nudgecompliant

← Back to blog

EU AI Act Basics

7 min read

What is an AI Deployer Under the EU AI Act?

An AI deployer is a person or organisation that uses an AI system under its authority in a professional context. Most businesses using third-party AI tools are deployers rather than providers, but the role must be checked for each system and activity.

The official definition excludes people using AI in a purely personal, non-professional activity.

Common AI deployer examples

A business may be a deployer when it:

  • Uses Microsoft Copilot to support staff work
  • Operates a customer-service chatbot supplied by another company
  • Uses an AI recruitment tool to rank candidates
  • Uses AI to detect fraud or recommend credit decisions
  • Uses AI-assisted analytics to make operational decisions
  • Runs an emotion-recognition or biometric-categorisation system

The supplier may be the AI provider, while the customer organisation is the deployer. Both can have duties, but they are not the same duties.

The role depends on control and context

Paying for software is not the only test. Ask who uses the system under their authority, who chooses the purpose, and who applies its output.

A company using a standard AI service for internal tasks is commonly a deployer. A company that substantially modifies a system or sells it under its own name may also become a provider. A business can hold both roles in different circumstances.

Keep the role decision in your AI System Register, along with the reason for it.

Does the Act apply outside the EU?

It can. The Act covers deployers established or located in the EU. It can also cover providers and deployers outside the EU where output produced by the AI system is used in the EU.

This does not mean every overseas business with one EU customer automatically has every deployer duty. Territorial scope, actor role, system category, and the particular obligation must be assessed together.

General duties deployers should check

Article 4 requires providers and deployers to take measures to ensure an appropriate level of AI literacy among relevant staff and others operating systems on their behalf.

Article 50 can require deployers to disclose specified uses, including emotion recognition, biometric categorisation, deepfakes, and certain AI-generated public-interest text. Direct AI-interaction notices are framed around providers, so contracts and implementation responsibilities should be checked rather than assuming every Article 50 duty sits with the deployer.

Deployers must also follow any rules that apply to the system's category and use. High-risk AI systems create a much larger set of responsibilities.

High-risk deployer duties

For a defined high-risk system, deployer obligations may include:

  • Following the provider's instructions
  • Assigning competent human oversight
  • Ensuring relevant input data is appropriate where the deployer controls it
  • Monitoring operation and responding to risks or serious incidents
  • Keeping automatically generated logs under the required conditions
  • Completing a fundamental-rights impact assessment where Article 27 applies
  • Informing workers and, in specified cases, affected people

Not every hiring, finance, or healthcare tool is automatically high risk. The system must be tested against the Act's definitions, Annex III, and any relevant exclusions.

Provider and deployer responsibilities must connect

The provider supplies instructions and information. The deployer needs enough of that material to operate the system properly. Procurement should therefore check:

  • The provider's role and contact details
  • Intended purpose and prohibited uses
  • Known limitations and accuracy information
  • Logging and monitoring features
  • Human-oversight controls
  • Incident and support processes

A contract cannot remove a statutory duty, but it can make operational responsibility clearer.

What to do now

Create an inventory, assign an owner, identify your role, classify the use, record customer or employee impact, and preserve the provider's instructions. Train staff and add any required transparency notices.

If the system affects an important decision, obtain a focused legal and technical review. For ordinary tools, run the free audit to identify the likely deployer obligations in plain English.


This article provides general information, not legal advice.

Find out whether your business is an AI deployer →

Check my tools →