GovCompass
Knowledge base

Provider obligations for SMEs: what you need to know as an AI builder

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

An SME that develops an AI system and makes it available to others is a provider under the EU AI Act and carries a substantially heavier burden than a deployer: for high-risk AI this includes a risk management system (Art. 9), data governance (Art. 10), technical documentation (Annex IV), conformity assessment (Art. 43), CE marking (Art. 48), and EU database registration (Art. 49).

Updated: June 2026

Introduction: provider vs deployer

The EU AI Act creates two distinct primary roles: providers (those who develop and place AI systems on the market) and deployers (those who use AI systems in their operations). Most Dutch SMEs are primarily deployers, but an increasing number also develop AI systems, whether as their core product or as internal tools they share with third parties.

If your organisation develops an AI system and makes it available to others, even free of charge, even as part of a service contract, you are likely a provider under the EU AI Act and face a substantially heavier compliance burden than a deployer.

When are you a provider?

Art. 3.3 defines a provider as "a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge."

You are a provider if:

  • You build an AI system and offer it to customers (even a single customer)
  • You develop a custom AI tool for internal use and then commercialise it
  • You fine-tune or significantly modify an existing AI model and offer the result to others
  • You use a third-party model API to build an AI system that you deploy for others

You are NOT a provider (you remain a deployer) if you:

  • Use AI systems built and marketed by others, even with significant configuration
  • Use a GPAI API for internal purposes only, without making the resulting system available to others

Key provider obligations for high-risk AI

1. Risk management system (Art. 9)

Providers must establish a risk management system that identifies, analyses, and mitigates risks throughout the AI system's lifecycle. For SMEs: a simplified, proportionate risk management framework is permitted. A well-structured risk register covering the key risk dimensions is sufficient.

2. Data governance (Art. 10)

Training and validation data must meet quality standards: relevant, representative, free from errors, complete, appropriate. Data governance documentation must show how data quality was achieved and maintained.

3. Technical documentation (Annex IV)

Providers must compile technical documentation before market placement. For SMEs and micro-enterprises, simplified documentation is permitted. Core elements: system description, intended purpose, architecture overview, training methodology, performance metrics, and risk assessment.

4. Conformity assessment (Art. 43)

For most Annex III high-risk AI systems, providers may conduct a self-assessment (internal conformity assessment). The assessment must be documented and result in an EU declaration of conformity. Some categories (biometric systems, AI used in critical infrastructure) require third-party assessment by a notified body.

5. CE marking (Art. 48)

High-risk AI systems placed on the EU market must bear the CE marking, indicating conformity with EU requirements. The CE marking may only be affixed after successful conformity assessment.

6. EU database registration (Art. 49)

Register your AI system in the EU database before market placement.

7. Post-market monitoring plan (Art. 72)

Establish a plan for monitoring system performance after deployment and communicate performance issues to deployers.

Provider compliance timeline for SMEs

The deadline for Annex III high-risk AI systems (including many AI products sold to deployers) is 2 December 2027. For AI systems embedded in regulated products (Annex I), the deadline is 2 August 2028. Start compliance work now: Annex IV technical documentation for a complex system takes months to compile.

Compliance checklist

  1. Have you determined your role for each AI system (provider or deployer)?
  2. For AI systems where you are the provider: have you completed the Annex IV technical documentation?
  3. Have you conducted a conformity assessment?
  4. Have you drawn up the EU declaration of conformity?
  5. Have you registered the system in the EU database?
  6. Is the CE marking affixed to your AI system documentation?
  7. Is a post-market monitoring plan in place?

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

More on Safety & reliability

Art. 14 EU AI Act: designing high-risk AI for human oversight

Reference

Art. 14 requires providers to design and build high-risk AI systems so that they can be effectively overseen by humans during use. The system must let an overseer understand its capabilities and limits, watch for anomalies, resist automation bias, correctly interpret outputs, decide not to use the system, and intervene or stop it through a kill switch (Art. 14(4)(e)). It is the design obligation that makes the deployer oversight duty of Art. 26.2 possible.

Art. 26.4 EU AI Act: input data quality for deployers

Reference

Art. 26.4 requires deployers of high-risk AI to ensure that input data is relevant and sufficiently representative for the system's intended purpose. The deployer is responsible for data quality in operation, even though the provider sets the specifications under Art. 10.

Art. 26.5 EU AI Act: post-market monitoring for deployers

Reference

Art. 26.5 requires deployers of high-risk AI to monitor the system's operation against the provider's instructions and to report risks and serious incidents. Monitoring is the early-warning mechanism that connects to incident reporting under Art. 73.

Art. 5 EU AI Act: all 8 prohibited AI practices explained

Reference

Art. 5 lists the eight prohibited AI practices, including subliminal manipulation, exploitation of vulnerable groups, social scoring, and untargeted facial-recognition scraping. These prohibitions are absolute, apply to every organisation regardless of size, and have been in force since 2 February 2025.