Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NL·EN
Explainer

Procuring an AI model (GPAI): what duties do you have as a deployer?

Adopted 2026-06-16 · ≈ 3 min read · Dirk Baaijen

The heaviest GPAI duties fall on the provider, not on you. As a deployer your obligations centre on AI literacy (Article 4), transparency (Article 50) and — for high-risk use — the deployer duties in Article 26.

Short answer: Procuring a general-purpose AI model (GPAI) makes you a deployer, not the provider. The heaviest GPAI obligations in Chapter V of the AI Act rest on the model provider. Your duties as a deployer depend mainly on how you use the model: AI literacy always applies, transparency applies when you direct it at people or the public, and the heavier deployer duties apply as soon as the use is high-risk.

Who is who: provider versus deployer

The AI Act (Regulation (EU) 2024/1689) distinguishes roles. A provider develops an AI system or model and places it on the market under its own name; a deployer uses it under its own authority in a professional context (Article 3). An organisation that procures and applies an existing GPAI model is, as a rule, a deployer.

That distinction is decisive, because Chapter V — the obligations for general-purpose AI models — addresses the provider of the model. These include technical documentation, information for downstream parties, a copyright policy and, for models with systemic risk, additional requirements. They have applied since 2 August 2025. As a purchaser you do not inherit them; you may, however, rely on them, because the provider is obliged to supply downstream users with information.

Watch one tipping point: if you substantially modify the model, or place it on the market under your own name, you may be treated as a provider yourself, and the provider obligations then apply to you.

Your duties as a deployer, by use

AI literacy (Article 4). This duty has applied since 2 February 2025 and is role-independent: both providers and deployers must ensure a sufficient level of AI literacy among their staff and others who operate the system on their behalf. It is the first duty relevant to almost every GPAI purchaser.

Transparency (Article 50). If you deploy the model in a chatbot or assistant that interacts directly with people, or generate content that appears authentic, transparency obligations apply: people must know they are dealing with AI, and synthetic content must be detectable. Under the Digital Omnibus agreement of 7 May 2026, Article 50 is expected to apply from 2 December 2026; until publication in the Official Journal, 2 August 2026 formally still stands.

High-risk use (Article 26). If you build the GPAI model into an application with a high-risk purpose (Annex III), you become the deployer of a high-risk system, and the heavier duties of Article 26 apply: use according to the instructions, human oversight, monitoring, log keeping and informing affected persons. The application dates for the high-risk regime are expected to shift via the Digital Omnibus; consult the timeline for these.

What this means at procurement

Three sober steps. First, determine your role — do you remain a deployer, or does modification or relabelling turn you into a provider? Second, request the provider information that Chapter V entitles you to, and stipulate in the contract that the provider meets its GPAI obligations and supplies the documentation you need. Third, classify your own use (general, transparency-bound, or high-risk), because that — not the model itself — is where your obligations sit. The definitive dates are only fixed on publication in the Official Journal; account contractually for both timelines.

Read more: AI Act: timeline of obligations.

Take the scan.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Chapter V (GPAI), Article 3 (definitions), Article 4, Article 26 and Article 50.
  2. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
    European Commission policy page on the AI Act, with the current state of implementation and guidance.

Share on LinkedIn

Read next

W

Registering high-risk systems in the EU database (Article 49)

Article 49 of the AI Act requires providers and certain deployers to register high-risk systems in a public EU database before deployment. The registration makes visible which systems are on the market and is a condition for lawful use.

U

Procuring AI in government: AI Act compliance as a tender requirement

A public body that procures an AI system becomes a deployer under the AI Act, and sometimes a provider itself. Make compliance, documentation and the rights impact assessment hard tender requirements, not loose ends in the contract.

W

AI in contracts: the clauses to set when buying and supplying

There is no separate AI contract law, but the AI Act, product liability and the Data Act together determine what you must set contractually: role allocation, compliance warranties, documentation, liability, data and IP, logging and exit. This guide lays out the core clauses.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method →

A project or programme? Work with YRproject →

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.