Obligations depend on type of operator and risk category

As we explained in our first article, the EU AI Act focuses regulation of AI systems on 4 categories of risk:

1. Unacceptable risk
2. High-risk
3. Limited/specific transparency risk
4. Minimal/no risk.

Obligations are placed on various operators in the AI value chain: providers (developers) and their authorised representatives; deployers (users); importers; distributors; and product manufacturers. We discuss these below.

The nature and extent of the obligations imposed depends on the category of operator and the level of risk which applies to the AI system in question.

Most obligations fall on the providers, and then deployers, of high-risk systems. We’ll be delving into high-risk systems and their associated obligations in the next article in this series.

Regardless of the risk category, providers and deployers of all AI systems must take measures to ensure a sufficient level of AI literacy of their staff and others dealing with the operation and use of AI systems on their behalf (Article 4 of the Act). This obligation applies from 2 February 2025. In practice, this means implementing appropriate training programmes and policies and procedures to ensure compliance.

Types of operator

• Provider: An individual or organisation that develops, or commissions the development of, an AI system or general-purpose AI model [1] and places it on the market or puts the AI system into service under its own name or trademark. They don’t have to be located/established in the EU.
• Authorised representative: An individual or organisation located/established in the EU that performs obligations or carries out procedures relating to the Act on the provider’s behalf.
• Deployer: An individual or organisation using an AI system for professional purposes.

Note that both providers and deployers will be caught if they’re located/established outside of the EU but the output produced by the AI system is used in the EU.

• Importer:  An individual or organisation located/established in the EU that places on the market an AI system bearing the name or trademark of a non-EU established entity.
• Distributor:  An individual or organisation in the supply chain, other than the provider or the importer, that makes an AI system available on the market.
• Product manufacturer: While not specifically defined in the Act, product manufacturers placing on the market or putting into service an AI system together with their product and under their own name or trademark fall within the Act’s scope.

This is particularly relevant in relation to high-risk AI systems. The product manufacturer will be considered the provider where these systems are safety components of products covered by EU product safety legislation listed in the Act.

Note that any deployer, importer, distributor, or other third party will be considered a provider of a high-risk AI system if:

• in respect of such a system already placed on the market or put into service, they put their name or trademark on it or substantially modify it; or,
• in respect of a non-high-risk AI system (including a general-purpose one) already placed on the market or put into service, they modify its intended purpose to make it high-risk.

What do ‘place on the market’, ‘make available on the market’ and ‘put into service’ mean?

• ‘Placing on the market’ means the first making available of an AI system or a general-purpose AI model on the EU market.
• ‘Making available on the market’ means the supply of an AI system or a general-purpose AI model for distribution or use on the EU market in the course of a commercial activity, whether in return for payment or free of charge.
• ‘Putting into service’ means the supply of an AI system for first use directly to the deployer or for own use in the EU for its intended purpose.

What should you do now?

Identify the role the business plays in relation to any AI systems and general-purpose AI models so that you can start to assess any potential exposure to the Act. Does it fall within the list of operator types set out above? Assessing the business’ use of or interaction with AI systems against the various risk categories in the Act will further help to isolate the areas you need to be looking at to comply.

If your business is caught by the Act, start thinking now about the steps you’re going to put in place to make sure your staff and others are sufficiently AI literate.

EU AI Act: How we can support you

The Act is long and complex and we’ll be helping to break it down bit by bit over the next few months and beyond. Next time we’ll be focusing on what comprises a high-risk AI system and the obligations that follow from that. If you have any queries in the meantime, and/or need advice on complying with the AI literacy requirement, please get in touch with Sally or James.

Confused about what AI is and how to introduce it into your business? Click here to access our guide to demystifying AI.

[1] ‘General-purpose AI models’ include large generative AI models which are capable of carrying out a wide range of distinct tasks and may be integrated into a lot of AI systems. They are specifically defined in the Act.