Provider or deployer: which one are you?
The single most useful question under the Act is whether you are a provider or a deployer. It decides how heavy your duties are. For most businesses the answer is deployer, but not always.
The two roles, defined
The Act splits the businesses it covers into roles, and the two that matter for almost everyone are provider and deployer. A provider develops an AI system, or has one developed, and places it on the market or puts it into service under its own name or trademark. A deployer uses an AI system under its own authority in the course of its business.
The plain version: the company that builds and sells the tool is the provider; the company that buys it and uses it is the deployer. The maker of a CV-screening product is the provider. The employer who runs it on their applicants is the deployer.
Why the distinction decides your workload
The two roles carry very different weights. Providers shoulder the build-side duties: a conformity assessment, technical documentation, a quality management system, CE marking for high-risk systems, and registration. That is a serious programme of work.
Deployer duties are lighter, but they are real and they are the ones most businesses actually face: use the system as the provider intended, keep a competent human in oversight, mind the input data you control, keep logs, and inform the people affected. Knowing which role you are in tells you which list is yours.
Most SMBs are deployers
If you buy, subscribe to, or otherwise use AI tools that someone else built, you are a deployer. You did not create the model; you are putting an existing one to work. That describes the overwhelming majority of small and medium businesses, and it is the role Veillo is built around.
Being a deployer is not a soft option, especially for high-risk uses, but it is a well-defined, manageable set of duties rather than the full provider burden.
When a deployer turns into a provider
The line is not fixed, and it is worth knowing what moves it, because crossing it changes your obligations sharply. You can take on provider duties if you put your own name or trademark on a high-risk system and offer it as yours, if you make a substantial modification to one, or if you repurpose a system into a high-risk use it was not built for.
Building your own model, or fine-tuning an existing one and offering the result to others, also puts you on the provider side. None of this is a trap to fear, but if your plans head that way, get advice early, because the heavier duties follow.
Importers, distributors, and wearing two hats
The Act names two more roles with their own lighter duties: importers, who bring a system from outside the EU onto the market, and distributors, who make it available along the chain. Most businesses are neither.
The roles are also assessed per system, not once for your whole company. You might deploy a dozen tools and provide one you built in-house. For each system, ask the same question afresh: are we using this, or are we the ones putting it on the market?
How to settle it for your business
For each AI system you use, the test is simple. Did we build it or brand it as ours? If not, and we are simply using it, we are the deployer, and the deployer duties are the ones to work through.
Veillo treats every system in your register on these terms, so your obligations follow from your actual role, system by system, rather than from a single guess about the whole company.
This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.
Put it into practice
Classify your AI systems against the Act and generate the documents this guide describes.