AI Regulatory Intelligence โ€” by YRproject

factual analysis · traceable to primary sources

Compliance platform Work with us LinkedIn NLยทENยทDE
Analysis

Provider or deployer in HR AI: who is what?

Adopted 2026-06-22 ยท ≈ 3 min read ยท Dirk Baaijen

In HR AI the builder of the ATS or HR tech is usually the provider and the employer the deployer. But an employer can become a provider itself through own branding or substantial modification (Art. 25). The role determines which duties apply.

Short answer: In HR AI the party that builds the system and places it on the market โ€” the ATS or HR-tech vendor โ€” is usually the provider. The employer that deploys the system is the deployer. But these roles are not fixed: if you deploy a system under your own brand, or modify it substantially, you become a provider yourself under Article 25 โ€” with all the heavier duties that entails.

Two roles, two sets of duties

The AI Act distributes responsibility across the value chain. The provider develops an AI system, or has it developed, and places it on the market under its own name or brand. The deployer uses an AI system under its own authority for professional purposes. For high-risk, the provider carries the heaviest set โ€” conformity assessment, technical documentation, CE marking, risk management โ€” while the deployer is responsible for correct use in line with the instructions. The high-risk obligations overview sets both sets side by side.

The default split in HR

Take an ATS with AI ranking. The software vendor that builds and sells the system is the provider. The employer that ranks applicants with it is the deployer. The same goes for an assessment platform or a scheduling tool: the builder supplies, the employer uses. For the employer this mainly means: arrange human oversight, inform workers, retain logging and use the system according to the instructions. Exactly what an employer must do in recruitment is set out in AI in recruitment and HR.

The temp agency: a third player

In agency work an extra party enters. If the temp agency itself deploys an AI tool to match or screen candidates, the agency is the deployer for that use. If the agency only supplies people whom the hirer then assesses with its own HR AI, that role sits with the hirer. The rule of thumb: whoever actually operates the system under its own authority is the deployer. Where deployment is shared, both parties may each be responsible for their part โ€” set that out contractually.

When an employer becomes a provider itself

Article 25 shifts the role. You become a provider of a high-risk HR AI system if you: (1) put your own name or brand on it, (2) modify the system substantially so that it performs differently or is used for a different purpose, or (3) change the intended purpose of a non-high-risk system such that it does become high-risk. An employer that fine-tunes an ATS on its own data until it selects materially differently, or relabels a generic tool for selection, can end up in the provider role.

Why determining the role matters

The role determines your entire set of duties and your liability. If you unintentionally become a provider, the heavy requirements suddenly apply โ€” conformity assessment, documentation, registration in the EU database โ€” for which you were not set up. So this is no formality: determine before deployment which role you hold, and reassess it on every modification or own branding. And don't forget transparency towards staff; see informing workers about AI (Art. 26).

Know your role and you know your duties โ€” confuse the two, and you face the regulator with the wrong obligations.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Art. 3 (definitions of provider and deployer), Art. 16 (provider duties).
  2. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    AI Act Art. 25: when a deployer becomes a provider itself; Art. 26: deployer duties.

Share on LinkedIn

Read next

A

AI matching in temporary agency work and secondment: who is responsible for what?

Matching AI in agency work and secondment is high-risk (recruitment). The tool vendor is usually provider, the agency deployer; the hirer can become co-responsible. The GDPR demands a clear allocation of roles.

W

Registering high-risk systems in the EU database (Article 49)

Article 49 of the AI Act requires providers and certain deployers to register high-risk systems in a public EU database before deployment. The registration makes visible which systems are on the market and is a condition for lawful use.

U

When do I, as a user, become the provider of an AI system (Art. 25)?

You become the provider once you put your name or brand on a high-risk system, make a substantial modification, or change its intended purpose so it becomes high-risk. The heavier provider obligations then apply.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.