
AI Supply Chain Compliance: Who’s Responsible for What Under the EU AI Act

Last reviewed: April 9, 2026

Jurisdictions covered: EU

Reading time: 14 minutes


You licensed an AI system from a provider. You customized it for your industry, put your company's name and branding on it, and offered it to your enterprise clients as part of your SaaS platform. If that system is high-risk, then under the EU AI Act you just became its provider, with all provider obligations: conformity assessment, CE marking, and registration in the EU database.

Art. 25 of Regulation (EU) 2024/1689 does this by operation of law, not by anything in your licence agreement. The moment you put your name or trademark on a high-risk system already on the market, substantially modify one, or change a system's intended purpose so that it becomes high-risk, you are the regulator-facing entity for it. Many organizations do not notice this has happened.

The EU AI Act does not regulate AI companies. It regulates AI roles. Five distinct roles carry different obligations, and most organizations occupy multiple roles simultaneously. A procurement team buying an AI tool is a deployer. A SaaS company white-labeling a third-party model is a provider. A systems integrator customizing AI for clients may be both. An EU-based subsidiary importing AI from a US parent is an importer.

This article maps who owes what to whom across the full supply chain. For the risk classification framework that determines which systems trigger these obligations, see our Annex III guide.

Key Takeaways

  • Five roles, five obligation sets. Provider, deployer, importer, distributor, and authorized representative each carry distinct legal responsibilities under the AI Act (Art. 3 groups them, together with product manufacturers, under the term "operator").
  • Most organizations hold multiple roles. A company that develops AI, deploys it internally, and distributes it to partners is simultaneously a provider, deployer, and distributor.
  • Deployers are NOT just "users." Art. 26 imposes real obligations: human oversight, monitoring, input data relevance, log retention, informing workers and affected persons, and incident reporting through the provider. Certain deployers must also complete a fundamental rights impact assessment (FRIA) under Art. 27.
  • The rebranding trap (Art. 25): Putting your name or trademark on a high-risk AI system already on the market, substantially modifying a high-risk system, or changing the intended purpose of a system so that it becomes high-risk makes you the provider, with full provider obligations. The original provider then ceases to be the provider for that system but must still cooperate and hand over the information you need (Art. 25(2)).
  • Providers carry the heaviest load. Risk management, data governance, technical documentation, conformity assessment, QMS, post-market monitoring, and 10-year document retention.

Provider Obligations: The Heaviest Load

Art. 16 assigns providers the most extensive obligations in the AI Act. If you are a provider of a high-risk AI system, you must:

Obligation (Article): What it requires

Risk management system (Art. 9): Continuous, iterative risk identification and mitigation throughout the system's lifecycle
Data governance (Art. 10): Training, validation, and testing data must be relevant, sufficiently representative, examined for bias, and, to the best extent possible, free of errors and complete
Technical documentation (Art. 11, Annex IV): Detailed documentation drawn up before market placement, covering system architecture, training data, testing methodology, and accuracy metrics, and kept up to date
Record-keeping (Art. 12, Art. 19): Automatic event logging over the system's lifetime; the provider keeps the logs under its control for at least six months (deployers have the same six-month minimum under Art. 26(6))
Transparency (Art. 13): Instructions for use covering capabilities, limitations, intended purpose, and accuracy levels
Human oversight (Art. 14): Design features enabling effective human oversight, including the ability to override, interrupt, or stop the system
Accuracy, robustness, cybersecurity (Art. 15): Appropriate levels throughout the lifecycle, including resilience against attempts to manipulate the system
Quality management system (Art. 17): Written QMS with the 13 elements listed in Art. 17(1), covering the full AI lifecycle
Conformity assessment (Art. 43): Internal control (Annex VI) or third-party assessment by a notified body (Annex VII) before market placement
CE marking (Art. 48): Affix the CE mark visibly, legibly, and indelibly
EU database registration (Art. 49): Register before placing on the market (database not yet operational)
Post-market monitoring (Art. 72): Documented system for monitoring performance after deployment
Serious incident reporting (Art. 73): Report to the market surveillance authority immediately after establishing a causal link or the reasonable likelihood of one, and in any event no later than 15 days after becoming aware; shorter deadlines apply for a death (10 days) and for widespread infringements (2 days)
Document retention (Art. 18): Keep technical documentation, QMS documentation, notified body decisions, and the EU declaration of conformity for 10 years after the system is placed on the market

This is not a checklist you complete once. Art. 9 requires risk management that runs “throughout the entire lifecycle.” Art. 72 requires monitoring as long as the system is in use. Being a provider is an ongoing commitment, not a one-time assessment.

Importers and Distributors: The Overlooked Roles

Importers (Art. 23) must verify, before placing the AI system on the EU market, that the non-EU provider has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking, supplied the EU declaration of conformity and instructions for use, and appointed an authorized representative. If the importer has "sufficient reason" to consider the system non-compliant, it must not place it on the market and must inform the provider, the authorized representative, and the market surveillance authorities. Importers must also put their own name and contact details on the system or its packaging, and keep a copy of the declaration of conformity and instructions for use for 10 years.

Distributors (Art. 24) must verify the CE marking, the EU declaration of conformity, and the instructions for use, and that the provider and importer have complied with their own obligations, before making the AI system available on the market. They must ensure storage and transport conditions do not jeopardize compliance. If they consider or have reason to consider the system non-compliant, they must not make it available, and if it is already on the market they must take corrective action and inform the provider or importer and the market surveillance authorities.

These roles matter most for non-EU AI entering the European market. A US AI company selling through an EU reseller makes that reseller the importer, with verification obligations of its own, even though the reseller did not develop the AI. In practice this means the reseller needs the declaration of conformity, the instructions for use, and evidence of the conformity assessment in hand before the first sale, which is a contractual deliverable to negotiate with the US provider, not something to assume.

GPAI in the Supply Chain

General-purpose AI model providers have separate obligations under Art. 53 that affect the supply chain:

Downstream information obligation. Under Art. 53(1)(b), GPAI providers must give downstream providers of AI systems who intend to integrate the model sufficient information and documentation to understand its capabilities and limitations and to comply with their own obligations. If you build a high-risk AI system on top of a GPAI model, this is the documentation you rely on to complete your conformity assessment, data governance documentation, and risk management; it should cover at least the elements in Annex XII. Note the caveat in Art. 53(2): this obligation does not apply to free and open-source models whose parameters, architecture, and usage information are made publicly available, unless the model is classified as having systemic risk. If you build on such a model, you may get no dedicated downstream documentation and must gather the equivalent information yourself.

In practice, this means GPAI providers (OpenAI, Anthropic, Google, Mistral, etc.) must keep up-to-date technical documentation (Art. 53(1)(a)), make downstream documentation available to integrators (Art. 53(1)(b)), and publish a summary of the training content (Art. 53(1)(d)). The downstream documentation exists not only for the regulator but so that customers can meet their own obligations as high-risk AI providers.

For the full GPAI analysis, see our GPAI Obligations guide.

What to Do Next

1. Identify your role(s). For each AI system your organization develops, uses, imports, or distributes, determine which of the five roles applies. Most organizations hold two or three roles simultaneously.

2. Map your AI supply chain. Document every AI component: who developed it, who provides it, who deploys it, which GPAI models it integrates, and whether any customization, rebranding, or change of intended purpose triggers provider status under Art. 25.

3. Audit contracts. Review provider-deployer agreements for obligation allocation, information sharing provisions (including the Art. 25(2) hand-over from the original provider), incident notification chains, audit rights, and liability allocation. If your contract doesn't address AI Act obligations, it needs updating.

4. Budget for your role. Provider obligations are estimated at EUR 20-150K+ per system for conformity assessment alone. Deployer obligations require ongoing operational investment in human oversight, monitoring, log retention, and documentation. Plan accordingly.

For related guidance, see our impact assessment guide article.


Disclaimer

This content is for informational and educational purposes only. It does not constitute legal advice. AI regulation varies by jurisdiction and changes frequently. Consult qualified legal counsel for advice specific to your organization’s circumstances and jurisdiction. Reg Intel is not a law firm and does not provide legal services.


Reg Intel
Published: April 9, 2026 · Updated: April 10, 2026
Source: https://reg-intel.com/ai-supply-chain-compliance-whos-responsible-for-what-under-the-eu-ai-act/