⚠ Status as of 17 July 2026: the obligations of provider (Art. 16), deployer (Art. 26), importer (Art. 23) and distributor (Art. 24) covered by this guide already apply to Annex III high-risk systems from 2 August 2026 (Article 113 of Regulation (EU) 2024/1689). The AI Digital Omnibus, signed on 8 July 2026 and still pending publication in the Official Journal (OJEU), would move the applicability of Annex III — and with it, the real date each role's obligations start applying — to 2 December 2027, but until it is published it is not applicable law.

Regulation (EU) 2024/1689 — the European AI Act — does not impose the same obligations on everyone who touches an AI system. It splits responsibility across four distinct roles — provider, deployer, importer and distributor — and each answers to different articles, with very different compliance burdens. Getting your role wrong is the costliest mistake a Spanish SME can make: applying a deployer's obligations when you're really a provider (or the other way round) leaves real compliance gaps exposed to the Article 99 penalty regime.

This guide explains what each role owes, using the Regulation's exact text, and lands the nuance that confuses SMEs the most: Article 25, which can turn a deployer, importer or distributor into a provider overnight — with all its obligations — without the company realising it has crossed that line.

In brief: the AI Act recognises 4 roles with their own obligations. The provider (Art. 16) develops the system and answers for conformity assessment, technical documentation and CE marking. The deployer (Art. 26-27) uses it under its own authority and answers for human oversight, the quality of the data it feeds in and, in some cases, a fundamental rights impact assessment (FRIA). The importer (Art. 23) brings the system into the EU from a third country and verifies the provider's compliance before marketing it. The distributor (Art. 24) makes it available in the supply chain without being provider or importer. And the key nuance: under Article 25, if you put your brand on someone else's system, substantially modify it, or change its purpose until it becomes high-risk, you become a provider with all the Article 16 obligations, even if you never "manufactured" it. Check your case with the free AI Act risk classifier, no signup required.

Not sure which role applies to you or which obligations follow? See the AI Act compliance service.

How many roles does the AI Act recognise, and how do they differ?

Article 3 of the Regulation defines each role by what the company does with the system, not by its size or sector. A provider (Art. 3.3) develops an AI system or has one developed and places it on the market or puts it into service under its own name or brand, whether paid or free. A deployer (Art. 3.4) is whoever uses the system under its own authority, unless used in a purely personal, non-professional activity. An importer (Art. 3.6) is the person or entity established in the EU that places on the EU market a system bearing the name of a company established outside the EU. A distributor (Art. 3.7) is any other link in the supply chain, other than provider or importer, that makes a system available on the EU market.

Most Spanish SMEs are deployers: they contract an ATS for recruitment, a risk-scoring engine or a chatbot already built by a third party. But reselling that same system under your own brand, integrating it into your own product, or bringing it in from a provider outside the EU is enough to change your role — and with it, your obligations.

What obligations does the provider of a high-risk AI system have?

Article 16 falls on whoever develops the system and places it on the market under its own brand. Its main obligations, listed letter by letter in the article itself:

Almost no Spanish SME is the provider of a system bought unmodified from a third party. If your company develops AI software it sells to other businesses, or does any of the three things Article 25 describes below, this is your role — with the twelve obligations above.

What must the deployer of a high-risk system do?

The deployer is the company using the system under its own authority — your SME, if you contract an ATS or a scoring engine already built by someone else. Article 26 imposes obligations it cannot delegate to the provider:

Article 27 adds an obligation many SMEs don't know about: public bodies, essential public-service providers and deployers using credit or insurance systems (points 5(b) and 5(c) of Annex III) must carry out a fundamental rights impact assessment (FRIA) before putting the system into service. The risk classification and Annex III guide details when this assessment applies and what it must document.

What obligations does an importer of an AI system have?

The importer (Art. 3.6) is whoever places on the EU market a high-risk system bearing the name or brand of a company established outside the European Union. It's a common role if your SME distributes in Spain a product with AI from a US, UK or Asian manufacturer. Article 23 requires it, before marketing the system, to:

And the distributor? (Article 24)

The distributor (Art. 3.7) is any other link in the supply chain — other than provider or importer — that makes an AI system available on the EU market, typically a reseller, systems integrator or sales channel. Article 24 requires it to:

Importers and distributors share a philosophy — both verify before moving the system, both keep watch afterwards — but the importer is always the first link when the provider is outside the EU, with the extra obligation of keeping documentation for 10 years, which the distributor does not have.

When does a deployer, importer or distributor become a provider?

This is the nuance that confuses SMEs the most, and the hardest to fix after the fact: Article 25 ("Responsibilities along the AI value chain") states that a distributor, importer, deployer or other third party is deemed to be a provider of a high-risk system — and becomes subject to all the Article 16 obligations above — in any of these three circumstances (Art. 25.1):

  1. Rebranding: you put your name or trademark on a high-risk system already placed on the market or put into service by another provider (Art. 25.1.a). Example: you buy a generic recruitment ATS and launch it as your own product.
  2. Substantial modification: you substantially modify a high-risk system already placed on the market, in a way that it remains high-risk (Art. 25.1.b). Example: you retrain a credit-scoring model you bought from a third party with your own data, materially changing its behaviour.
  3. Change of intended purpose: you modify the purpose of a system — including a general-purpose AI system (GPAI) — that was not classified as high-risk and already placed on the market, to the point it becomes high-risk (Art. 25.1.c). Example: you take a generic language model and adapt it to automate recruitment decisions.

If any of the three applies to you, the Regulation doesn't leave a middle ground: you become a full provider, with all twelve obligations of Article 16 — conformity assessment, technical documentation, quality management system, registration, CE marking — even though you never "built" the system from scratch. The original provider is released from those specific obligations, but Article 25.2 still requires it to closely cooperate with the new provider and make available the information and technical access reasonably needed. Article 25.4 requires that cooperation to be set out in a written agreement between both parties — unless the component is offered under a free and open-source licence — and allows the AI Office to publish voluntary model contract terms, free of charge.

For SMEs integrating third-party models (GPAI, external providers' APIs) into their own product, this is the single riskiest compliance point in the whole cluster: it's easy to cross the Article 25 line without realising it, especially under scenario (c), change of intended purpose. The GPAI and foundation models guide goes deeper into when integrating a general-purpose model turns you into a "downstream" provider.

Comparison table: obligations by role

RoleKey articleBefore marketing / usingWhile the system operatesCan it become a provider?
ProviderArt. 16Conformity assessment, technical documentation, quality management system, CE marking, EU registration.Logs under its control, corrective actions, cooperation with authorities.Already is — the starting point.
DeployerArt. 26-27Assign competent human oversight; where applicable, a FRIA (Art. 27).Monitor input data, monitor operation, keep logs 6 months, inform staff.Yes — if it substantially modifies the system or changes its purpose (Art. 25.1).
ImporterArt. 23Verify non-EU provider's conformity, CE marking and authorised representative.Keep documentation 10 years, transport conditions, cooperate with authorities.Yes — same scenarios as Art. 25.1.
DistributorArt. 24Verify CE marking, declaration of conformity and instructions for use.Storage conditions, withdrawal/recall if non-conformity is detected.Yes — same scenarios as Art. 25.1.

How do I know which role I have, step by step?

Before applying any of the obligation blocks above, answer these questions in order:

  1. Did you develop the system, or have it developed under your brand? If yes, you're a provider (Art. 16) from the outset.
  2. Do you use it as delivered by a third party, unmodified and without your brand on it? You're a deployer (Art. 26-27).
  3. Do you bring it into the EU bearing the brand of a company outside the Union? You're an importer (Art. 23), plus a deployer if you also use it.
  4. Do you market it in Spain without being the one who developed or imported it? You're a distributor (Art. 24).
  5. Have you put your brand on it, substantially modified it, or changed its purpose until it became high-risk? You become a provider (Art. 25), whatever your starting role was.

The AI Act risk classifier walks you through these questions alongside your system's classification, free and with no signup. If you're also unsure whether GDPR, ENS, NIS2 or DORA apply, the "which regulation applies to you?" wizard clarifies it in ten questions.

Prefer to work out your role together and leave with an action plan by article? Book a diagnostic session.

Does the Digital Omnibus change the split of roles?

Not directly. The AI Digital Omnibus (COM(2025) 836, procedure 2025/0359(COD)), adopted by the Council of the EU on 29 June 2026 and signed on 8 July 2026, delays the applicability timeline of Annex III to 2 December 2027 and Annex I to 2 August 2028 — but it does not touch the text of Articles 16, 23, 24, 25, 26 or 27, which define the roles and their obligations without an expiry date of their own. What changes with the delay is when those obligations become enforceable for a given Annex III system, not who has to comply with each block.

As of this guide, the Omnibus remains pending publication in the OJEU, so the date applicable to Annex III high-risk systems is 2 August 2026 (Art. 113), not December 2027. The full timeline — including what's already in force today without exception: prohibited practices since February 2025, GPAI obligations since August 2025, Article 50 transparency unchanged — is in AI Act 2026: the compliance timeline after the Digital Omnibus.