Chapter III, Section 3 — Obligations of providers and deployers of high-risk AI systemsArticle 25

Article 25: Responsibilities Along the AI Value Chain

Applies from 2 Aug 20266 min readEUR-Lex verified Apr 2026

Article 25 is the re-qualification trigger: it defines when a distributor, importer, deployer, or third party becomes a provider of a high-risk AI system and inherits the full provider obligations under Article 16. This happens when they: (a) put their name or trademark on a system already placed on the market; (b) make a substantial modification; or (c) modify the system's intended purpose so it becomes high-risk. The original provider is released from Article 16 duties once the new provider is properly identified. Critical for deployer due diligence — any modification beyond normal use may shift obligations.

Start free assessment All articles

Who does this apply to?

-Deployers considering modifications to high-risk AI systems
-Distributors and importers re-branding or modifying AI systems
-Third parties integrating or customising high-risk AI for new purposes
-Original providers assessing when their Article 16 duties transfer
-Legal teams advising on value-chain allocation of compliance obligations

Scenarios

A consulting firm takes a vendor's HR screening AI, rebrands it under its own name, and sells it to clients.

Article 25(a): placing your name on a system already on the market makes you the provider — full Article 16 obligations apply.

Ref. Art. 25(1)(a)

A deployer fine-tunes a high-risk credit scoring AI with new training data, materially changing its behaviour.

Article 25(b): substantial modification — the deployer becomes the provider and must carry out conformity assessment.

Ref. Art. 25(1)(b)

A company takes a general-purpose AI tool and deploys it for Annex III law enforcement purposes not covered in the original intended purpose.

Article 25(c): modifying the intended purpose to make it high-risk — the modifier becomes the provider.

Ref. Art. 25(1)(c)

Three triggers for re-qualification (plain terms)

You are treated as the provider of a high-risk AI system (with **full Article 16 obligations**) if you:

(a) Put your name or trademark on a high-risk AI system already placed on the market or put into service — unless there is a written agreement assigning provider obligations to the original party

(b) Make a substantial modification to a high-risk AI system already placed on the market or put into service, in such a way that it remains a high-risk system

(c) Modify the intended purpose of an AI system (including a general-purpose system) that was not classified as high-risk, in such a way that the system becomes high-risk

In cases (b) and (c), the original provider is no longer the provider for the purposes of Article 16 — obligations transfer to the modifier.

What counts as a 'substantial modification'?

The Act does not provide an exhaustive definition, but a substantial modification generally means a change that: - Affects the system's compliance with Chapter III, Section 2 requirements - Alters performance characteristics beyond what was foreseen in the original conformity assessment - Changes the intended purpose or adds new use cases

Examples: retraining with significantly different data, changing model architecture, adding new input modalities, or altering decision thresholds in safety-critical ways.

Minor updates (bug fixes, UI adjustments, parameter tuning within documented ranges) are generally not substantial modifications — but document your reasoning.

Implications for deployers

This article is a due diligence checkpoint for every deployer of high-risk AI:

1. Before modifying: assess whether the change is substantial — if yes, you become the provider 2. Before re-branding: any white-labelling triggers Article 25(a) unless a written agreement assigns duties back 3. Before repurposing: using a system for a new Annex III use case triggers Article 25(c)

Deployers should include Article 25 analysis in change control procedures and procurement due diligence.

How Article 25 connects to the rest of the Act

Article 16 — The full provider obligation set that applies to the new provider.
Article 3(3) — Definition of provider.
Article 6 — High-risk classification that determines when Article 25(c) triggers.
Article 26 — Deployer obligations that apply until the deployer crosses into provider territory.
Article 43 — Conformity assessment the new provider must perform.
Article 99 — Penalties for non-compliance with provider obligations.
Annex III — The high-risk use cases that trigger Article 25(c) when a system is repurposed.

Recitals (preamble) on EUR-Lex

The recitals in the same consolidated AI Act on EUR-Lex contextualise the value chain allocation of responsibilities, the substantial modification concept, and the shift of obligations upon re-qualification. Use the official preamble on EUR-Lex.

Compliance checklist

Include Article 25 analysis in all change control and modification approval workflows.
Define 'substantial modification' thresholds in internal SOPs — covering data changes, model changes, and purpose changes.
Before re-branding or white-labelling: confirm whether written agreements allocate provider obligations.
Before repurposing a general-purpose system for Annex III uses: assess Article 25(c) triggers.
Document all modification decisions with reasoning on whether they are substantial.
If re-qualified as provider: immediately initiate Article 16 compliance (QMS, conformity, registration, post-market monitoring).
Notify the original provider when you trigger Article 25 re-qualification.

Read the official text on EUR-Lex

Check if your modifications trigger Article 25—free assessment.

Start Free Assessment

Article 3: Definitions

Article 6: Classification Rules for High-Risk Systems

Article 16: Obligations of Providers of High-Risk AI Systems

Article 26: Obligations of Deployers of High-Risk AI Systems

Article 43: Conformity Assessment for High-Risk AI Systems

Article 99: Penalties for AI Act Infringements

Article 113: Entry into Force and Application Dates

Annex III: High-Risk AI System Areas

Related annexes

Annex III — High-risk AI system areas (triggers for Article 25(c) repurposing)

Frequently asked questions

Does fine-tuning always trigger Article 25?

Not necessarily. Fine-tuning within the provider's documented parameters and intended purpose is generally not a substantial modification. But fine-tuning that materially changes behaviour, accuracy, or use case may be. Document your analysis.

Can we contractually avoid Article 25 re-qualification?

Article 25(1)(a) allows written agreements for name/trademark scenarios. For substantial modifications (b) and intended purpose changes (c), the re-qualification is functional — contracts cannot override regulatory classification, but they can allocate internal responsibilities.

What happens to the original provider's obligations?

The original provider is released from Article 16 duties for the modified system. They must provide the new provider with necessary information and cooperation (Article 25(2)).

Does using a GPAI model for an Annex III purpose trigger Article 25?

Yes — Article 25(1)(c) covers modifying a non-high-risk system's intended purpose to make it high-risk. Building an Annex III application on top of a general-purpose model likely makes you the provider of that high-risk system.

On this page

Key terms

Substantial modification: A change to a high-risk AI system that affects compliance with Chapter III Section 2 requirements or changes its intended purpose — triggers re-qualification under Article 25.
Re-qualification: The process by which a non-provider (deployer, distributor, importer, third party) becomes the provider of a high-risk system by triggering Article 25 conditions.
Intended purpose: The use for which the AI system is designed according to the provider's documentation and instructions — changing it can trigger Article 25(c) if the new purpose is high-risk.

Maximum penalties (Art. 99)

3% of turnover / Up to EUR 15 million or 3% of global annual turnover under Article 99(4) for failing to comply with provider obligations after re-qualification
SMEs / start-ups: Lower caps for SMEs and start-ups under Article 99(6)
Entities that trigger Article 25 without recognising their provider status face full enforcement exposure.

Timeline

2 Aug 2026
Article 25 re-qualification rules apply for most high-risk systems.

At a glance

Article: 25
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now