EU AI Act · Art. 3(3)

EU AI Act Provider Obligations: The Complete Checklist (2026)

A provider carries the heaviest load under the EU AI Act. If you develop an AI system — or put your name or trademark on one — and place it on the EU market, you are the provider, and for high-risk systems that means a full conformity assessment, technical documentation and a CE mark before you can sell. This page lists every provider obligation with its article, in plain English.

Are you a provider?

You are a provider if you develop an AI system (or a general-purpose AI model) and place it on the market or put it into service under your own name or trademark — whether you built it yourself or had it built for you, and whether you charge for it or give it away. Article 25 also turns a deployer into a provider the moment they put their name on a high-risk system, substantially modify it, or repurpose it into a high-risk use. Location doesn't matter: if the output is used in the EU, you're in scope.

The mistake teams make

The most expensive mistake: assuming you're 'just a deployer' after white-labelling or fine-tuning someone else's model. Under Art. 25, rebranding a high-risk system as your own, or substantially modifying it, makes you the provider — inheriting the entire Art. 16 obligation set, including a fresh conformity assessment.

Provider obligations, article by article

  • Art. 9
    Risk management system

    Establish, run and document a continuous, iterative risk-management process across the whole lifecycle.

  • Art. 10
    Data & data governance

    Use training, validation and test data that is relevant, representative and examined for bias.

  • Art. 11 + Annex IV
    Technical documentation

    Draw up the full technical file before placing on the market and keep it current.

  • Art. 12
    Record-keeping (logging)

    Design the system to automatically log events over its lifetime for traceability.

  • Art. 13
    Transparency to deployers

    Supply clear instructions for use so deployers can meet their own obligations.

  • Art. 14
    Human oversight

    Build in measures that let a human effectively oversee, intervene and stop the system.

  • Art. 15
    Accuracy, robustness & cybersecurity

    Achieve appropriate accuracy and resilience against errors, faults and attacks.

  • Art. 17
    Quality management system

    Operate a documented QMS covering the whole compliance strategy and processes.

  • Art. 18–19
    Documentation & logs keeping

    Keep the technical file and auto-generated logs for at least 10 years / 6 months.

  • Art. 20
    Corrective actions & duty to inform

    Withdraw or recall non-conforming systems and notify authorities and deployers.

  • Art. 43
    Conformity assessment

    Pass the required conformity assessment (self-assessment or notified body) before market.

  • Art. 47–48
    EU declaration of conformity + CE marking

    Draw up the declaration and affix the CE marking to signal conformity.

  • Art. 49
    EU database registration

    Register the high-risk system in the EU database before putting it into service.

  • Art. 72
    Post-market monitoring

    Run a plan to actively collect and review real-world performance data after launch.

  • Art. 73
    Serious incident reporting

    Report serious incidents to the market-surveillance authority, generally within 15 days.

Key deadlines

  • 2 Feb 2025 — prohibited-practice ban + AI literacy already in force
  • 2 Aug 2025 — GPAI-model provider obligations apply
  • 2 Aug 2026 — most high-risk provider obligations (Annex III) apply
  • 2 Aug 2027 — high-risk systems that are safety components of regulated products

FAQ

Is my company a provider or a deployer?

You're a provider if you develop the AI system or place it on the market under your own name. You're a deployer if you use a system built by someone else. If you rebrand or substantially modify a high-risk system (Art. 25), you become the provider even if you didn't build it.

Do providers outside the EU have to comply?

Yes. The Act is extraterritorial: if your AI system, or its output, is used in the EU, you are in scope regardless of where you are based. Non-EU providers of high-risk systems must also appoint an EU authorised representative (Art. 22).

What happens if a provider skips the conformity assessment?

Placing a high-risk system on the market without a valid conformity assessment, CE marking and EU-database registration is a breach that can attract fines of up to €15 million or 3% of global annual turnover, whichever is higher.

Not sure? You might also be a…

See exactly which role and obligations apply to you

Run the free 2-minute checker — deterministic, no sign-up.

Run the free check