Article 25 of the EU AI Act makes any distributor, importer, deployer or other third party count as the provider of a high-risk AI system if they put their name or trademark on it, substantially modify it, or change an AI system's intended purpose so it becomes high-risk. The initial provider must then cooperate and hand over information, and component suppliers must conclude written information agreements.
EU AI Act Article 25: Responsibilities Along the AI Value Chain
What Article 25 Covers
Article 25 of Regulation (EU) 2024/1689 answers a question that classic product law has long had to solve and that AI supply chains make acute: who carries the provider obligations when a system passes through many hands, gets rebranded, modified, fine-tuned or repurposed? The article reallocates the provider role along the value chain and organises the flow of information that the new provider needs.
The Three Triggers: Becoming a Provider
Under Article 25(1), any distributor, importer, deployer or other third party shall be considered to be a provider of a high-risk AI system for the purposes of the regulation, and shall be subject to the provider obligations under Article 16, in any of the following circumstances:
- They put their name or trademark on a high-risk AI system already placed on the market or put into service, without prejudice to contractual arrangements stipulating that the obligations are otherwise allocated.
- They make a substantial modification to a high-risk AI system that has already been placed on the market or put into service in such a way that it remains a high-risk AI system pursuant to Article 6.
- They modify the intended purpose of an AI system, including a general-purpose AI system, which has not been classified as high-risk and has already been placed on the market or put into service, in such a way that the AI system concerned becomes a high-risk AI system in accordance with Article 6.
The third trigger deserves emphasis. An organisation that takes a general-purpose model or a benign AI tool and deploys it for, say, recruitment scoring or credit decisions can become the provider of a newly high-risk system, with the full Article 16 programme: risk management, documentation, conformity assessment, CE marking, registration and more.
What Happens to the Original Provider
Article 25(2) provides that where those circumstances occur, the provider that initially placed the system on the market or put it into service shall no longer be considered a provider of that specific AI system. But it is not released into silence: that initial provider shall closely cooperate with the new provider, make available the necessary information and provide the reasonably expected technical access and other assistance required for the new provider to fulfil its obligations, in particular regarding conformity assessment. There is an exception: the cooperation duty does not apply where the initial provider has clearly specified that its AI system is not to be changed into a high-risk AI system and therefore does not fall under the information handover obligation.
Written Agreements with Component and Tool Suppliers
Article 25(4) tackles the upstream side. The provider of a high-risk AI system and third parties that supply an AI system, tools, services, components or processes that are used or integrated in the high-risk AI system shall, by written agreement, specify the necessary information, capabilities, technical access and other assistance, based on the generally acknowledged state of the art, to enable the provider of the high-risk system to fully comply with its obligations. The duty does not extend to third parties making accessible to the public tools, services, processes or components, other than general-purpose AI models, under a free and open-source licence. The AI Office may develop and recommend voluntary model contractual terms for such agreements.
Article 25(3) adds that for high-risk AI systems that are safety components of products covered by the Annex I Section A harmonisation legislation, the product manufacturer is considered the provider in defined situations, namely where the system is placed on the market together with the product under the manufacturer's name or trademark, or put into service under that name or trademark after the product is placed on the market.
How to Manage Article 25 in Practice
- Know which side of the line you are on. Before rebranding, modifying or repurposing any AI system, run an Article 25 assessment: would this make us the provider? Treat white-labelling negotiations as compliance decisions, not just commercial ones.
- Control modifications. Define internally what counts as a substantial modification, aligned with Article 3(23): a change not foreseen in the provider's initial conformity assessment that affects compliance or the intended purpose.
- If you intend to repurpose a general-purpose system into a high-risk use, budget for the full provider programme before deployment, not after.
- As an upstream supplier, decide your posture: either sign Article 25(4) information agreements with your high-risk customers, or, where the open-source exemption genuinely applies, document that licensing position.
- As an initial provider, decide whether to clearly specify that your system is not to be changed into a high-risk system, and reflect that in licences and instructions for use, since this affects your cooperation duties.
- Paper the handover. When the provider role shifts, the transfer of technical documentation, test evidence and data information should follow a written protocol, because the new provider must pass a conformity assessment with that material.
A Concrete Example
A consultancy licenses a general-purpose language model, fine-tunes it on a client's historical hiring data and deploys it to rank applicants for the client. Ranking applicants falls under Annex III point 4(a), so the resulting system is high-risk, and because the consultancy modified the intended purpose of a system that was not high-risk, it is now the provider under Article 25(1)(c). It must build the technical documentation, risk management, logging and oversight design, run the conformity assessment, draw up the EU declaration of conformity, affix the CE marking and register the system. The model supplier must, under its written agreement, provide the information and technical access the consultancy reasonably needs, unless it distributed the model freely under an open-source licence within the exemption's limits, noting that the exemption carve-out does not cover general-purpose AI models.
How Article 25 Connects to Other Provisions
Article 25 redistributes the Article 16 obligations and therefore everything they reference: Articles 8 to 15, conformity assessment under Article 43, the declaration under Article 47, CE marking under Article 48 and registration under Article 49. It interacts with the GPAI chapter, since fine-tuning or integrating general-purpose models into high-risk uses is the typical modern path into trigger three. The definition of substantial modification in Article 3(23) and the classification rules of Article 6 determine when the triggers fire, and the importer and distributor duties of Articles 23 and 24 apply only so long as those actors do not cross into provider territory.
Actions to Take Before August 2, 2026
Every organisation in an AI supply chain should map its products and projects against the three triggers before the high-risk obligations apply on August 2, 2026. Buyers repurposing AI tools should identify hidden provider roles now, suppliers should prepare standard information agreements, and initial providers should review their licence terms on permitted uses and modification. This article provides general information about Regulation (EU) 2024/1689 and is not advice on any specific value-chain arrangement.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.