Distributor under the EU AI Act: Definition, Duties, and the Article 25 Role-Shift
EU AI Act distributor definition (Article 3(7)), Article 24 verification duties, and when a distributor becomes a provider under Article 25.
A distributor is any person or company in the AI supply chain — other than the provider or importer — that makes an AI system available on the EU market. The category exists in Regulation (EU) 2024/1689 to ensure accountability at every step between manufacturer and end use: if you sell, resell, or otherwise make an AI product available without placing it on the market yourself and without importing it from outside the EU, you are almost certainly a distributor.
The role carries real verification duties under Article 24. Get them wrong, and the same penalty ceiling applies as for provider or deployer non-compliance: up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher (Article 99(4)).
The EU AI Act definition
Article 3, point 7 of Regulation (EU) 2024/1689 defines a distributor as:
"a natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market."
Three elements matter in this definition. First, the distributor is a supply-chain actor — placed downstream of the provider and, where one exists, the importer. Second, it is specifically not the provider (who placed the system on the market or put it into service under their own name) and not the importer (who brought the system into the EU from a third country). Third, the act in question is making the system available — offering it for distribution, consumption, or use on the EU market, whether for payment or free of charge.
A software reseller who bundles a third-party AI module into their catalogue fits the definition. A marketplace that lists AI tools developed elsewhere does too. The distributor need not touch the system technically; commercial availability is sufficient.
What a distributor must do
Article 24 sets out the distributor's obligations before making a high-risk AI system available. The obligations are verification-focused: your role is to check that others upstream have done their job, not to repeat the conformity assessment yourself.
Before making a high-risk AI system available, verify three things:
- The system bears the CE marking required under Article 48. If the CE marking is absent, the system has not completed the required conformity assessment under Article 43 and must not be made available.
- The system is accompanied by the EU Declaration of Conformity (Article 47) and by instructions for use. The declaration is the provider's formal attestation that the system meets the Act's requirements. Instructions for use are the provider's mandatory guidance to deployers on correct and safe operation. Both documents must travel with the system.
- The provider and, where applicable, the importer have fulfilled their obligations under Articles 16 and 23 respectively. You are not performing a full audit, but you must satisfy yourself — by reviewing the CE marking, the declaration, and the instructions — that the upstream chain has done what the law requires.
Do not make a non-conforming system available. If any of the three checks fails, or if you have reason to believe the system presents a risk, you must not distribute it (Article 24(2)).
Take corrective action if problems emerge post-distribution. If you have reason to believe that a system you are already distributing is not in conformity, Article 24(3) requires you to take the corrective measures necessary to bring it into conformity, withdraw it, or recall it. You must also immediately inform the relevant national competent authorities and the provider, giving details of the non-conformity and of any corrective action taken.
Preserve conformity during handling. Article 24(4) requires distributors to ensure that storage and transport conditions during their period of responsibility do not jeopardise compliance with the high-risk requirements. A system that meets the rules when it leaves the provider can lose conformity if storage conditions degrade it.
Provide identifying information on request. Competent authorities may ask distributors to identify themselves and to provide information about the systems they have made available. Article 24(5) requires cooperation.
These duties are proportionate by design. A distributor is not building the system, training it, or deploying it in a professional context. The law asks for verification and care in handling — not the full provider stack of risk management, technical documentation, and conformity assessment. That distinction holds right up to the point where you step into the provider's shoes under Article 25.
Distributor vs importer vs provider: the Article 25 role-shift
The supply-chain roles can blur. The EU AI Act anticipates this and sets a hard rule: certain acts by a distributor (or importer, or deployer) trigger a reclassification as a provider under Article 25, with all the obligations that come with that.
Distributor vs importer (Articles 23 and 24)
The importer and distributor obligations are closely parallel, but the positions in the chain differ. An importer (Article 23) brings an AI system into the EU from a third country under their own name or trademark, or places a third-country provider's system on the EU market. A distributor (Article 24) is everyone else in the commercial chain who makes the system available — a domestic reseller, a catalogue aggregator, a value-added retailer. If a company outside the EU develops an AI system and your firm brings it into the EU market, you are the importer. If that importer then sells through a retail network, the retailers in that network are distributors.
The practical difference: importers bear somewhat heavier responsibilities because they are the first in-EU party for a system whose provider sits outside the EU. They must verify conformity documentation, ensure the provider has an authorised representative in the EU (or act as one themselves), and affix their own contact details to the system. Distributors verify conformity but do not carry the authorised-representative obligation.
When a distributor becomes a provider (Article 25)
A distributor crosses into provider status — and takes on the full Article 16 obligation stack — in three situations under Article 25:
- Rebranding. The distributor puts its own name or trademark on a high-risk AI system. Labelling an AI tool as your own product makes you the provider of that product, regardless of who built it.
- Substantial modification. The distributor makes a substantial modification to a high-risk AI system. "Substantial modification" is defined in Article 3(23): a change that affects the system's compliance with the high-risk requirements, or a change to the intended purpose not anticipated by the original conformity assessment. Retaining a system's software but altering its decision logic, adding a new use case not covered by the original technical documentation, or retraining the model on new data in a way that materially changes its outputs — these are the kinds of changes that trigger the reclassification.
- Modifying intended purpose. Where the modification alters the system's intended purpose such that it now qualifies as high-risk under Article 6 and Annex III (when it previously did not), or changes its risk classification, the distributor becomes the provider.
The consequences are significant. Provider obligations under Article 16 include: establishing a quality management system (Article 17); drawing up full technical documentation per Annex IV (Article 11); ensuring data governance requirements are met (Article 10); implementing a risk management system (Article 9); ensuring human oversight (Article 14); completing the conformity assessment (Article 43); registering the system in the EU database (Article 49); affixing the CE marking (Article 48); and signing the EU Declaration of Conformity (Article 47). A reseller who adds their logo to a high-risk AI tool without realising the Article 25 implication faces the entire provider stack from that point forward.
Examples
Reseller of a high-risk HR screening tool. A German HR software company sources a CV-screening AI system from a US provider (whose EU-based authorised representative has handled the formal conformity steps). The German firm resells the tool under the US provider's name through its own sales channel. Before making it available to German customers, it checks that the CE marking is present, that the EU Declaration of Conformity is included in the package, and that instructions for use accompany the system. That is its Article 24 obligation satisfied. It does not rebrand the tool and makes no functional changes — so it remains a distributor throughout.
Marketplace listing a high-risk AI product. An EU-based B2B software marketplace lists dozens of AI tools, including a recruitment screening system. The marketplace does not import the tools (they are sourced from EU providers) and does not develop them. Before listing the high-risk tool, the marketplace verifies the CE marking and documentation. When a customer later reports that the system's CE marking was affixed without a completed conformity assessment, the marketplace removes the listing and notifies the relevant national authority — correctly executing its Article 24(3) corrective-action duty.
Distributor who rebrands: a role-shift scenario. A French IT services company licenses a high-risk credit-scoring AI from an Estonian provider, wraps it in a custom front-end, and resells it under its own brand name to French banks. The moment it affixes its own brand, it becomes the provider under Article 25. It must now complete the full Article 16 stack — including a new conformity assessment under Article 43 and registration under Article 49 — before those bank customers can lawfully deploy the system.
Frequently Asked Questions
Q: Does a distributor need to run its own conformity assessment before selling a high-risk AI system?
No. The conformity assessment under Article 43 is the provider's obligation. A distributor's duty under Article 24 is to verify that the CE marking is present and that the required documentation — the EU Declaration of Conformity and instructions for use — accompanies the system. If those checks pass, the distributor may proceed. Running its own conformity assessment would duplicate work the provider is already legally required to do and is not mandated by the Act.
Q: What should a distributor do if it discovers a high-risk AI system it has already sold is non-compliant?
Under Article 24(3), the distributor must take corrective measures immediately — which may mean withdrawing or recalling the system. It must inform the competent national authority of the member state where the non-conformity was found, and notify the provider (and importer, if one is involved), giving details of the problem and the corrective action taken. Acting quickly reduces both legal exposure and the risk of the system continuing to operate in breach of the Act's requirements.
Q: At what penalty level does a distributor breach fall?
Non-compliance with Article 24 obligations is captured by Article 99(4): up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. For companies qualifying as SMEs or start-ups, Article 99(6) caps the fine at the lower of the fixed amount or the percentage — a genuine proportionality protection, though not a reason to treat verification duties lightly.
Q: How does a distributor avoid becoming a provider under Article 25?
Three actions trigger the reclassification: affixing your own name or trademark to the system, making a substantial modification (as defined in Article 3(23)), and changing the system's intended purpose in a way that alters its high-risk classification. Avoid all three and you remain a distributor. If any commercial decision — adding a logo, adjusting an algorithm, expanding the use case — starts to approach these lines, take legal advice before proceeding. The practical bright line: if the system you sell is functionally and legally the same system the provider declared conformity on, and it carries their name, you are distributing, not providing.
Q: Do distributor obligations apply to low-risk or minimal-risk AI systems?
The Article 24 verification duties are framed around high-risk AI systems. A distributor handling minimal-risk or limited-risk AI (those falling under Article 50's transparency rules rather than the full high-risk stack) does not face the same pre-distribution verification checklist — there is no CE marking or EU Declaration of Conformity to check for those systems. The general Article 25 role-shift logic still applies, however: rebranding or substantially modifying any AI system, regardless of risk tier, can shift your position in the supply chain.
Q: The high-risk deadline has been extended — does that change distributor obligations?
The Digital Omnibus, agreed in May 2026, defers the application of high-risk obligations: 2 December 2027 for stand-alone high-risk systems (Annex III) and 2 August 2028 for AI embedded in regulated products (Annex I). This changes when the Article 24 duties become enforceable for high-risk systems, not what those duties are. Distributors who are already active in high-risk AI supply chains have additional time to build verification processes, but the framework they are building toward is unchanged. Note that the prohibitions under Article 5 are already in force (since 2 February 2025) — no extension applies to those.
How Confir helps
Confir's rule-based compliance engine derives your role — provider, deployer, importer, or distributor — from a plain-English intake questionnaire about your position in the supply chain. If the assessment places you as a distributor, Confir maps your Article 24 obligations and flags the Article 25 triggers that could reclassify you as a provider. The same assessment can be run for each AI system you distribute, producing an auditable record of the verification steps taken before distribution. Pricing starts at €600/year. More at confir.eu.
Related terms
- Importer obligations under the EU AI Act
- Importer (EU AI Act glossary)
- Article 23: Obligations of importers
- Provider (EU AI Act glossary)
- Substantial modification (EU AI Act glossary)
- Operator / Deployer (EU AI Act glossary)