EU AI Act Provider Obligations: The Complete Checklist (2026)
A provider carries the heaviest load under the EU AI Act. If you develop an AI system — or put your name or trademark on one — and place it on the EU market, you are the provider, and for high-risk systems that means a full conformity assessment, technical documentation and a CE mark before you can sell. This page lists every provider obligation with its article, in plain English.
Are you a provider?
You are a provider if you develop an AI system (or a general-purpose AI model) and place it on the market or put it into service under your own name or trademark — whether you built it yourself or had it built for you, and whether you charge for it or give it away. Article 25 also turns a deployer into a provider the moment they put their name on a high-risk system, substantially modify it, or repurpose it into a high-risk use. Location doesn't matter: if the output is used in the EU, you're in scope.
The mistake teams make
The most expensive mistake: assuming you're 'just a deployer' after white-labelling or fine-tuning someone else's model. Under Art. 25, rebranding a high-risk system as your own, or substantially modifying it, makes you the provider — inheriting the entire Art. 16 obligation set, including a fresh conformity assessment.
Provider obligations, article by article
- Art. 9Risk management system
Establish, run and document a continuous, iterative risk-management process across the whole lifecycle.
- Art. 10Data & data governance
Use training, validation and test data that is relevant, representative and examined for bias.
- Art. 11 + Annex IVTechnical documentation
Draw up the full technical file before placing on the market and keep it current.
- Art. 12Record-keeping (logging)
Design the system to automatically log events over its lifetime for traceability.
- Art. 13Transparency to deployers
Supply clear instructions for use so deployers can meet their own obligations.
- Art. 14Human oversight
Build in measures that let a human effectively oversee, intervene and stop the system.
- Art. 15Accuracy, robustness & cybersecurity
Achieve appropriate accuracy and resilience against errors, faults and attacks.
- Art. 17Quality management system
Operate a documented QMS covering the whole compliance strategy and processes.
- Art. 18–19Documentation & logs keeping
Keep the technical file and auto-generated logs for at least 10 years / 6 months.
- Art. 20Corrective actions & duty to inform
Withdraw or recall non-conforming systems and notify authorities and deployers.
- Art. 43Conformity assessment
Pass the required conformity assessment (self-assessment or notified body) before market.
- Art. 47–48EU declaration of conformity + CE marking
Draw up the declaration and affix the CE marking to signal conformity.
- Art. 49EU database registration
Register the high-risk system in the EU database before putting it into service.
- Art. 72Post-market monitoring
Run a plan to actively collect and review real-world performance data after launch.
- Art. 73Serious incident reporting
Report serious incidents to the market-surveillance authority, generally within 15 days.
Key deadlines
- 2 Feb 2025 — prohibited-practice ban + AI literacy already in force
- 2 Aug 2025 — GPAI-model provider obligations apply
- 2 Aug 2026 — most high-risk provider obligations (Annex III) apply
- 2 Aug 2027 — high-risk systems that are safety components of regulated products
FAQ
Is my company a provider or a deployer?
You're a provider if you develop the AI system or place it on the market under your own name. You're a deployer if you use a system built by someone else. If you rebrand or substantially modify a high-risk system (Art. 25), you become the provider even if you didn't build it.
Do providers outside the EU have to comply?
Yes. The Act is extraterritorial: if your AI system, or its output, is used in the EU, you are in scope regardless of where you are based. Non-EU providers of high-risk systems must also appoint an EU authorised representative (Art. 22).
What happens if a provider skips the conformity assessment?
Placing a high-risk system on the market without a valid conformity assessment, CE marking and EU-database registration is a breach that can attract fines of up to €15 million or 3% of global annual turnover, whichever is higher.
Not sure? You might also be a…
Run the free 2-minute checker — deterministic, no sign-up.