Does the EU AI Act Apply to Me? Scope, Roles & Exclusions Explained

The EU AI Act's reach is deliberately broad. Regulation (EU) 2024/1689 does not ask where your company is registered — it asks whether your AI system is placed on the EU market or used within the EU. If the answer is yes, you are in scope. The question is which obligations attach to you, and that depends on your role.

This page focuses on the practical decision: are you covered? For the full Article 2 text and its legislative history, see our Article 2 legal reference. For the extraterritorial mechanics in detail, see EU AI Act extraterritorial scope.

---

Who Is In Scope Under Article 2?

Article 2(1) of Regulation (EU) 2024/1689 lists six categories of actor subject to the Act:

1. Providers placing AI systems or general-purpose AI (GPAI) models on the EU market or putting them into service — wherever they are established.
2. Deployers of AI systems who are established or located within the EU.
3. Providers and deployers in third countries whose AI system output is used in the EU — even if both company and system sit outside the Union.
4. Importers and distributors of AI systems.
5. Product manufacturers placing AI systems as safety components on the EU market.
6. Authorised representatives of providers established outside the EU.

The scope is activity-based, not location-based. A US software firm selling a recruitment-screening tool to a German employer is a provider under the Act. The German employer using that tool is a deployer. Both have obligations; they differ in weight.

Affected persons in the EU — individuals whose lives are affected by an AI system's output — also have rights under the Act (information, redress), though they carry no compliance duties.

---

Quick Decision Flow: Are You In Scope?

Work through these questions in order. Stop at the first "out of scope" exit that applies.

1. Does your organisation develop, supply, import, distribute, or use an AI system?

• No → out of scope entirely.
• Yes → continue.

2. Is that AI system placed on the EU market or used within the EU — or does its output reach the EU?

• No (system and output are used only outside the EU) → out of scope.
• Yes → continue.

3. Does one of the Article 2 exclusions apply to your specific use?

• Military/national security/defence use exclusively → excluded (Art 2(3)).
• AI used by public authorities of third countries or international organisations for law enforcement/judicial cooperation with the EU under international agreements → excluded (Art 2(4)).
• Pure scientific R&D, not yet placed on the market → excluded (Art 2(6)).
• Personal non-professional use only → excluded (Art 2(6)).
• Free and open-source model — but not a GPAI model with systemic risk, not a prohibited-practice system, not a high-risk system, not subject to Article 50 transparency duties → excluded (Art 2(12)).
• None of the above → in scope.

4. What is your role?

• You developed the system and place it on the market under your name → Provider (Art 16 obligations apply).
• You use a third-party AI system in a professional context → Deployer (Art 26 obligations apply).
• You bring a non-EU system into the EU market → Importer (Art 23 obligations apply).
• You make an already-placed system available without modification → Distributor (Art 24 obligations apply).
• A single company often holds more than one role simultaneously; obligations stack.

---

The Six Actor Categories in Practice

Provider (Article 16)

A provider is any entity — company, public body, or individual — that develops an AI system and places it on the market or puts it into service under its own name or trademark. Payment is irrelevant: a free-of-charge open-source release that falls outside the Article 2(12) exemption triggers provider obligations.

The provider carries the heaviest obligation set: risk management (Article 9), technical documentation (Article 11 / Annex IV), record-keeping (Article 12), transparency to deployers (Article 13), human oversight by design (Article 14), accuracy and robustness (Article 15), a quality management system (Article 17), and, for high-risk systems, a conformity assessment (Article 43) before market entry.

Most SaaS companies shipping AI features to customers are providers.

Deployer (Article 26)

A deployer is any entity using an AI system under its authority in a professional capacity. Personal non-professional use is excluded. Article 26 sets the deployer's obligations: use the system per the provider's instructions; ensure human oversight; monitor performance in operation; retain logs for at least six months; notify workers before use in the workplace; and — where the Art 27 threshold is met — carry out a Fundamental Rights Impact Assessment (FRIA).

The Art 27 FRIA threshold applies to public bodies deploying high-risk systems and to private deployers of creditworthiness-scoring (Annex III, point 5(b)) or life/health-insurance risk systems (Annex III, point 5(c)). Most private-sector employers deploying HR tools do not automatically owe a FRIA.

In practice, most companies that use third-party AI tools are deployers. The deployer obligations are lighter than most founders assume — but Article 26 is not optional.

Importer (Article 23)

An importer is an EU-established entity that places a system developed outside the EU on the EU market. Importers take on verification duties that largely mirror those of a provider: confirm the provider has completed the conformity assessment, check that CE marking and documentation are in order, and ensure the system will not damage users.

Distributor (Article 24)

A distributor makes an already-placed AI system available in the supply chain without modifying it. Obligations are lighter — primarily checking that the system carries the required CE mark and Annex V declaration of conformity before onward supply.

Role Shifts Under Article 25

A deployer, importer, or distributor becomes a provider — and inherits the full provider obligation set — if it: places the system on the market under its own name or trademark; substantially modifies a high-risk system; or changes the intended purpose of a high-risk system in a way that triggers fresh classification. Substantial modification is defined in Article 3(23).

---

Exclusions Worth Knowing

Military, national security, and defence

AI systems used exclusively for military, national security, or defence purposes are outside the Regulation (Article 2(3)). "Exclusively" is strict: a product sold to a defence ministry but also marketed commercially cannot claim the exemption for its civilian deployments.

Scientific R&D and pre-market testing

AI systems developed and used purely for scientific research are exempt, provided they are not placed on the market or put into service. Pre-market research and testing phases are also excluded — with the specific exception of real-world testing under Article 57 (the regulatory sandboxes). Once a system is commercialised, the exemption ends.

Personal non-professional use

An individual using an AI tool for private, non-professional purposes is not a deployer. A sole trader using a chatbot to write client emails is a deployer. The line is professional context.

Free and open-source AI models

Article 2(12) excludes free and open-source AI systems from most provisions — but not all. The exclusion falls away if the system:

• Is a GPAI model that poses systemic risk (then Chapter V / Articles 51–55 apply);
• Is a high-risk AI system placed on the market or put into service (then the high-risk stack applies);
• Falls under a prohibited practice (Article 5); or
• Is subject to limited-risk transparency duties (Article 50 — e.g. a chatbot, or a deepfake generator).

An open-source image classifier released for research use is likely exempt. An open-source large language model released for commercial integration is not.

---

What "Output Used in the EU" Means

The extraterritorial hook in Article 2(1)(c) is the most frequently missed scope trigger. A company established in Singapore, running its system on servers in Singapore, can still be in scope if the output of that system is used in the EU — for example, by an EU employer relying on the system's hiring recommendation, or by an EU consumer receiving a credit decision.

This is not theoretical. It is the mechanism by which the EU AI Act functions as a market-access condition for non-EU technology companies. For a deeper treatment of the territorial mechanics, see EU AI Act extraterritorial scope and the full Article 2 reference.

---

How Confir Helps

Confir's intake questionnaire translates Article 2 into plain-English scenarios. You answer questions about what your system does, who uses it, and where — and Confir's rule-based classification engine derives your role (Provider / Deployer / Importer / Distributor), flags any Art 25 role-shift conditions, and maps the obligation set that follows. No GRC vocabulary required, no consultant call needed.

For companies with multiple systems or multiple roles, Confir maintains a central AI register so each system is classified independently and the right controls are tracked per system, per role.

---

Frequently Asked Questions

Does the EU AI Act apply if our company is outside the EU?

Yes, if your AI system is placed on the EU market or its output is used in the EU. Article 2(1) is activity-based, not establishment-based. A New York company whose recruitment AI is used by a Dutch employer is a provider under the Act and must comply with Articles 9–17, the conformity assessment under Article 43, and the other provider obligations.

We only sell to businesses, not consumers. Are we still in scope?

Yes. Article 2(1) makes no distinction between B2B and B2C. If you place an AI system on the EU market or it is used within the EU, scope applies regardless of whether the immediate customer is a business or an individual consumer.

Our product is open-source and free. Are we exempt?

Possibly, but not automatically. Article 2(12) exempts free and open-source AI from most provisions — but the exemption does not cover systems that are high-risk, prohibited under Article 5, subject to Article 50 transparency duties, or GPAI models with systemic risk. Check each condition against your system before relying on the exemption.

What is the difference between a provider and a deployer?

A provider develops an AI system and places it on the market under its own name — it owns the system's compliance. A deployer uses a system it did not develop, in a professional context, under its own authority. The deployer's obligations under Article 26 are narrower: follow the provider's instructions, maintain oversight, keep logs for at least six months, and run a FRIA where Article 27 requires it.

What happens if we modify a system we bought from another vendor?

Under Article 25, if you substantially modify a high-risk AI system — meaning the change triggers fresh classification under Article 6 — or if you put the system on the market under your own name, you become the provider for the modified system. The full provider obligation set (Articles 9–17, Article 43, Article 49 registration) then applies to you.

When do scope obligations actually kick in for high-risk systems?

Article 5 (prohibited practices) has been in force since 2 February 2025. GPAI obligations under Chapter V apply from 2 August 2025. For high-risk AI systems: stand-alone Annex III systems must comply from 2 December 2027; high-risk AI embedded as safety components in Annex I regulated products (machinery, medical devices, etc.) from 2 August 2028 — both dates per the Digital Omnibus political agreement of May 2026, which deferred the original 2 August 2026 deadline. Article 50 limited-risk transparency duties apply from 2 August 2026.

---

Related guides

• Article 2 — EU AI Act scope (legal reference)
• EU AI Act extraterritorial scope
• Article 3 definitions
• EU AI Act overview
• AI risk classification — the four tiers
• SaaS provider obligations