All articles
Provider or Deployer? AI Act Roles for Medical AI (MDR Manufacturers)
AI Act

Provider or Deployer? AI Act Roles for Medical AI (MDR Manufacturers)

Under the EU AI Act, the medtech company that makes the AI is the provider (the MDR manufacturer) and carries the heavy obligations; the clinic that uses it is the deployer. Learn which role you hold, the full value-chain cast, the non-EU authorised-representative rule, and how you can become a provider under Article 25. Cited.

Pedram Madani9 min read
Share

Provider or Deployer? AI Act Roles for Medical AI

TL;DR

The EU AI Act splits obligations between roles, and almost all of the weight sits on the provider:

  • If you build or make the medical AI, you are the provider. For medical devices, the Commission's MDCG 2025-6 guidance says the MDR/IVDR manufacturer is the AI Act provider. You carry the full high-risk obligations (Article 16).
  • If you only use someone else's medical AI, you are the deployer (for example a clinic). Your duties are lighter (Article 26). The AI Act "deployer" is not the MDR "user".
  • If you are established outside the EU, you must also appoint an EU authorised representative before placing the system on the market (Article 22).
  • You can flip from deployer to provider without meaning to if you rebrand, substantially modify, or repurpose a system (Article 25).

If you are a medtech startup shipping Software as a Medical Device, you are almost certainly the provider. Get that straight first, because it decides who owns the obligations.

Every legal claim below is cited. See Sources.

Why the role decides everything

The AI Act does not spread its obligations evenly. The provider of a high-risk AI system carries the risk-management system, data governance, technical documentation, logging, conformity assessment, CE marking and registration. The deployer mostly has to use the system correctly and keep an eye on it. So the first question in any medical-AI compliance conversation is not "what do we do" but "which role are we in", because the answer reassigns most of the work.

For a startup, this is usually simple: you make the product, so you are the provider. It gets subtle when hospitals, distributors, or platform partners enter the picture, and when you build on top of someone else's model.

Is your AI system high-risk?

Find out in 2 minutes, free, no signup required.

Take the free assessment

The full cast: who is who in the AI value chain

The AI Act names several roles, each with its own article:

  • Provider (Article 16): develops the high-risk AI system (or has it developed) and places it on the market under its own name. This is you, the medtech maker, and the MDR/IVDR manufacturer.
  • Deployer (Article 26): uses the system under its own authority in a professional capacity. The hospital or clinic.
  • Importer (Article 23) and distributor (Article 24): parties that bring a non-EU provider's system into, or move it through, the EU market, with verification duties.
  • Authorised representative (Article 22): the EU-based party a non-EU provider must appoint to act for it.

Most of these mirror roles you already know from the MDR (manufacturer, importer, distributor, EU authorised representative). The AI Act largely reuses that structure, which is part of why the two regimes integrate.

You are the provider if you make the system

A provider is the party that develops a high-risk AI system, or has it developed, and places it on the market or puts it into service under its own name or trademark. For medical AI, MDCG 2025-6 draws the line cleanly: the MDR/IVDR manufacturer is the AI Act provider. If your name is on the CE-marked device, you are both.

As the provider, Article 16 makes you responsible for:

  • Ensuring the system meets the high-risk requirements (Articles 9 to 15).
  • A quality management system (Article 17), which for medical AI is your ISO 13485 QMS extended for AI.
  • Technical documentation and automatic logging (Articles 18 and 19).
  • Conformity assessment, the EU declaration of conformity, CE marking and registration (Articles 43, 47, 48 and 49), which for a medical device run through your existing MDR/IVDR route under Article 43(3).
  • Corrective actions and incident reporting (Article 20), and cooperation with authorities.

The practical point: for a medical device, these are not a second stack of work. They are folded into the MDR/IVDR obligations you already carry. See our medical-AI high-risk guide for how the two frameworks integrate.

You are the deployer if you only use it

A deployer is anyone using a high-risk AI system under their own authority in a professional capacity, for example a hospital or clinic running a diagnostic model built by someone else. Deployer duties under Article 26 are real but lighter:

  • Use the system in line with the instructions for use.
  • Assign competent human oversight with the authority to intervene.
  • Where the deployer controls the input data, keep it relevant and representative.
  • Monitor operation, inform the provider and market surveillance authority of serious risks or incidents, and suspend use where needed.
  • Keep the automatically generated logs (at least six months, where under their control).
  • Inform affected workers and, where relevant, affected patients that the system is in use.

A wording trap worth flagging: the AI Act "deployer" is not the MDR "user". MDCG 2025-6 makes that distinction explicitly, so do not assume the two regimes label the roles the same way.

Non-EU? You also need an EU authorised representative

If your company is established outside the EU (a US, UK, Swiss or other third-country medtech), Article 22 requires you, before making a high-risk AI system available on the EU market, to appoint by written mandate an authorised representative established in the Union. That representative verifies your declaration of conformity and technical documentation exist, keeps records available to authorities for ten years, handles registration, and serves as the contact point for market surveillance. This is a separate appointment from your MDR EU authorised representative, though the same partner may sometimes cover both. Non-EU teams selling medical AI into Europe should plan for it early.

The trap: how a deployer becomes a provider (Article 25)

This is where medical-AI teams get caught. Under Article 25(1), a deployer, distributor, importer or other third party takes on the full provider obligations if they:

  • (a) put their own name or trademark on a high-risk system already on the market (white-labelling or rebranding);
  • (b) make a substantial modification to a high-risk system that keeps it high-risk; or
  • (c) modify the intended purpose of a system (including a general-purpose AI system) so that it becomes high-risk.

When this happens, the party that was the provider before hands over the necessary information and the original provider is expected to cooperate, and responsibilities can be allocated by written agreement between the parties. But the default is clear: the modifier inherits Article 16.

For medtech, the live scenarios are: a hospital that fine-tunes or materially changes a vendor's model on its own patient data; a distributor that re-brands a device under its own name; or a platform that repurposes a general tool into a clinical one. Any of these can silently convert a "deployer" into a "provider", and, if the change is substantial enough under the MDR, trigger a new conformity assessment too. Treat model changes as a regulatory event, not just an engineering one.

Worked examples

SituationAI Act roleWhy
You build SaMD and sell it under your nameProvider (and MDR manufacturer)You develop and place it on the market (Art 16)
A hospital runs your tool per the instructionsDeployerUses it under its own authority (Art 26)
A hospital fine-tunes your model on its patient dataHospital becomes a providerSubstantial modification (Art 25(1)(b))
A distributor white-labels your deviceDistributor becomes a providerPuts its name on it (Art 25(1)(a))
A US startup sells SaMD into the EUProvider, plus an EU authorised representativeNon-EU provider (Art 22)

Common mistakes

  • Assuming "user" and "deployer" are the same. They are defined differently across the MDR and the AI Act.
  • Fine-tuning a vendor model without checking Article 25. A substantial modification can make you the provider, with the full obligation stack and possibly a fresh MDR assessment.
  • Forgetting the non-EU authorised representative. For third-country providers it is a precondition to market access, not a nice-to-have.
  • Thinking a contract can offload provider duties entirely. Parties can allocate responsibilities by agreement, but the role attaches by law to what you actually do.

Decision recap

  1. Do you develop the medical AI and place it on the market under your name? You are the provider (and the MDR/IVDR manufacturer). Full Article 16 obligations, folded into your MDR/IVDR route.
  2. Do you only use someone else's medical AI in practice? You are the deployer. Article 26 duties: correct use, oversight, monitoring, logs.
  3. Established outside the EU? Appoint an EU authorised representative (Article 22) before you place the system on the market.
  4. Do you rebrand, substantially modify, or repurpose a system? Article 25 may make you a provider regardless of what you were before. Check before you touch the model.

Not sure how your system classifies in the first place? Run the free assessment, try the interactive medical AI risk check, or read Is my medical AI high-risk?. If you build on a general-purpose model, read building medical AI on LLMs next.

FAQ

Is a hospital that uses a diagnostic AI a provider or a deployer?

A deployer, as long as it only uses the system per the instructions for use. Its duties fall under Article 26: correct use, human oversight, monitoring, informing the provider of incidents, and log retention. It only becomes a provider if it rebrands, substantially modifies, or repurposes the system under Article 25.

Is the MDR manufacturer the same as the AI Act provider?

Yes. MDCG 2025-6 confirms that the manufacturer under the MDR or IVDR is the provider under the AI Act. If your name is on the CE-marked medical device, you hold both roles and the provider obligations under Article 16.

If we fine-tune a vendor's model on our own clinical data, do we become the provider?

Potentially. If that counts as a substantial modification that keeps the system high-risk, Article 25(1)(b) makes you a provider with full Article 16 obligations, and under the MDR a substantial change can also trigger a fresh conformity assessment. Treat model changes as a regulatory event.

We are a US company. Do we need anyone in the EU?

Yes. As a non-EU provider you must appoint an EU authorised representative under Article 22 before making your high-risk AI system available on the EU market. This is separate from, though sometimes combined with, your MDR EU authorised representative.

Are deployer obligations lighter than provider obligations?

Yes, substantially. Deployers under Article 26 mainly have to use the system correctly, ensure human oversight, monitor it, keep logs, and report problems. Providers under Article 16 carry the design-time requirements, technical documentation, conformity assessment, CE marking and registration.

Sources (official)

  • EU AI Act, Regulation (EU) 2024/1689: per-article on the European Commission AI Act Service Desk. Cited: Article 3 (definitions of provider and deployer), Article 16 (provider obligations), Article 22 (authorised representatives of non-EU providers), Articles 23 and 24 (importers and distributors), Article 25 (responsibilities along the value chain), Article 26 (deployer obligations); official text on EUR-Lex.
  • MDCG 2025-6, FAQ on the interplay between the MDR/IVDR and the AI Act (19 June 2025): Commission page. Cited for: MDR/IVDR manufacturer maps to AI Act provider; deployer is not the MDR user.

Legalithm provides compliance information and tooling, not legal advice. Role qualification depends on your specific arrangements; confirm with qualified regulatory counsel. Article references are to Regulation (EU) 2024/1689 (the AI Act).

AI Act
MDR
Provider
Deployer
Medical Devices
Healthcare
Roles