Importer, Distributor, and Role-Switching Obligations
Understanding the supply chain obligations under Articles 23-25 for importers, distributors, and when actors become providers.
Importer, Distributor, and Role-Switching Obligations (Articles 23-25)
Learning Objectives
By the end of this chapter, you will be able to:
- Identify all importer obligations under Article 23
- Identify all distributor obligations under Article 24
- Understand when importers, distributors, or deployers become providers under Article 25
- Implement supply chain compliance measures for AI systems entering the EU market
The EU AI Act extends compliance obligations beyond providers and deployers to cover the entire AI supply chain. Importers (Article 23) and distributors (Article 24) play critical gatekeeping roles, while Article 25 ensures no actor can escape provider-level obligations by restructuring their role.
Importer Obligations (Article 23)
Who is an Importer?
Article 3(6): An importer is any natural or legal person located or established in the Union that places on the market a high-risk AI system that bears the name or trademark of a natural or legal person established in a third country (outside the EU).
The Gatekeeper Role
Importers are the EU's first line of defence against non-compliant AI entering the market. Before placing a high-risk AI system on the EU market, importers must verify the provider has done their job.
Complete Importer Obligations
| Obligation | Article | Requirements |
|---|---|---|
| Verify conformity assessment | Article 23(1) | Ensure the appropriate conformity assessment procedure has been carried out by the provider |
| Verify technical documentation | Article 23(1) | Ensure the provider has drawn up technical documentation per Annex IV |
| Verify CE marking | Article 23(1) | Ensure the AI system bears CE marking |
| Verify EU Declaration of Conformity | Article 23(1) | Ensure the provider has drawn up the EU declaration of conformity |
| Verify authorised representative | Article 23(1) | Ensure the provider has appointed an authorised representative per Article 22 |
| Non-compliance refusal | Article 23(2) | Do NOT place the system on the market if there are reasons to believe it does not comply |
| Inform provider and authorities | Article 23(2) | If non-compliant, inform the provider and market surveillance authorities |
| Own identification | Article 23(3) | Indicate name, registered trade name or trademark, and contact address on the AI system or packaging |
| Storage conditions | Article 23(4) | Ensure storage and transport conditions do not jeopardise compliance |
| Record keeping | Article 23(5) | Keep a copy of the EU Declaration of Conformity for 10 years after the AI system has been placed on the market |
| Provide information on request | Article 23(6) | Provide all necessary information and documentation to demonstrate conformity when requested by competent authorities |
| Cooperate with authorities | Article 23(7) | Cooperate with competent authorities on any action taken to address risks |
Importer Due Diligence Checklist
Before placing any high-risk AI system on the EU market:
- Conformity assessment procedure completed by provider
- Technical documentation (Annex IV) prepared by provider
- CE marking affixed to AI system
- EU Declaration of Conformity obtained from provider
- Authorised representative appointed by provider (Article 22)
- Own name and contact details on system or packaging
- Storage and transport conditions verified
- Copy of EU Declaration of Conformity filed (10-year retention)
Compliance Note
If at any point after placing on the market, the importer considers or has reason to consider the AI system **not in conformity**, they must immediately take corrective action (bring into conformity, withdraw, or recall) and inform the provider and market surveillance authorities.
Distributor Obligations (Article 24)
Who is a Distributor?
Article 3(7): A distributor is any natural or legal person in the supply chain, other than the provider or the importer, that makes a high-risk AI system available on the Union market.
Complete Distributor Obligations
| Obligation | Article | Requirements |
|---|---|---|
| Verify CE marking | Article 24(1) | Before making available, verify the system bears CE marking |
| Verify EU Declaration | Article 24(1) | Verify it is accompanied by the EU Declaration of Conformity |
| Verify provider identification | Article 24(1) | Verify the provider has complied with Article 16, points (b) and (c) (name/address and quality management system) |
| Verify importer identification | Article 24(1) | Where applicable, verify the importer has complied with Article 23(3) |
| Non-compliance action | Article 24(2) | If system appears non-compliant, do NOT make available until brought into conformity; inform provider/importer and market surveillance authorities |
| Storage conditions | Article 24(3) | Ensure storage and transport do not jeopardise compliance while under responsibility |
| Corrective action | Article 24(4) | If system is non-compliant after making available, take corrective action to bring into conformity, withdraw, or recall; inform provider, importer, and authorities |
| Provide information | Article 24(5) | Provide all information and documentation needed to demonstrate conformity on request |
| Cooperate with authorities | Article 24(6) | Cooperate with competent authorities on any risk-addressing actions |
Distributor Verification Checklist
Before making any high-risk AI system available:
- CE marking present on the system
- EU Declaration of Conformity accompanies the system
- Provider name, trade name, and contact information visible
- Importer identification visible (if applicable)
- Storage and transport conditions appropriate
💡 Note: Distributors have lighter obligations than importers — they primarily verify documentation rather than conducting deep due diligence. However, they must still halt distribution if non-compliance is suspected.
Role-Switching: When Others Become Providers (Article 25)
The Most Critical Provision for Supply Chain Actors
Article 25 ensures that any actor who effectively takes on provider-like responsibilities cannot escape provider obligations simply by being classified as an importer, distributor, or deployer.
Triggers for Becoming a Provider
| Trigger | Article | What Happens |
|---|---|---|
| Putting own name/trademark | Article 25(1)(a) | Importer, distributor, or deployer who places their name or trademark on a high-risk AI system already on the market becomes provider for that system |
| Substantial modification | Article 25(1)(b) | Any actor who makes a substantial modification to a high-risk AI system already on the market becomes provider for that system |
| Changing intended purpose | Article 25(1)(c) | Any actor who modifies the intended purpose of an AI system (including a GPAI system) that is not already high-risk, causing it to become high-risk, becomes provider |
What "Substantial Modification" Means
Article 3(23) defines substantial modification as a change to an AI system after its placing on the market or putting into service, which:
- Is not foreseen or planned by the provider, AND
- Affects compliance with the requirements of the AI Act, OR
- Results in a modification to the intended purpose
| Example Modification | Substantial? | Reasoning |
|---|---|---|
| Retraining a model on entirely new data | Likely yes | Affects accuracy, robustness, bias profile |
| Minor parameter tuning per provider instructions | No | Foreseen by provider |
| Changing the AI from HR screening to credit scoring | Yes | Changes intended purpose and risk category |
| Updating software per provider maintenance schedule | No | Foreseen and planned by provider |
| Adding new decision categories not in original design | Likely yes | Not foreseen, affects compliance |
Consequences of Becoming a Provider
When Article 25 is triggered, the new provider must:
- Assume all provider obligations under Articles 16-22
- The original provider is released from provider obligations for that specific system
- The original provider must provide all necessary information and technical access to enable the new provider to comply
- The new provider must conduct a new conformity assessment if the modification affects compliance
Information Obligations (Article 25(2))
When role-switching occurs under Article 25(1), the original provider must cooperate with the new provider by providing:
| Obligation | Scope |
|---|---|
| Provide information | Necessary information, technical access, and other assistance |
| Enable compliance | Allow the new provider to meet its obligations |
Written Agreements (Article 25(4))
Article 25(4) requires written agreements between providers and third-party suppliers of components, tools, services, or processes used in high-risk AI systems:
| Obligation | Scope |
|---|---|
| Supply chain agreements | Written agreements covering provision of necessary information, capabilities, and technical access |
| Contractual terms | Agreements enabling the provider to comply with its obligations under the AI Act |
Compliance Note
This provision is frequently underestimated. Customising a vendor's AI system — even with good intentions — can trigger full provider obligations. Always assess modifications against Article 25 before implementation.
Practical Implications for Supply Chain Management
Supply Chain Compliance Matrix
| Role | Key Pre-Market Checks | Ongoing Obligations | Record Retention |
|---|---|---|---|
| Importer | Conformity assessment, CE marking, tech docs, authorised rep | Corrective action, authority cooperation | 10 years |
| Distributor | CE marking, EU Declaration, provider/importer identification | Halt if non-compliant, authority cooperation | As required |
| Deployer (standard) | Use per instructions, human oversight | Monitoring, log retention (6 months min) | 6 months min |
| Deployer→Provider | Full conformity assessment if Art. 25 triggered | All provider obligations (Art. 16-22) | 10 years |
Contractual Framework
When engaging with the AI supply chain, ensure contracts address:
- Role clarity (who is provider, importer, distributor, deployer)
- Information flow obligations (Art. 25(2)-(3))
- Modification notification requirements
- Access to technical documentation
- Corrective action responsibilities
- Liability allocation for non-compliance
- Cooperation with authorities
What You Learned
Key concepts from this chapter
**Importers** are gatekeepers — they must verify provider compliance before EU market placement
**Distributors** have lighter but still mandatory verification duties
**Article 25** is the "role-switching" provision — modifying, rebranding, or repurposing AI can trigger full provider obligations
Record retention for importers is **10 years** after market placement
Non-compliance at any point triggers obligation to halt distribution and inform authorities
Chapter Complete
High-Risk AI Compliance
11/14
chapters