Provider Obligations for SMEs: What You Need to Know as an AI Builder
Updated: June 2026 — full revision to Validai quality standard
Introduction: Provider vs Deployer
The EU AI Act creates two distinct primary roles: providers (those who develop and place AI systems on the market) and deployers (those who use AI systems in their operations). Most Dutch SMEs are primarily deployers — but an increasing number also develop AI systems, whether as their core product or as internal tools they share with third parties.
If your organisation develops an AI system and makes it available to others — even free of charge, even as part of a service contract — you are likely a provider under the EU AI Act and face a substantially heavier compliance burden than a deployer.
When Are You a Provider?
Art. 3.3 defines a provider as "a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge."
You are a provider if:
- You build an AI system and offer it to customers (even a single customer)
- You develop a custom AI tool for internal use and then commercialise it
- You fine-tune or significantly modify an existing AI model and offer the result to others
- You use a third-party model API to build an AI system that you deploy for others
You are NOT a provider (you remain a deployer) if you:
- Use AI systems built and marketed by others, even with significant configuration
- Use a GPAI API for internal purposes only, without making the resulting system available to others
Key Provider Obligations for High-Risk AI
1. Risk Management System (Art. 9)
Providers must establish a risk management system that identifies, analyses, and mitigates risks throughout the AI system's lifecycle. For SMEs: a simplified, proportionate risk management framework is permitted. A well-structured risk register covering the key risk dimensions is sufficient.
2. Data Governance (Art. 10)
Training and validation data must meet quality standards: relevant, representative, free from errors, complete, appropriate. Data governance documentation must show how data quality was achieved and maintained.
3. Technical Documentation (Annex IV)
Providers must compile technical documentation before market placement. For SMEs and micro-enterprises, simplified documentation is permitted. Core elements: system description, intended purpose, architecture overview, training methodology, performance metrics, and risk assessment.
4. Conformity Assessment (Art. 43)
For most Annex III high-risk AI systems, providers may conduct a self-assessment (internal conformity assessment). The assessment must be documented and result in an EU declaration of conformity. Some categories (biometric systems, AI used in critical infrastructure) require third-party assessment by a notified body.
5. CE Marking (Art. 48)
High-risk AI systems placed on the EU market must bear the CE marking — indicating conformity with EU requirements. The CE marking may only be affixed after successful conformity assessment.
6. EU Database Registration (Art. 49)
Register your AI system in the EU database before market placement.
7. Post-Market Monitoring Plan (Art. 72)
Establish a plan for monitoring system performance after deployment and communicate performance issues to deployers.
Provider Compliance Timeline for SMEs
The deadline for Annex III high-risk AI systems (including many AI products sold to deployers) is 2 December 2027. For AI systems embedded in regulated products (Annex I), the deadline is 2 August 2028. Start compliance work now — Annex IV technical documentation for a complex system takes months to compile.
Compliance Checklist
- Have you determined your role for each AI system (provider or deployer)?
- For AI systems where you are the provider: have you completed the Annex IV technical documentation?
- Have you conducted a conformity assessment?
- Have you drawn up the EU declaration of conformity?
- Have you registered the system in the EU database?
- Is the CE marking affixed to your AI system documentation?
- Is a post-market monitoring plan in place?