Transparency rules in2 Aug 2026
Library / Guide

What to expect from your AI provider

You are a deployer, but you depend on the provider doing their part. Knowing the provider duties tells you what to ask a vendor for, and what you can lean on.

The provider's job

For a high-risk system, the provider carries a heavy load: building in risk management, data governance, logging, and human-oversight features, preparing technical documentation, running a conformity assessment, and backing it all with a quality management system.

You do not have to do any of that, but you do benefit from it. A well-built high-risk system arrives with the features and the paperwork that make your own deployer duties achievable.

The CE mark and declaration of conformity

A high-risk system should carry a CE marking and come with an EU declaration of conformity, the provider's formal statement that it meets the Act's requirements. These are the visible signs that a provider has done the work.

Their absence on a system sold to you as compliant is a red flag worth stopping on. It is entirely reasonable to ask for both before you commit.

Instructions for use

The provider must give you clear instructions for use. These are not throwaway paperwork; they set out the system's intended purpose, its limits, and the human oversight it expects, which is exactly what keeps your own use inside the lines.

Read them, keep them, and make sure the people operating the system have them. Using a system outside its instructions is one of the easiest ways to take on risk that was meant to sit with the provider.

What to ask a vendor

Before you buy, ask whether the system is CE-marked, where data is processed, what human-oversight features exist, whether you can export the logs, and whether a data processing agreement is available.

A provider who handles the AI Act well will have ready answers. Hesitation or vagueness on these points tells you something about how much of the burden will land back on you.

Why it matters to you

Using a system outside its instructions, or one with no documentation behind it, undercuts your own compliance no matter how careful you are downstream. The provider's work is the foundation yours sits on.

Choosing providers who do their part is the single biggest thing that makes your deployer duties lighter. Vendor selection is a compliance decision, not only a procurement one.

Placeholder

This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.

Put it into practice

Classify your AI systems against the Act and generate the documents this guide describes.

A note on cookies

We use strictly necessary cookies to run the site and keep it secure. With your OK, we also use privacy-respecting, EU-hosted analytics to see how Veillo is used. No advertising, no third-party trackers. Read our cookie policy.