Provider Obligations Under the EU AI Act

Under Article 3(3) of the EU AI Act, a 'provider' is any natural or legal person, public authority, agency, or other body that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under its own name or trademark — whether for payment or free of charge. This definition is broader than it first appears. You are a provider if you develop an AI system and use it in your own operations under your own brand. You are also a provider if you substantially modify a third-party AI system before deploying it — making you responsible for the modified system as if you built it from scratch. Being a provider does not require selling to external customers.

Article 9 is the central technical obligation for providers of high-risk AI systems. It requires establishing, implementing, documenting, and maintaining a risk management system — not a static document, but an iterative process running throughout the entire AI system lifecycle. The risk management system must identify and analyse the known and foreseeable risks associated with the AI system, estimate and evaluate the risks that may emerge during intended use and reasonably foreseeable misuse, evaluate potential impacts, and adopt appropriate risk mitigation measures. This must be documented and the documentation must be kept up to date.

Annex IV of the EU AI Act specifies the required content of the technical documentation that providers must maintain for high-risk AI systems. This documentation must be drawn up before the AI system is placed on the market or put into service, and must be kept up to date for the entire period the system remains on the market — and for at least 10 years thereafter. The Annex IV technical file is the primary document that supervisory authorities will review in an audit. It must be comprehensive, accurate, and current. Incomplete or inaccurate technical documentation is itself a compliance violation, independent of whether the underlying system is compliant.

Before a high-risk AI system can be placed on the market or put into service, it must undergo a conformity assessment — a formal evaluation that the system meets all applicable EU AI Act requirements. For most high-risk AI systems, providers can conduct this assessment internally (self-declaration). For AI systems in specific domains — including biometric identification and AI in safety components of regulated products — third-party notified body assessment is required. The outcome of the conformity assessment is the EU Declaration of Conformity and the right to affix the CE marking to the AI system. The CE marking signals to deployers and market surveillance authorities that the system has been assessed and found compliant.

Article 72 requires providers of high-risk AI systems to proactively collect and review experience gained from deployers' use of their systems. The post-market monitoring plan must be part of your technical documentation and must be actively implemented — not just documented. This is where many providers underestimate their obligations. Post-market monitoring is not simply reading your support tickets. It requires a systematic process for collecting performance data, analysing it for indications of risk, and acting on findings — including updating your risk management system and technical documentation, or initiating corrective actions.