Who does the EU AI Act apply to?
- The Act regulates providers, deployers, importers and distributors, collectively "operators".
- Providers carry the heaviest obligations; deployers, importers and distributors have lighter but real duties.
- It has extraterritorial reach: non-EU companies are in scope if their AI is placed on the EU market or its output is used in the EU.
- Your obligations depend on your role plus the risk tier of each system.
- Current as of June 2026. This is general information, not legal advice.
The roles the Act regulates
The Act assigns obligations based on the role you play:
- Provider: An organisation that develops an AI system (or has one developed) and places it on the market or puts it into service under its own name. Providers carry the heaviest obligations, especially for high-risk systems.
- Deployer: An organisation that uses an AI system in the course of its activities. A bank using an AI tool to screen loan applications is a deployer. Deployers have obligations around human oversight, using systems as instructed, and monitoring.
- Importer: An organisation established in the EU that places an AI system from a non-EU provider on the EU market. Importers must verify the provider has met its obligations.
- Distributor: An organisation in the supply chain, other than the provider or importer, that makes an AI system available on the EU market.
One organisation can hold more than one role, and roles can shift. Notably, a deployer can become a provider in the eyes of the Act if it substantially modifies a high-risk system or puts its own name on it.
Extraterritorial reach
Like the GDPR, the EU AI Act applies beyond the EU's borders. Under Article 2, it applies to providers placing AI systems on the EU market or putting them into service in the EU regardless of where the provider is established, and to providers and deployers outside the EU where the output of the system is used in the EU. In practice this means a startup in the United States or the United Kingdom that sells an AI product to European customers is within scope.
Who is largely out of scope
Some uses fall outside the Act, including AI systems used purely for personal, non-professional activity, and (with conditions) AI developed and used solely for scientific research and development. National security and certain military uses are also treated separately. These carve-outs are narrow, so most commercial AI activity touching the EU is covered.
Why your role matters
Your obligations depend entirely on your role and the risk tier of your system. A provider of a high-risk system has to build a full compliance programme; a deployer of the same system has a lighter but real set of duties. Working out your role for each AI system you build or use is the practical starting point for any EU AI Act assessment.
Key terms
- Operator
- The Act's umbrella term for providers, deployers, importers, distributors, and authorised representatives.
- Provider
- The entity that develops or has an AI system developed and places it on the EU market under its own name.
- Deployer
- The entity using an AI system under its own authority in the course of its activities.
- Importer
- An EU-established entity that places an AI system from a non-EU provider on the EU market.
- Distributor
- An entity in the supply chain, other than the provider or importer, that makes an AI system available in the EU.
- Extraterritorial reach
- Application of the law beyond the EU's borders where the AI or its output is used in the Union.