI Act preserves Union personal-data-protection law in parallel; Article 26(9) provides the operational hook for DPIA cross-reference.

When do the deployer obligations start to apply?

Deployer obligations on high-risk AI systems under Article 26 apply from the same dates as the underlying system regime — 2 August 2026 for Annex III systems and 2 August 2027 for Annex I systems under the published Regulation, subject to deferral by the provisional AI Omnibus to 2 December 2027 (Annex III) and 2 August 2028 (Annex I) if adopted. Article 27 FRIA applies on the same schedule for the in-scope deployer categories.

Roles and responsibilities

Q: Who is the 'provider' of an AI system under the EU AI Act?

Article 3(3) defines a provider as a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge. Provider duties on high-risk AI systems are concentrated in Article 16 and the substantive Articles 8–15. Provider duties on general-purpose AI models are in Article 53 and (for systemic-risk GPAI) Article 55.

Q: When does a deployer or distributor become a provider under Article 25?

Article 25(1) makes a distributor, importer, deployer or other third party a provider of a high-risk AI system, with full provider obligations under Article 16, where any of three triggers is met: (a) they put their name or trademark on a high-risk AI system already placed on the market or put into service, without prejudice to contractual arrangements; (b) they make a substantial modification to a high-risk AI system that has already been placed on the market or has already been put into service in such a way that it remains a high-risk AI system pursuant to Article 6; (c) they modify the intended purpose of an AI system, including a general-purpose AI system, that has not been classified as high-risk and has already been placed on the market or put into service, in such a way that the AI system concerned becomes a high-risk AI system in accordance with Article 6. Article 25(2) requires the INITIAL provider to make available to the new provider the technical documentation, capabilities/limitations information and other assistance necessary for the new provider to comply with Section 2 — unless the initial provider clearly specified the system is not to be changed into a high-risk system and the change occurred contrary to those instructions.

The EU AI Act assigns obligations by legal role. The Article 3 definitions are the operative anchor: provider, deployer, importer, distributor, authorised representative. The substantive Article 16 / 22 / 23 / 24 / 26 / 27 obligations attach to each role independently. Article 25 governs how responsibility transfers when a downstream actor substantially modifies a system or puts its own name on it — the "accidental provider" trap.

This is one of the surfaces that practitioners most often blur. Provider and deployer obligations are not "the same compliance work split between teams" — they are separate legal duties on separate addressees, with separate deadlines, separate evidence, and separate enforcement.

Quick decision

You build the AI system and place it on the EU market under your own name → Article 3(3) provider. Article 16 duties; Articles 8–15 substantive obligations if the system is high-risk.
You use someone else's AI system in your operations (not personal household use) → Article 3(4) deployer. Article 26 duties.
You bring a third-country provider's high-risk AI system into the EU → Article 3(6) importer. Article 23 duties (verify conformity, CE mark, declaration, authorised representative).
You make a system available on the EU market without being the provider or importer → Article 3(7) distributor. Article 24 duties (verify CE mark, storage, recall).
You are a non-EU provider of a high-risk AI system → appoint an authorised representative under Article 22 before placing on the EU market.
You are a public-sector deployer, a private entity providing public services, or you deploy an Annex III(5)(b)/(c) (credit / insurance) system → Article 27 FRIA applies before first use (except for high-risk AI systems intended for use in Annex III point 2 — critical infrastructure — which Article 27(1) excludes).
You put your own name on a high-risk system, substantially modify one, or repurpose a non-high-risk system into a high-risk use → Article 25 makes you a provider with full Article 16 + Articles 8–15 duties.

TL;DR

Five legal roles under Article 3: provider, deployer, importer, distributor, authorised representative. The role determines the obligation set.
Article 16 anchors provider duties on high-risk AI systems; Article 26 anchors deployer duties.
Article 25 is the "accidental provider" trap — substantial modification, intended-purpose change to a high-risk use, or rebranding makes the downstream actor a provider.
Article 27 FRIA is a deployer-side duty on public-sector deployers and on deployers of Annex III(5)(b)/(c) systems — excluding systems intended for the Annex III point 2 (critical infrastructure) area. Distinct from Article 35 GDPR DPIA.
Article 22 authorised representative for non-EU high-risk-system providers; Article 54 for non-EU GPAI model providers. The two are independent.
Deployer duties under Article 26 apply on the same schedule as the underlying high-risk system regime (Annex III: 2 August 2026; Annex I: 2 August 2027 — subject to Omnibus deferral if adopted).

AI Omnibus provisional agreement (May 2026)

Status: provisional political agreement, pending formal adoption

On 7 May 2026 the Council presidency and European Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI (originally proposed by the Commission on 19 November 2025, part of the 'Omnibus VII' simplification package). The deal must still be formally endorsed by the Council and the Parliament and undergo legal/linguistic revision before adoption. This framework page will be updated once the Omnibus is formally adopted. Until then, the existing EU AI Act text remains legally binding.

Relevant to this page (all conditional on formal adoption):

Annex III deployer-side duties would shift to 2 December 2027 (from 2 August 2026); Annex I would shift to 2 August 2028 (from 2 August 2027). The Article 26 substantive duties are unchanged.
Annex III non-high-risk registration model would be reinstated — providers that determine an Annex III system is not high-risk under Article 6(3) would continue to register the determination in the EU database under Article 49(2).
Simplified compliance for Small Mid-Caps (SMCs) — the Article 16 documentation and QMS burden would be reduced for SMCs as defined in Commission Recommendation (EU) 2025/1099 (final scope subject to consolidated text).

Until adopted, the published 2024/1689 obligations on each role remain the binding reference.

Primary source

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 — EUR-Lex CELEX 32024R1689 · OJ L, 12.7.2024 · Articles 3, 16, 22, 23, 24, 25, 26, 27.

Article 3 — the definitions that anchor the regime

Article 3(3) — provider

'provider' means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge;
— Article 3(3), Regulation (EU) 2024/1689

The provider concept is placement / putting-into-service plus own-name attribution. Building an AI system for internal use without placing it on the market or putting it into service does not make you a provider in the Article 3(3) sense — but Article 25(1)(a) can still convert a deployer into a provider via own-name attribution.

Article 3(4) — deployer

'deployer' means a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity;
— Article 3(4), Regulation (EU) 2024/1689

Personal household use is the only excluded case. All other use under one's authority — including by public bodies, NGOs, charities, and SMEs — makes the user a deployer.

Article 3(5) — authorised representative

'authorised representative' means a natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI system or a general-purpose AI model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation;
— Article 3(5), Regulation (EU) 2024/1689

A single legal entity in the Union can be both an Article 22 (high-risk system) and Article 54 (GPAI model) authorised representative — but the two mandates and duty sets are separate.

Article 3(6) — importer

'importer' means a natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country;
— Article 3(6), Regulation (EU) 2024/1689

Article 3(7) — distributor

'distributor' means a natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market;
— Article 3(7), Regulation (EU) 2024/1689

Article 3(8) — operator

'operator' means a provider, product manufacturer, deployer, authorised representative, importer or distributor;
— Article 3(8), Regulation (EU) 2024/1689

"Operator" is the umbrella term used throughout the Regulation when an obligation applies to any of the five roles.

Article 16 — provider obligations on high-risk AI systems

Providers of high-risk AI systems shall:
(a) ensure that their high-risk AI systems are compliant with the requirements set out in Section 2;
(b) indicate on the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, as applicable, their name, registered trade name or registered trade mark, the address at which they can be contacted;
(c) have a quality management system in place which complies with Article 17;
(d) keep the documentation referred to in Article 18;
(e) when under their control, keep the logs automatically generated by their high-risk AI systems as referred to in Article 19;
(f) ensure that the high-risk AI system undergoes the relevant conformity assessment procedure as referred to in Article 43, prior to its being placed on the market or put into service;
(g) draw up an EU declaration of conformity in accordance with Article 47;
(h) affix the CE marking to the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, to indicate conformity with this Regulation, in accordance with Article 48;
(i) comply with the registration obligations referred to in Article 49(1);
(j) take the necessary corrective actions and provide information as required in Article 20;
(k) upon a reasoned request of a national competent authority, demonstrate the conformity of the high-risk AI system with the requirements set out in Section 2;
(l) ensure that the high-risk AI system complies with accessibility requirements in accordance with Directives (EU) 2016/2102 and (EU) 2019/882.
— Article 16, Regulation (EU) 2024/1689

Article 16 is the entry point to the provider regime. Each lettered duty maps to a separate substantive Article (17 QMS, 18 documentation, 19 logs, 20 corrective actions, 43 conformity assessment, 47 declaration, 48 CE marking, 49 registration). The Article 16 duties layer on top of the Section 2 (Articles 8–15) requirements.

Article 22 — authorised representatives for non-EU providers of high-risk AI systems

A non-EU provider of a high-risk AI system must, prior to making the system available on the EU market, appoint by written mandate an authorised representative established in the Union. The Article 22(3) tasks include:

Verifying that the EU declaration of conformity and the technical documentation have been drawn up and that the provider has carried out an appropriate conformity assessment procedure.
Keeping at the disposal of competent authorities and national authorities a copy of the EU declaration of conformity, the technical documentation and, if applicable, the certificate issued by the notified body, for a period of 10 years after the high-risk AI system has been placed on the market or put into service.
Providing competent authorities, upon a reasoned request, with all the information and documentation necessary to demonstrate the conformity of the high-risk AI system.
Cooperating with competent authorities on any action the latter takes in relation to the high-risk AI system, including to reduce and mitigate the risks posed by the high-risk AI system.
Complying with the registration obligations in Article 49, or, if registration is carried out by the provider, ensuring that the information referred to in Annex VIII Section A point 3 is correct.
Without prejudice to the responsibilities of the provider, terminating the mandate if the authorised representative considers or has reason to consider that the provider acts contrary to its obligations under the Regulation. In such a case, the authorised representative informs the relevant market-surveillance authority and, where applicable, the relevant notified body.

The Article 22 authorised representative is distinct from the Article 54 authorised representative for non-EU GPAI model providers. A non-EU entity placing both a high-risk AI system and a GPAI model on the EU market needs both mandates (potentially to the same EU entity, but with distinct tasks).

Article 23 — importer obligations

Before placing a high-risk AI system on the market, importers of such a system shall ensure that the system is in conformity with this Regulation by verifying that:
(a) the relevant conformity assessment procedure referred to in Article 43 has been carried out by the provider of the high-risk AI system;
(b) the provider has drawn up the technical documentation in accordance with Article 11 and Annex IV;
(c) the system bears the required CE marking and is accompanied by the EU declaration of conformity referred to in Article 47 and instructions for use;
(d) the provider has appointed an authorised representative in accordance with Article 22(1).
— Article 23(1), Regulation (EU) 2024/1689

Article 23 further requires the importer to indicate its name, registered trade name or trademark and contact address on the system or its packaging or accompanying documentation, ensure storage and transport conditions do not affect compliance, keep a copy of the certificate issued by the notified body (if applicable) and the instructions for use available to competent authorities for 10 years, and cooperate with competent authorities.

If an importer considers or has reason to consider that a high-risk AI system is not in conformity, it shall not place the system on the market until conformity has been brought about, and shall inform the provider, the authorised representatives, and the market-surveillance authorities if the system presents a risk under Article 79(1).

Article 24 — distributor obligations

Before making a high-risk AI system available on the market, distributors shall verify that it bears the required CE marking, that it is accompanied by a copy of the EU declaration of conformity referred to in Article 47 and instructions for use, and that the provider and the importer of that system, as applicable, have complied with their respective obligations as laid down in Article 16, points (b) and (c) and Article 23(3).
— Article 24(1), Regulation (EU) 2024/1689

Article 24 requires the distributor to ensure storage and transport conditions do not jeopardise compliance, take corrective measures if it considers or has reason to consider that a system is not in conformity, and immediately inform the provider, importer, and competent authorities if the system presents a risk under Article 79(1). A distributor who makes a high-risk AI system available on the market without the proper documentation does not automatically become a provider under Article 25(1) — Article 25(1) has only three triggers (own-name attribution, substantial modification, intended-purpose change into high-risk). The distributor instead faces non-compliance and corrective-action duties under Article 24 itself. Article 25(1) status is reserved for the three triggers in Article 25(1)(a)–(c).

Article 25 — the accidental-provider rules

Any distributor, importer, deployer or other third-party shall be considered to be a provider of a high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:
(a) they put their name or trademark on a high-risk AI system already placed on the market or put into service, without prejudice to contractual arrangements stipulating that the obligations are otherwise allocated;
(b) they make a substantial modification to a high-risk AI system that has already been placed on the market or has already been put into service in such a way that it remains a high-risk AI system pursuant to Article 6;
(c) they modify the intended purpose of an AI system, including a general-purpose AI system, which has not been classified as high-risk and has already been placed on the market or put into service in such a way that the AI system concerned becomes a high-risk AI system in accordance with Article 6.
— Article 25(1), Regulation (EU) 2024/1689

Article 25(1)(b) — the substantial-modification trap

A deployer that fine-tunes the model, modifies prompts in a way that materially changes outputs, changes the deployment context in a way that changes the system's intended purpose, or rebrands a vendor's system can fall into Article 25(1) — with full Article 16 + Articles 8–15 + Article 43 + CE marking obligations transferring to the deployer. Article 3(23) defines "substantial modification" as a change that affects the compliance of the AI system with the Section 2 requirements or results in a modification to the intended purpose. Document the rationale for why deployment-time changes are not substantial modification — keep it as a standing audit record.

EU AI Act · Article 25

When a deployer becomes a provider

Before

Standard value chain

Original provider

Art. 16 · Arts. 8–15 · Art. 43 · Art. 47 · Art. 48 CE

Deployer

Art. 26 deployer duties

Trigger

Article 25(1) events

25(1)(a)Put own name or trade mark on a high-risk AI system already on the market.

25(1)(b)Make a substantial modification (Art. 3(23)) to a high-risk AI system on the market — fine-tuning, prompt or context changes only when they meet that test.

25(1)(c)Modify a non-high-risk system (incl. a GPAI system) so its intended purpose makes it high-risk under Article 6.

After

Obligations transfer

Original provider

Retains duties on the unmodified system.

Former deployer · now provider

Now owns

Art. 16Arts. 8–15Art. 43Art. 47Art. 48 CE

Art. 25(2)The initial provider makes technical documentation, capabilities and limitations available to the new provider — unless it clearly specified the system was not to be changed into a high-risk system and the change occurred contrary to those instructions.

Art. 25(4)The written-agreement duty with third-party suppliers does not apply to publicly accessible FOSS tools / services / components, other than GPAI models.

Article 25(2) requires the initial provider of the converted high-risk AI system to make available to the new provider (the one converted under Article 25(1)) the technical documentation, the information about the capabilities and limitations of the system, and other assistance necessary for the new provider to comply with the Section 2 requirements. The duty does not apply where the initial provider has clearly specified that the AI system is not to be changed into a high-risk AI system and the change occurs contrary to those instructions.

Article 25(3) addresses the Annex I sectoral case: where a high-risk AI system is a safety component of a product covered by Annex I Section A and the product manufacturer places the high-risk AI system on the market or puts it into service together with the product under the product manufacturer's own name or trademark, the product manufacturer is considered the provider and is subject to Article 16 — preserving the integration with sectoral conformity-assessment regimes rather than duplicating obligations.

Article 25(4) is the written-agreement rule: providers of high-risk AI systems and the third parties that supply tools, services, components or processes used or integrated into the high-risk AI system shall, by written agreement, specify the information, capabilities, technical access and other assistance needed for the provider of the high-risk AI system to fully comply with the Section 2 obligations. The Article 25(4) written-agreement duty does not apply to publicly accessible tools, services, processes or components, other than general-purpose AI models, that are released under a free and open-source licence.

Article 26 — deployer obligations on high-risk AI systems

Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems, pursuant to paragraphs 3 and 6.
— Article 26(1), Regulation (EU) 2024/1689

The Article 26 duty set (paragraphs as published in OJ 2024/1689):

Article 26(2) — assign human oversight to natural persons who have the necessary competence, training and authority, and the necessary support. This is the operational counterpart to the Article 14 provider-side oversight design.
Article 26(3) — without prejudice to Article 26(1) and (2), the deployer is free to organise its own resources and activities to implement the human-oversight measures indicated by the provider in the instructions for use.
Article 26(4) — to the extent the deployer exercises control over input data, ensure that the input data is relevant and sufficiently representative in view of the intended purpose.
Article 26(5) — monitor the operation of the high-risk AI system on the basis of the instructions for use; if the deployer considers that use in accordance with instructions may result in a risk of the high-risk AI system presenting a risk under Article 79(1), it shall, without undue delay, inform the provider or distributor and the relevant market-surveillance authority and suspend the use. For serious incidents under Article 73 the deployer shall immediately inform first the provider, and then the importer or distributor and the relevant market-surveillance authorities; if the deployer cannot reach the provider, Article 73 applies mutatis mutandis. Sensitive operational data in the law-enforcement context may be excluded from the notification.
Article 26(6) — log retention: deployers of high-risk AI systems shall keep the logs automatically generated by the system, to the extent the logs are under their control, for a period appropriate to the intended purpose and at least six months, unless Union or national law (in particular Union law on the protection of personal data) provides otherwise.
Article 26(7) — before putting into service or use of a high-risk AI system at the workplace, deployers who are employers shall inform workers' representatives and the affected workers that they will be subject to the use of the high-risk AI system.
Article 26(8) — deployers that are public authorities, agencies or bodies of the Union, or that act on their behalf, shall comply with the registration obligations referred to in Article 49.
Article 26(9) — where applicable, deployers of high-risk AI systems shall use the information provided under Article 13 to comply with their obligation to carry out a DPIA under Article 35 GDPR.
Article 26(10) — deployers of high-risk AI systems referred to in Annex III(1)(a) (post-remote biometric identification) used in the context of a targeted search for a specific person suspected or convicted of having committed a criminal offence shall request prior authorisation for the use of the system from a judicial authority or independent administrative authority of the Member State in which the use is to take place. This is Article 26(10)'s own authorisation regime — separate from Article 5(1)(h) and the 5(2)–(7) regime applicable to real-time RBI under Article 5.
Article 26(11) — without prejudice to Article 50, deployers of high-risk AI systems referred to in Annex III that make decisions or assist in making decisions related to natural persons shall inform the natural persons that they are subject to the use of the high-risk AI system.
Article 26(12) — deployers shall cooperate with relevant competent authorities on any action the latter takes in relation to the high-risk AI system to implement the Regulation.

The relationship with GDPR is anchored in Article 2(7) (the AI Act does not affect Union law on personal-data protection, privacy, and the confidentiality of communications); Article 26(9) provides the operational hook for DPIA cross-reference; Article 26(11) triggers the natural-person notification duty in Annex III decision-influencing deployments.

Article 27 — fundamental-rights impact assessment

Prior to deploying a high-risk AI system referred to in Article 6(2), with the exception of high-risk AI systems intended to be used in the area listed in point 2 of Annex III, deployers that are bodies governed by public law, or are private entities providing public services, and deployers of high-risk AI systems referred to in points 5 (b) and (c) of Annex III, shall perform an assessment of the impact on fundamental rights that the use of such system may produce.
— Article 27(1), first sub-paragraph, Regulation (EU) 2024/1689

The Article 27(1) FRIA content requirements are points (a)–(f):

(a) a description of the deployer's processes in which the high-risk AI system will be used in line with its intended purpose.
(b) a description of the period of time and frequency within which each high-risk AI system is intended to be used.
(c) the categories of natural persons and groups likely to be affected by its use in the specific context.
(d) the specific risks of harm likely to have an impact on the categories of natural persons or groups, taking into account the information given by the provider under Article 13.
(e) a description of the implementation of human oversight measures, according to the instructions for use.
(f) the measures to be taken in the case of the materialisation of those risks, including the arrangements for internal governance and complaint mechanisms.

Article 27(3) requires the deployer to notify the market-surveillance authority of the results of the assessment by submitting the filled-out template. The AI Office is to develop the template under Article 27(5). Article 27(4) recognises that where the obligations laid down in Article 27 are already met through a DPIA under Article 35 GDPR, or under Article 27 of Directive (EU) 2016/680 (Law Enforcement Directive), the FRIA may complement those assessments — but they remain separate legal duties and the Article 27 EU AI Act specific content is not satisfied by a DPIA alone.

Article 27 ≠ Article 35 GDPR DPIA

A FRIA addresses fundamental rights and risks of harm from the AI deployment context. A DPIA addresses risks to data subjects from personal-data processing. The two can share evidence; they cannot substitute for one another. The Article 27 deployer must perform both where both are triggered (a Member State public-sector AI deployment processing personal data will typically need both).

How to operationalise role-based duties in Modulos

Modulos models legal roles as a first-class project-level setting (multi-select) on the EU AI Act application template — Project → Settings → EU AI Act → Role. Setting the role scopes the active MFF-1 / OFF-1 requirements. A single project can carry multiple roles where the same legal entity is both for the same system.

The per-role obligations map onto the following requirements:

Requirement	Description	OJ Article
`ORF-11`	Corrective Actions (org)	Article 16 / Article 20
`ORF-12`	Duty of Information (org)	Article 20
`ORF-13`	Cooperation with Competent Authorities (org)	Article 21
`MRF-41`	Disclosure of Contact Information	Article 16(b)
`MRF-39`	Accessibility	Article 16(l)
`ORF-8`	Quality Management System (org)	Article 17
`ORF-62`	Documentation Keeping (org)	Articles 18 / 22 / 23
`MRF-37`	EU Representative	Article 22
`MRF-114`	EU Representative Mandate	Article 22
`MRF-115`	EU Representative Duty to Verify Evidence of Conformity	Article 22(3)
`MRF-116`	EU Representative Registration	Article 22(3) / Article 49
`MRF-112`	Duty to Verify Evidence of Conformity	Article 23 (importer)
`MRF-113`	Duty to Ensure Appropriate Storage or Transport Conditions	Article 23 / Article 24
`MRF-117`	Modification Assistance	Article 25(2)
`MRF-118`	Integration Assistance	Article 25(4)
`MRF-14`, `ORF-14`	Use and Oversight (deployer)	Article 26
`ORF-49`	Deployment Monitoring and Incident Handling (org)	Article 26
`ORF-57`	Deployer Cooperation with Competent Authorities (org)	Article 26
`MRF-48`	Relevant and Representative Data in Use	Article 26(4)
`MRF-50`	Keeping Logs by Deployer	Article 26(6)
`MRF-52`	Transparent Deployment at Workplace	Article 26(7)
`MRF-53`	Public Deployer Registration	Article 26(8) / Article 49(3)
`MRF-51`	Using Provider-Supplied Information for DPIA	Article 26(9)
`MRF-54`	Post-Remote Biometric ID Authorisation and Reporting	Article 26(10)
`MRF-55`	Transparent Automated Decision-Making	Article 26(11)
`MRF-56`	Explanation of Automated Decisions	Article 86
`MRF-15`	Fundamental Rights Impact Assessment	Article 27
`ORF-36`	AI Literacy (org)	Article 4

Operating rules:

The Article 25(1)(b) substantial-modification rationale is recorded as control-level evidence on MRF-117 (Modification Assistance) — not a dedicated workflow surface. Modulos surfaces a scoping question that prompts the deployer to confirm whether deployment-time changes constitute substantial modification; the rationale and supporting evidence (model fingerprint, prompt-template version, fine-tuning records) are linked to controls on the requirement.
The Article 27 FRIA (MRF-15) lives on MFF-1 as evidence-attached — the FRIA document, its update history, and the market-surveillance-authority notification artefact are stored as control-level evidence. The FRIA is a deployer-authored document with structured supporting evidence; no dedicated FRIA workflow surface.
The Article 26(6) log retention duty (MRF-50) is operationally an evidence-keeping requirement; Modulos can host the deployer's log-retention attestation as control-level evidence.
Article 4 AI literacy (ORF-36) applies to providers and deployers of any AI system from 2 February 2025, regardless of high-risk classification.

Cross-framework mapping (preview)

EU AI Act	Adjacent provision
Article 3(3) provider	(Distinct from GDPR Article 4(7) controller; distinct from product-liability "manufacturer" under PLD)
Article 3(4) deployer	(Distinct from GDPR controller — see FAQ)
Article 16 provider duties	ISO 42001 Clauses 5–9; ISO 9001 QMS; sectoral conformity-assessment regimes
Article 17 QMS	ISO 9001; ISO 42001; ISO 13485 (medical devices)
Article 22 authorised representative	(Distinct from Article 54 GPAI authorised representative)
Article 25 accidental provider	(No direct analogue — specific to the AI Act value chain)
Article 26 deployer duties	NIST AI RMF GOVERN / MANAGE; ISO 42001 operational controls
Article 26(9) DPIA cross-reference	Article 35 GDPR DPIA (separate duty, may share evidence)
Article 27 FRIA	(Conceptually adjacent to DPIA but legally distinct; Council of Europe AI Convention HUDERIA)
Article 79(1) risk	NIS2 Article 21 risk management; ISO 31000

EU AI Act overview

Four obligation regimes, classification flow, common misreadings

High-risk AI systems

Article 6 routing; Articles 8–15 substantive obligations on providers

Prohibited practices and transparency

Article 5 prohibitions + Article 50 deployer-side transparency duties

Conformity assessment and CE marking

Article 43 routes; declaration; CE marking; EU database registration

General-purpose AI models

Chapter V — Article 54 authorised representatives for non-EU GPAI providers

Operationalizing in Modulos

Role tagging, OFF-1 / MFF-1 rollout, evidence patterns

Source attribution

Regulation (EU) 2024/1689 — Articles 3, 16, 17, 22, 23, 24, 25, 26, 27, 49 and 79 — is published in the Official Journal of the European Union L of 12 July 2024 (CELEX 32024R1689). Verbatim quotes on this page reflect the OJ-published text. The AI Omnibus consolidated text, when published, will supersede where it amends.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.

Comparison

EU AI Act

Commission guidance

ISO Standards

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

NIST AI RMF

GDPR (EU)

NIS2 (EU)

DORA (EU)

OWASP for AI Security

UAE AI Ethics

MAS FEAT

Microsoft Supplier DPR

Roles and responsibilities

Quick decision

TL;DR

AI Omnibus provisional agreement (May 2026)

Article 3 — the definitions that anchor the regime

Article 3(3) — provider

Article 3(4) — deployer

Article 3(5) — authorised representative

Article 3(6) — importer

Article 3(7) — distributor

Article 3(8) — operator

Article 16 — provider obligations on high-risk AI systems

Article 22 — authorised representatives for non-EU providers of high-risk AI systems

Article 23 — importer obligations

Article 24 — distributor obligations

Article 25 — the accidental-provider rules

Article 26 — deployer obligations on high-risk AI systems

Article 27 — fundamental-rights impact assessment

How to operationalise role-based duties in Modulos

Cross-framework mapping (preview)

Source attribution

Commission guidance

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

Roles and responsibilities ​

Quick decision ​

TL;DR ​

AI Omnibus provisional agreement (May 2026) ​

Article 3 — the definitions that anchor the regime ​

Article 3(3) — provider ​

Article 3(4) — deployer ​

Article 3(5) — authorised representative ​

Article 3(6) — importer ​

Article 3(7) — distributor ​

Article 3(8) — operator ​

Article 16 — provider obligations on high-risk AI systems ​

Article 22 — authorised representatives for non-EU providers of high-risk AI systems ​

Article 23 — importer obligations ​

Article 24 — distributor obligations ​

Article 25 — the accidental-provider rules ​

Article 26 — deployer obligations on high-risk AI systems ​

Article 27 — fundamental-rights impact assessment ​

How to operationalise role-based duties in Modulos ​

Cross-framework mapping (preview) ​

Related pages ​

Source attribution ​

Roles and responsibilities

Quick decision

TL;DR

AI Omnibus provisional agreement (May 2026)

Article 3 — the definitions that anchor the regime

Article 3(3) — provider

Article 3(4) — deployer

Article 3(5) — authorised representative

Article 3(6) — importer

Article 3(7) — distributor

Article 3(8) — operator

Article 16 — provider obligations on high-risk AI systems

Article 22 — authorised representatives for non-EU providers of high-risk AI systems

Article 23 — importer obligations

Article 24 — distributor obligations

Article 25 — the accidental-provider rules

Article 26 — deployer obligations on high-risk AI systems

Article 27 — fundamental-rights impact assessment

How to operationalise role-based duties in Modulos

Cross-framework mapping (preview)

Related pages

Source attribution