Deployer vs Provider
The vendor is the provider. You (the customer deploying the AI) are the deployer. Each role has distinct obligations, and deployers carry substantial obligations even on vendor-built AI.
Article 3(4) defines deployer as any natural or legal person using an AI system under its authority. If you fine-tune a vendor model substantially, change its intended purpose, or rebrand it, you become a provider under Article 25 and inherit the full provider obligations. Most CRM customers using Salesforce Einstein or HubSpot Breeze stay deployers — but adding custom prompts that materially change purpose can flip the role.
Deployer Obligations
Use the system per the vendor's instructions. Monitor for issues. Keep logs. Ensure human oversight is configured. Inform users that they are interacting with AI. Handle data subject rights. Report serious incidents to the authorities.
Article 26 specifies deployer duties: assign human oversight to natural persons with the necessary competence and authority; monitor operation against the provider’s instructions; suspend use and inform the provider on suspicion of risk; keep automatically generated logs for at least six months; conduct a fundamental rights impact assessment under Article 27 before first deployment in scope; inform workers and their representatives before deploying workplace AI; cooperate with authorities. Public-sector and essential-services deployers must register their use in the EU database.
Documentation
Document your specific deployment configuration, who the oversight lead is, what human review processes exist, how long logs are retained, and the incident response playbook. Auditors will ask for each of these.
Maintain a deployer file with: system name and version, provider details and CE-marking reference, intended purpose as documented by provider, your specific configuration (prompts, integrations, data sources), oversight lead and backup, training records for oversight staff, log-retention policy and storage location, incident response runbook, FRIA output, and review cadence. Keep linked to your GDPR ROPA — the two registers should reference each other.
Practical Timeline
Inventory your AI systems now. Map them to Annex III. Engage compliance and legal. Update documentation. Train staff. The August 2 deadline isn't negotiable; starting late means a compressed timeline and higher risk.
Suggested cadence: April-May, inventory and Annex III mapping. June, FRIA workshops with affected business units. July, oversight training and runbook tabletop exercises. Pre-August 2, EU database registration where required and final sign-off from the responsible C-level (typically CISO or DPO with legal countersignature).
Common Failure Modes
Treating provider’s CE marking as sufficient — it covers the system as built, not your deployment context. Skipping the FRIA because GDPR DPIA was already done — the AI Act FRIA is broader, covering rights beyond data protection. Designating “human oversight” as a checkbox role with no authority to actually stop the system. Failing to retain logs because they’re stored in an ephemeral SaaS tier you’ve never inspected.
What to Do This Week
Identify the natural person who will be your deployer-side human oversight lead for each high-risk system, in writing, with backup.