EU AI Act Roles & Responsibilities Cheat Sheet

Who does what under the EU AI Act? Quick reference for Provider, Importer, Distributor, and Deployer obligations for high-risk AI systems.

| Area | Provider | Importer | Distributor | Deployer |
|---|---|---|---|---|
| Builds AI | Yes | No | No | No / sometimes |
| Brings to EU market | No | Yes | No | No |
| Makes available in EU (supply chain) | No | No | Yes | No |
| Uses AI | Sometimes | No | No | Yes |
| Risk management (Art. 9) | Yes | No | No | No |
| Documentation creation (Art. 11) | Yes | Verify only | Verify only | No |
| CE marking (Art. 48) | Yes (create) | Yes (verify) | Yes (verify) | No |
| Logging capability (Art. 12) | Yes (must build) | No | No | Monitor & retain |
| Log retention (6 months) (Art. 19 & Art. 26) | Yes | No | No | Yes |
| Compliance responsibility | 🔴 Full: Full responsibility for compliance with the EU AI Act. | 🟠 Gatekeeper: Ensures only compliant AI systems enter the EU market. | 🟠 Gatekeeper+: Verifies compliance before making AI systems available in the EU. | 🟡 Usage-level: Responsible for compliant and safe use of AI systems in their organization. |

Role in the Supply Chain

PROVIDER Creates
IMPORTER Brings into EU
DISTRIBUTOR Passes it along
DEPLOYER Uses it

Key Takeaways

Provider builds and is fully responsible. Must enable logging and retain logs for 6+ months (Art. 19).
Importer brings the AI system into the EU and verifies compliance. Must be established in the EU (Art. 3(6)).
Distributor makes the system available in the EU and verifies compliance before passing it along.
Deployer uses the system, ensures compliant use, monitors operation, and retains logs for 6+ months (Art. 26).

Legend: Yes / Responsible; Verify / Check; No / Not applicable; Corrected from original