Quick answer

The EU AI Act defines its vocabulary precisely in Article 3, and most compliance confusion traces back to terms like provider, deployer, intended purpose, placing on the market, and substantial modification. This glossary explains the terms that matter most, in plain English, grouped by theme.

Updated June 2026 · MmowW AI Compliance

EU AI Act Glossary: Key Terms Explained in Plain English

Why the EU AI Act's Definitions Matter

Regulation (EU) 2024/1689 opens with a long catalogue of definitions in Article 3, and they are not decoration: every obligation in the Act is built from these defined words, and using them loosely is how organisations misjudge their duties. A company that thinks user when the Act says deployer, or thinks sold when the Act says placing on the market, will draw the wrong compliance map. This glossary translates the terms a business actually meets, grouped so related concepts sit together. It is a working aid, not a substitute for the text: when a decision turns on a single word, read the official definition itself.

The Actors

Provider: whoever develops an AI system or general-purpose AI model, or has one developed, and places it on the market or puts it into service under its own name or trademark, paid or free. The role with the heaviest duties.
Deployer: whoever uses an AI system under its own authority in a professional context. Most businesses are mainly deployers.
Importer: an EU-established entity placing on the market an AI system bearing a non-EU entity's name.
Distributor: anyone else in the supply chain making a system available on the EU market.
Authorised representative: the EU-established contact a non-EU provider must appoint by written mandate for high-risk systems and GPAI models.
Operator: the umbrella word covering all of the above.
Affected person: not formally one of the operator roles, but the person on the receiving end of an AI-assisted decision, and the holder of the right to an explanation for high-risk decisions.

The Systems

AI system: a machine-based system operating with some autonomy, possibly adapting after deployment, that infers from its inputs how to generate predictions, content, recommendations, or decisions that influence environments. Inference is the gatekeeping concept.
General-purpose AI model, GPAI: a model trained on broad data at scale that displays significant generality, performs competently across many tasks, and can be integrated into many downstream systems; regulated through its provider.
GPAI with systemic risk: a general-purpose model with high-impact capabilities, presumed when training compute exceeds 10^25 floating-point operations; it attracts extra evaluation, mitigation, incident-reporting, and cybersecurity duties.
General-purpose AI system: an AI system built on a GPAI model that can serve many purposes.
Biometric data: personal data resulting from technical processing of physical, physiological, or behavioural characteristics, such as face images, fingerprints, or voice.
Emotion recognition system: AI that identifies or infers emotions or intentions from biometric data; banned in workplaces and schools outside medical and safety uses.

The Market Concepts

Placing on the market: first making a system or model available on the EU market.
Making available: any supply for distribution or use in the EU in the course of commercial activity, paid or free.
Putting into service: supplying for first use directly to a deployer, or using it yourself, for its intended purpose in the EU; building for your own use counts.
Intended purpose: the use the provider declares in instructions, marketing, and documentation; the anchor of risk classification.
Reasonably foreseeable misuse: use not intended but predictable from human behaviour; providers must consider it in risk management.
Substantial modification: a change not foreseen in the provider's assessment that affects compliance or alters the intended purpose; it can transfer provider duties to whoever made the change.

The Compliance Machinery

Risk: the combination of the probability of harm and its severity, the quantity the whole Act manages.
Risk management system: the continuous, lifecycle-spanning process providers of high-risk systems must run to identify, evaluate, and mitigate risks.
Technical documentation: the engineering dossier, specified in Annex IV, proving a high-risk system meets the requirements, prepared before market placement.
Conformity assessment: the procedure verifying a high-risk system's compliance, by internal control or with a notified body depending on the case.
Notified body: an independent organisation designated by a member state to perform third-party conformity assessments.
CE marking: the affixed mark declaring that a high-risk system conforms, the same mark used across EU product law.
EU declaration of conformity: the signed document in which the provider takes responsibility for compliance.
Harmonised standard: a European standard whose use creates a presumption of conformity with the requirements it covers.
EU database: the public register in which high-risk systems are recorded before placement.
Post-market monitoring: the provider's systematic collection of in-use experience to keep the system compliant after launch.
Quality management system: the documented organisational system of policies, procedures, and responsibilities that makes compliance repeatable rather than heroic.

The Oversight and Incident Vocabulary

Human oversight: the designed-in capability for competent people to understand, monitor, and intervene in a high-risk system, including overriding or stopping it; deployers must staff it with trained individuals holding real authority.
Transparency: in the Act, mainly the Article 50 duties (disclosing chatbots, marking synthetic content, labelling deepfakes), plus the provider's duty to make high-risk systems interpretable enough for deployers to use them properly.
Fundamental rights impact assessment, FRIA: the pre-use analysis that certain deployers (public bodies, essential-services providers, and those using AI for credit or life and health insurance pricing decisions) must complete, covering context, affected persons, risks, oversight, and complaints.
Serious incident: an incident or malfunction leading, directly or indirectly, to death or serious harm to health, serious and irreversible disruption of critical infrastructure, infringement of fundamental rights protections, or serious damage to property or the environment; providers of high-risk systems report to authorities, as a rule within 15 days of awareness, faster for the gravest cases.
AI literacy: the skills and understanding staff need to use AI with awareness of its risks and limits; required of providers and deployers since February 2, 2025.
AI regulatory sandbox: a supervised environment, at least one per member state by August 2026, for developing and testing AI under regulatory guidance, with priority access for SMEs.

Reading the Definitions Like a Compliance Map

The fastest way to use this vocabulary is to recognise that it encodes the Act's whole logic. The actor terms decide whose checklist you hold. The system terms decide whether the Act is engaged at all. The market terms decide when duties crystallise, at first making available, not at contract signature. Intended purpose and its companions decide which risk tier a system occupies, which is why purpose statements deserve careful drafting and careful reading. The machinery terms describe the provider's burden of proof, and the oversight terms describe everyone's running duties. When a compliance question stalls, the productive move is almost always to ask which defined term the disagreement is hiding inside, and then read that definition slowly. Most apparent disputes about the EU AI Act are actually disputes about one word in Article 3.

Terms People Mix Up: Quick Disambiguations

Some pairs of defined terms sound interchangeable and are not, and a large share of misreadings of the Act trace back to one of them.

Provider vs deployer: the provider builds and markets the system; the deployer uses it under its own authority. Modifying a bought tool deeply enough can turn a deployer into a provider.
Placing on the market vs putting into service: placing on the market is first supply to the EU market; putting into service covers first use for the intended purpose, including a system built only for your own use.
AI system vs GPAI model: the model is the underlying trained asset; the system is the usable product around it. Different chapters, different duties, often different companies.
Transparency vs human oversight: transparency is what people are told; oversight is what trained humans can see and stop. One is communication, the other is control.
DPIA vs FRIA: the DPIA comes from GDPR and centres on personal data; the FRIA comes from the AI Act and centres on the deployment's effect on fundamental rights. They complement each other rather than substituting.
CE marking vs registration: CE marking is the conformity mark affixed to the system; registration records the system in the EU database. A high-risk provider needs both.
Serious incident vs data breach: the serious incident is an AI Act event reported by providers, as a rule within 15 days; the personal data breach is a GDPR event notified by controllers within 72 hours.

Which Dates Attach to Which Terms

The vocabulary arrives in waves that match Article 113's staged calendar. The prohibited-practices language and AI literacy have been live since February 2, 2025. The general-purpose model vocabulary (GPAI, systemic risk, and the training-content summary) gained legal force on August 2, 2025, when the AI Office and the national authority structures also switched on. The bulk of the machinery words (conformity assessment, CE marking, EU database, FRIA, post-market monitoring, and serious incident reporting) bind for Annex III high-risk systems from August 2, 2026, alongside the Article 50 transparency duties and the requirement for each member state to run at least one regulatory sandbox. The same machinery reaches AI used as safety components in Annex I products on August 2, 2027, and models placed on the market before August 2025 must comply by that date too. When you meet a term, it is worth asking which wave it belongs to, because the answer tells you when it can be enforced against you.

Three Short Scenarios That Put the Vocabulary to Work

Scenario one: a software company adds a customer-support chatbot built on a licensed general-purpose model. In the Act's words, it becomes the provider of an AI system built on a GPAI model; the model's maker owes it downstream documentation, and the chatbot triggers the transparency duty to disclose that customers are interacting with a machine. Scenario two: an HR department buys a screening tool and asks the vendor to retune it on the company's own historical hiring data. If the change amounts to a substantial modification, or the tool is offered under the company's own name, provider duties can shift to the company; if not, it remains a deployer of a high-risk system, holding human oversight, log retention, worker information, and the affected candidates' right to an explanation. Scenario three: a non-EU analytics firm sells forecasts to EU clients. If its system's output is used in the EU, the Act reaches it despite the location, and providing a high-risk system would require an authorised representative established in the EU. In all three cases the entire analysis was performed by the defined terms themselves; that is what it means to read the definitions as a compliance map.


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.