TLDR: The EU AI Act establishes a comprehensive regulatory framework for AI systems, defining six key ‘operator’ roles: providers, deployers, authorized representatives, importers, distributors, and product manufacturers. This paper by Nicola Fabiano maps out the specific obligations for each role, from development and market placement to operational use and post-market monitoring. It highlights dynamic role transformations, mandatory information flows, and enforcement mechanisms, emphasizing how accountability follows control across the AI value chain. The analysis provides essential guidance for stakeholders implementing the Act’s requirements, despite some ambiguities introduced by the broad ‘operator’ concept.
The European Union has taken a monumental step in regulating artificial intelligence with the adoption of its AI Act (Regulation (EU) 2024/1689). This landmark legislation, the first of its kind globally, establishes a comprehensive framework for AI systems by defining a sophisticated ecosystem of interconnected roles, collectively known as “operators.” A recent paper, “Subject Roles in the EU AI Act: Mapping and Regulatory Implications” by Nicola Fabiano, delves deep into these definitions and their practical implications, offering crucial guidance for anyone navigating the new AI landscape.
Understanding the EU AI Act’s Key Players
The AI Act identifies six primary categories of actors, all falling under the umbrella term “operators” as defined in Article 3(8). These are: providers, deployers, authorized representatives, importers, distributors, and product manufacturers. The paper meticulously maps out how the Act regulates each of these subjects across its 113 articles, 180 recitals, and 13 annexes, revealing a distributed yet coordinated governance system.
The Provider: At the Helm of AI Development
The provider is defined as the entity that develops an AI system or general-purpose AI model, or has one developed, and then places it on the market or puts it into service. This role carries the most extensive responsibilities, acting as the primary accountability point. Providers must ensure their high-risk AI systems comply with all requirements, including establishing robust risk management and quality management systems, preparing detailed technical documentation, implementing logging capabilities, and actively monitoring systems post-market. They are also responsible for reporting serious incidents and providing comprehensive information to downstream operators, especially for general-purpose AI models.
The Deployer: Managing AI in Practice
Deployers are individuals or organizations using an AI system under their authority, excluding personal non-professional activities. This role is critical because the risks and impacts of AI systems often depend on how they are used in real-world contexts. Deployers of high-risk AI systems have significant duties, such as using systems according to instructions, ensuring human oversight, implementing data governance, monitoring system operations, retaining logs, and providing transparency to affected individuals. They are also mandated to conduct fundamental rights impact assessments for specific high-risk systems and provide explanations to individuals affected by AI decisions.
Bridging Jurisdictional Gaps: The Authorized Representative
For non-EU providers, the authorized representative is a crucial link. This Union-based entity receives a written mandate from a provider to perform and carry out obligations and procedures established by the regulation on their behalf. They maintain technical documentation, cooperate with authorities, and, importantly, must terminate their mandate if they suspect the provider is violating the Act, effectively blocking market access for non-compliant systems.
The Importer: First Line of Defense for Market Entry
Importers are Union-based entities that place AI systems from third countries onto the EU market. They act as gatekeepers, responsible for verifying that the AI system has undergone the necessary conformity assessments, bears the CE marking, is accompanied by required documentation, and that a non-EU provider has appointed an authorized representative. Importers must refrain from placing non-compliant systems on the market and immediately inform authorities and providers of any risks.
Maintaining Compliance: The Distributor
Distributors are any entities in the supply chain, other than the provider or importer, that make an AI system available on the Union market. Their role involves maintaining the integrity of AI systems as they move through the distribution network. Distributors must verify that systems bear the CE marking, are accompanied by documentation, and that providers and importers have met their identification and documentation obligations. Like importers, they must not make non-compliant systems available and must cooperate with authorities.
Dynamic Responsibilities: Role Transformations
One of the most sophisticated aspects of the AI Act is Article 25, which outlines mechanisms for role transformation. This ensures accountability follows control. For instance, a distributor, importer, or deployer can become a provider if they place an AI system on the market under their own name, make substantial modifications to a high-risk system, or change a non-high-risk system’s intended purpose to make it high-risk. Product manufacturers integrating high-risk AI systems into their products are also automatically designated as providers of those AI systems.
Information Flows and Enforcement
The Act mandates comprehensive information flows between operators, ensuring transparency and accountability across complex value chains. Providers must supply detailed instructions and documentation, while deployers are required to provide feedback on operational risks and incidents. The regulation also establishes differentiated enforcement mechanisms, with administrative fines varying based on the severity of infringements and the specific operator’s role. Market surveillance authorities have broad powers to require information, conduct inspections, and mandate corrective actions.
Phased Implementation and International Reach
The AI Act’s provisions are being implemented in phases. Prohibited practices took effect in February 2025, general-purpose AI model rules in August 2025, and most operator obligations, including those for providers and deployers, will become fully enforceable in August 2026. The Act also has extraterritorial reach, applying to providers and deployers outside the Union if their AI system outputs are used within the EU, further emphasizing the critical role of authorized representatives and importers in ensuring global compliance with EU standards.
Also Read:
- Unpacking the Black Box: How Argumentation Can Make Legal AI Transparent and Accountable
- Building Secure AI Agents: Understanding the Trust, Risk, and Liability Framework
A Unified Yet Complex Framework
While the overarching “operator” concept aims to unify key participants, the paper critically notes that it can introduce semantic ambiguity and potentially dilute accountability. Despite this, the AI Act’s framework demonstrates a sophisticated understanding of modern AI ecosystems, distributing responsibilities based on each actor’s position and control. This approach balances innovation with the protection of fundamental rights, setting a precedent for global AI governance.
