EU AI Act Provider vs Deployer: Which One Are You?
Last updated: 25 June 2026
Guidance only, not legal advice. Based on EU AI Act Regulation (EU) 2024/1689 and the Commission's draft Article 50 guidelines (May 2026).
The single most common question from small business owners reading about Article 50 is some version of this: "My chatbot is from Tidio / Intercom / Gorgias / Drift. They say they're compliant. Does that mean I'm covered?"
The answer is almost always no — and the reason comes down to one distinction the EU AI Act makes from the very first page: the difference between a provider and a deployer.
This article explains exactly what that difference means for a small business running a chatbot, why your vendor's compliance label doesn't automatically protect you, and what you actually need to do.
The two roles Article 50 creates
EU AI Act Article 3 defines two distinct roles in the AI supply chain. Both have obligations under Article 50, but different ones.
| Role | Who they are | Article 50 obligation |
|---|---|---|
| Provider (Aanbieder / Anbieter / Fournisseur) | The company that builds the AI system and places it on the market. Tidio, Intercom, Gorgias, Drift, ChatGPT — these are providers. | Must design and build the system so that disclosure is technically possible — e.g., first-message disclosure can be configured, or badge elements can be embedded. |
| Deployer (Gebruiksverantwoordelijke / Betreiber / Déployeur) | The business that uses the AI system on its own website, under its own authority, to interact with its own customers. This is you. The shop owner. The SaaS founder. The agency running a client's chatbot. | Must ensure that a clear, distinguishable disclosure is actually shown to your users at first interaction — and maintain proof that it fired. |
Why your vendor's compliance doesn't cover you
This is the part that surprises most people. Your chatbot vendor (the provider) may have done everything right on their side. They may have built a system that technically can show a disclosure. They may even show a generic "Powered by AI" label somewhere in their interface.
But Article 50 places a specific obligation on you as the deployer to ensure the disclosure is:
- Clear and distinguishable — not buried or styled to be invisible
- Shown at the latest at the very first interaction — not after the first message, not on a settings page, not in your privacy policy
- Actually firing on your specific site — not just configured in your vendor's dashboard
- Documented — you must be able to produce evidence that it fired, when it fired, and what it said
A generic "Powered by AI" badge from your vendor doesn't give you a timestamped record of every time that disclosure appeared to one of your visitors. Your vendor's compliance documentation doesn't prove your site was compliant on a specific date. That evidence gap is entirely your problem.
The three-way split: provider, deployer, or out of scope?
The EU Commission's draft guidelines on Article 50 recognise a third category: businesses that are genuinely out of scope. Here's how to identify which bucket you're in.
You are a Provider if:
- You built the AI chatbot or assistant yourself (even if it wraps OpenAI or another model)
- You white-label an AI product and sell it under your own brand to other businesses
- You substantially modify a third-party AI system and place it on the market under your name
Provider obligations go beyond disclosure — they include technical documentation and ensuring the system can be configured for compliance by deployers. Most small businesses are not providers.
You are a Deployer if:
- You've added a third-party chatbot (Tidio, Intercom, Gorgias, Re:amaze, Drift, HubSpot chat, Zendesk, etc.) to your website
- You're using an AI assistant tool (Zapier AI, Make AI, custom GPT widget) on your site
- You're running any AI system that your customers or visitors interact with — even if you didn't build it
This covers the vast majority of Shopify stores, WordPress sites, SaaS products, and agency-built sites. Your Article 50 obligation as a deployer: show a clear AI disclosure at first interaction, and keep proof that it fired.
You may be Out of Scope if:
- You use AI only internally — for your own staff, with no public-facing AI interaction
- You have no EU customers or users (rare for most online businesses)
- Your AI tools are purely back-office (email drafting, internal analytics) with no customer-facing output
Even here, be careful. The "obvious from context" exception in Article 50(1) has a high bar — and purely internal AI use can still be caught if it produces customer-facing output. If you're unsure, the free Article 50 Validator takes two minutes.
The "obvious from context" trap
Article 50(1) includes one exception: disclosure is not required "where it is obvious from the circumstances and context of use" that the user is interacting with AI. Many business owners read this and assume their chatbot qualifies. Almost none do.
The EU Commission's draft guidelines adopt an "average consumer" standard. Concrete examples from the guidelines:
- May qualify: AI coding assistance tools available only to professional developers; AI-enabled NPCs in video games
- Does not qualify: Customer service chatbots on websites; e-commerce support bots; AI assistants on helpdesks
If your chatbot uses natural language and could plausibly be mistaken for a human — even momentarily — the exception does not apply. Disclose.
What deployers actually need to do before 2 August 2026
As a deployer, your checklist is straightforward:
- Add a clear AI disclosure text — at the very start of your chatbot's first message, or in a persistent label visible before the user types anything. "You're chatting with an AI assistant" is sufficient. It must be in clear language, not buried.
- Ensure it fires at first interaction — not after the user sends a message, not on page load if the chat is closed. The disclosure must appear before or at the start of the conversation.
- Keep a record that it fired — this is the evidence gap most businesses miss. Your vendor's settings are not a timestamped log of disclosures shown to your visitors. You need your own record: when the badge appeared, how many times, on which pages.
- Be able to produce that record on request — if a national authority opens a review, you need to export a timestamped compliance report showing the disclosure was in place and firing, not just a screenshot of your settings.
What happens if you're also a provider?
If you've built your own chatbot (wrapping OpenAI or another model) and you're using it on your own site, you may carry both sets of obligations. As a provider, you must design the system to be disclosure-capable. As a deployer, you must actually disclose to your users.
If you've built an AI tool and sell it or white-label it to other businesses, those businesses become deployers under Article 50 — but you as the provider remain responsible for ensuring the technical disclosure mechanism exists and works.
The deadline and what's at stake
Article 50 obligations become enforceable on 2 August 2026. This was not affected by the EU Omnibus agreement of May 2026, which postponed high-risk AI obligations only.
Non-compliance with Article 50 falls in the second penalty tier under Article 99: fines up to €15 million or 3% of global annual turnover, whichever is higher. Enforcement authorities are expected to calibrate fines based on company size and cooperation — but the obligation is the same for a one-person Shopify store as for a multinational. What varies is the fine amount, not the requirement.
Documented good-faith compliance — including a timestamped evidence log — is an explicit mitigating factor under Article 99(7)(f). Having the record matters even if the disclosure wasn't perfect.