EU AI Act Article 25: deployer obligations and value chain liability
EU AI Act Article 25: deployer obligations and value chain liability
Most discussions of EU AI Act compliance focus on the companies that build AI systems. Article 25 is critical for a different but equally important group: the businesses that deploy AI systems built by others, and particularly those that modify, rebrand, or integrate third-party AI into their own products. For EU startups that build on top of foundation models, use AI APIs to power core product features, or white-label AI capabilities to their own customers, Article 25 defines exactly when a deployer becomes legally responsible as a provider and what obligations that triggers.
What the EU AI Act requires
Article 25(1) establishes that a deployer takes on the obligations of a provider in four specific scenarios: where the deployer places a high-risk AI system on the market or puts it into service under their own name or trademark; where the deployer makes a substantial modification to the system; where the deployer changes the intended purpose of the system in a way that moves it into a high-risk category; or where the deployer integrates a non-high-risk general-purpose AI model into a system and operates it in a way that makes the combined system high-risk. Article 25(2) allows providers and deployers to allocate compliance obligations between them by written agreement, but this allocation does not affect the liability of either party toward the authorities. Article 25(3) requires deployers who cannot identify the provider of a high-risk AI system to take on provider obligations themselves.
What this means for your business
If your startup uses an AI API from a foundation model provider and fine-tunes it on your own data for a credit, employment, or healthcare use case, you are very likely triggering Article 25(1)(b) or (c) and becoming a provider for compliance purposes. You cannot rely on your API provider's conformity declaration to cover your adapted system. This is one of the most common misconceptions among B2B AI startups in Europe. Similarly, if you build a product on top of a GPAI model (covered by Article 53) and that product is deployed in an Annex III use case, you inherit the full high-risk provider obligations under Articles 9 through 17. The compliance deadline for Annex III high-risk systems is December 2, 2027.
Steps to get compliant
1. Audit every third-party AI component in your product stack, identifying the provider, the scope of their conformity assessment, and whether any modification, fine-tuning, or rebranding you apply could trigger Article 25 provider obligations.
2. For each third-party AI component where provider obligations may apply to you, initiate a written agreement with the upstream provider clarifying the allocation of compliance responsibilities under Article 25(2).
3. Where your own organisation carries provider obligations for a system built on a third-party base, ensure your Article 11 technical documentation covers your specific modifications and their risk implications rather than relying solely on the base provider's documentation.
4. Brief your sales and partnership teams on the Article 25 implications so that customer contracts accurately reflect the compliance obligations both parties carry when your product is deployed.
Free EU AI Act risk assessment
Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.