EU AI Act Provider vs Deployer Obligations Splitter

Resolve the Article 25 provider/deployer obligations split for financial institutions using third-party AI systems. Many banks deploy AI models from vendors — this tool determines which Article 6/9/10/11/12/13/14 obligations sit with the provider and which with the deployer, and generates the required contract clauses and vendor due diligence checklist. Effective August 2 2026.

Effective 2 August 2026 · EU AI Act Art. 25–27 · Contract Clauses · Vendor DD · Client-Side · Zero PII · CC BY 4.0
2 August 2026: High-risk AI obligations effective; Art. 25 split applies to all Annex III systems (critical deadline)
Now: GDPR controller/processor analogy informs Art. 25 structuring (already live)
Scope & Reliance — All inputs are processed locally in your browser. No data is transmitted. Static regulatory thresholds as of 2026-06-01. Contract clause templates are starting-point guidance — obtain legal review before use in binding agreements. Deterministic logic · zero PII · CC BY 4.0.
Do not enter real personal data — use synthetic or anonymised inputs only.
Step 01 Organisation Role & AI System Source
Art. 25: Substantial modification triggers provider obligations for the deployer. Art. 3(9): "provider" means any person placing a high-risk AI system on the market.
Source determines whether Art. 25 obligations shift — fine-tuning and substantial modifications can trigger provider obligations.
Art. 25(2): If provider is not established in EU and has no representative, the deployer steps into the provider's obligations.
Step 02 Modifications, Oversight & Current Compliance Status
Art. 25(1)(b): Substantial modification triggers full provider obligations for the deployer. Fine-tuning is likely to constitute substantial modification.
Art. 26(2): Deployers must ensure human oversight measures specified in instructions for use are implemented.
Art. 25 obligations split should be documented in a written agreement between provider and deployer.
Art. 26(1)(b): Deployers must ensure the AI system is registered in EU database if required, and must have access to technical documentation.
Art. 73: Providers must report serious incidents. Art. 26(5): Deployers must inform providers of incidents affecting AI system performance.
Art. 27: Deployers that are bodies governed by public law or operate under Art. 27 scope must conduct a fundamental rights impact assessment before deployment.
Provider/Deployer Obligations Split
Obligations Split — Art. 25 Analysis
Provider Obligations (Art. 16)
Deployer Obligations (Art. 26)
Required Contract Clauses (Art. 25)
Vendor Due Diligence Checklist (Art. 26)
AP2 v1.0 · @ainumbers.co/eu-ai-act-art25-split-v1

Regulatory Sources

[1] EU AI Act (EU) 2024/1689 Art. 6: Classification rules for high-risk AI systems subject to Art. 25 split
[2] EU AI Act Art. 16: Obligations of providers of high-risk AI systems (risk mgmt, technical docs, conformity assessment, registration)
[3] EU AI Act Art. 25: Responsibilities along the AI value chain: obligation allocation between providers and deployers
[4] EU AI Act Art. 26: Obligations of deployers of high-risk AI systems (human oversight, monitoring, incident reporting, DPIA)
[5] EU AI Act Art. 27: Fundamental rights impact assessment for deployers of certain high-risk AI systems
[6] EU AI Act Art. 72: Post-market monitoring; Art. 73: Reporting of serious incidents to market surveillance authorities
[7] GDPR controller/processor analogy: Art. 28 GDPR data processing agreements as structural precedent for Art. 25 AI Act contracts