Skip to content

EU AI Act

Who must comply with the EU AI Act's transparency rules

You must comply with the EU AI Act if any of three things is true: you place an AI system on the EU market (wherever you are established), you are established or located in the EU and use an AI system professionally, or you are located anywhere and the output produced by your AI system is used in the EU. Which duties you owe then depends on your role: providers (who build the system, or offer it under their own name) owe the machine-readable marking and chatbot-transparency duties of Article 50, while deployers (who use a system under their authority in a professional context) owe the deepfake and public-interest text disclosure duties. The same company is often both.

This page is the qualifier: work through it to determine whether the Article 50 obligations attach to you, and as which role.

The two roles: provider and deployer

The AI Act hangs almost every obligation on two defined roles in Article 3.

A provider (Article 3(3)) is a natural or legal person, public authority, agency, or other body that develops an AI system or general-purpose AI model, or has one developed, and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.

A deployer (Article 3(4)) is a natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal, non-professional activity.

Three consequences of these definitions catch companies off guard.

“Under its own name or trademark” makes integrators into providers. You did not train the model. You call a general-purpose model through an API, wrap it in your product, and sell the product under your brand. To your users and to the regulator, the AI system they interact with is yours: you are its provider. The upstream model provider has its own obligations at the model level, but that does not discharge yours at the system level. Recital 133 explicitly anticipates this stack, noting that marking techniques “can be implemented at the level of the AI system or at the level of the AI model,” so a model-level watermark you inherit can help you fulfil the duty; verifying that it is actually present and preserved in your pipeline remains your job (see what watermarking compliance requires).

“Free of charge” closes the free-tier loophole. Offering the system gratis, in beta, or as open access is still placing it on the market.

“Personal, non-professional” is the only use carve-out. Article 2(10) excludes individuals using AI privately. Any business use, by any size of business, is deployment.

The decision tree

Work through four questions for each product or use of AI in your organization.

1. Does an AI system generate synthetic content, interact with people, or read people, anywhere in your operation? If no system generates audio, image, video, or text, none converses with users, and none does emotion recognition or biometric categorisation, Article 50 does not attach (other parts of the Act may). If yes, continue.

2. Do you offer that system to others under your name, or only use it? Offer it (sell it, license it, expose it as a product or feature, even free): you are a provider. Use a third party’s system inside your business (marketing team generates campaign video, support runs a vendor’s chatbot): you are a deployer. Build your own tool and use it internally only: putting it into service for own use under your own name still makes you a provider, and you may simultaneously be its deployer.

3. Is there an EU nexus? Any one suffices:

  • You place the system on the market or put it into service in the Union, wherever you are established (Article 2(1)(a)).
  • You are a deployer with a place of establishment or location in the Union (Article 2(1)(b)).
  • You are a provider or deployer in a third country, and the output produced by the AI system is used in the Union (Article 2(1)(c)).

4. Which duties follow?

Your roleYour Article 50 duties
Provider of a system that interacts with peopleDesign it so people know it is AI (Art. 50(1))
Provider of a system generating audio, image, video, or textMachine-readable marking of all synthetic output (Art. 50(2)); see the engineering requirements
Deployer of emotion recognition or biometric categorisationInform exposed persons (Art. 50(3))
Deployer generating or manipulating deepfake contentVisible disclosure that it is artificially generated or manipulated (Art. 50(4)); see label patterns
Deployer publishing AI text to inform the public on matters of public interestDisclosure, unless human review plus editorial responsibility (Art. 50(4))

The extraterritorial reach, concretely

The scope article, Article 2, is built to prevent exactly the arbitrage a non-EU company might hope for. Two of its limbs do the work.

Article 2(1)(a): market access, not establishment. Providers placing AI systems on the market in the Union are covered “irrespective of whether those providers are established or located within the Union or in a third country.” If EU users can sign up for your generative SaaS, you have placed it on the Union market. This is the same regulatory architecture as the GDPR’s, and it is why “we have no EU entity” has not been a defense in EU digital regulation for years.

Article 2(1)(c): output used in the Union. Providers and deployers located in a third country are covered “where the output produced by the AI system is used in the Union.” This limb reaches arrangements where the system itself never touches Europe. A Canadian agency that generates a synthetic video which its client then runs in an EU ad campaign; a US analytics firm whose AI-written market reports are distributed to EU subscribers: in both cases the output crosses into the Union, and the Act follows it.

Worked examples

ScenarioRoleIn scope?Why
US SaaS offering an AI image generator, EU users can subscribeProviderYesPlacing on the Union market, Art. 2(1)(a)
Canadian company using a US AI tool to make videos shown to EU audiencesDeployerYesOutput used in the Union, Art. 2(1)(c)
French retailer running a vendor’s support chatbotDeployer (vendor is provider)YesEstablished in the Union, Art. 2(1)(b)
German startup wrapping a general-purpose model API in its own branded writing appProviderYesOwn name or trademark, Art. 3(3)
US publisher whose AI-generated newsletter has no EU distribution and blocks EU signupsEitherGenerally noNo placing on the EU market and no output used in the Union; the position holds only as long as the geofence does
Individual making an AI meme for friendsNeitherNoPersonal, non-professional activity, Art. 2(10)

The last “no” deserves its caveat spelled out: scope turns on where output is used, not on your intentions. Distribution has a way of leaking across borders, which is why most global products choose to comply once, everywhere, rather than maintain an EU-specific content pipeline.

Both roles at once, and role flipping

Real organizations rarely sit cleanly on one side. A media company that builds an in-house article generator (provider, marking duty) and publishes its output (deployer, disclosure duty for public-interest text) owes both sets. A software vendor is a provider of its product and a deployer of the AI tools its own staff use.

Note also that under Article 25, a deployer or distributor can become the provider of a high-risk system by rebranding or substantially modifying it. Article 25 is written for the high-risk chapter, but the commercial lesson generalizes to transparency duties: putting your trademark on an AI system moves you up the responsibility chain, because under Article 3(3) offering a system under your own name is what makes a provider.

What being in scope actually requires

For most companies reading this, the answer resolves to one of three postures:

  1. Provider of generative features: implement machine-readable marking across every output modality by your applicable date (2 August 2026, or 2 December 2026 for systems on the market before 2 August 2026), plus chatbot transparency if the system converses. The build is specified in EU AI Act watermarking.
  2. Deployer of generative content: stand up the labeling workflow for deepfakes and public-interest text, per the disclosure requirements.
  3. Both: run the two workstreams together, with the provenance data the marking layer creates feeding the labels the disclosure layer shows.

Getting the role determination wrong is not a technicality: Article 50 breaches carry fines up to EUR 15 million or 3 percent of total worldwide annual turnover under Article 99(4), and the full obligation map, timeline, and penalty structure are on the Article 50 reference page.

The usual disclaimer applies with extra force on a scoping question: this is orientation, not legal advice, and borderline cases (co-branding, white-labeling, intra-group tool sharing) turn on contractual and factual detail that belongs with qualified EU counsel.

Once you know which side of the line you are on, Webisoft builds the compliance machinery itself: the watermarking, provenance, and labeling infrastructure that providers and deployers need in production before the deadlines.

eu-ai-actcomplianceproviderdeployerextraterritorialarticle-50

Frequently asked questions

We are a US company with no EU office. Does the EU AI Act apply to us?

It can, on two independent grounds. If you offer your AI system to users in the EU, you are placing it on the Union market and are covered as a provider irrespective of where you are established (Article 2(1)(a)). And even without offering it there, if the output your system produces is used in the EU, Article 2(1)(c) brings you in scope. Physical presence is not the test.

We only call the OpenAI or Anthropic API. Are we a provider or a deployer?

Using a model through an API inside your own product typically makes you the provider of the resulting AI system if you offer that product under your own name or trademark: your customers interact with your system, not the upstream model. If you merely use an AI tool internally in your operations, you are a deployer. Many companies are both, for different products.

Does personal, non-professional use count?

No. The AI Act does not apply to natural persons using AI systems in the course of a purely personal, non-professional activity (Article 2(10)). An individual making a deepfake meme for a group chat is outside the Act, though platform rules and other laws still apply.