Steffen Groß

Jakob Riediger

Before classifying the specific role of your own company, it is important to assess whether it is an AI system within the meaning of the AI Act or just conventional software. This is because the obligations of the AI Regulation only apply in the case of an AI system. 

Determining the definition of an AI system was one of the most controversial issues in the development of the legislation. In the end, the definition in Art. 3 No. 1 of the AIA was chosen: 


- According to this, AI system is *“a machine-based system that is designed to operate autonomously to varying degrees and that can be adaptive once operational and that derives from the inputs received for explicit or implicit goals how to produce outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments”*.

This is criticized for being too broad a definition that does not allow a clear distinction from conventional software. Recital 12 of the AIA should therefore be consulted in addition. This states:  
- *“An essential characteristic of AI systems is their ability to infer.”*

The central demarcation criterion is therefore the ability to “derive”. Simple software therefore obviously falls outside the scope of the AI Regulation. In the case of particularly complex software, however, it still seems difficult to draw a clear boundary. The use of *“hybrid AI systems with deep learning elements”* could be cited as an example.  

In these borderline cases, the specific circumstances of the individual case must be carefully considered and a balancing decision made.

::call-to-action{type="AI_SYSTEM_CLASSIFICATION_TOOL_SERVICE_PAGE"}

AI system or conventional software? 

If an AI system is present, it must be assessed whether the company is to be classified as a provider or deployer. This is because the AI Regulation links different obligations to this. While the term “user” was still used in the draft stage, the term “deployer” was ultimately agreed upon.
In legal terms, the distinction is to be made on the basis of the definitions in Art. 3 AIA.

**Art. 3 No. 3 AIA: Provider**
For companies, the question arises as to whether they already become a provider in the course of implementing an AI system.According to Art. 3 No. 3 AIA, a provider is “a natural or legal person, public authority, agency or other body which develops, or has developed, an AI system or an AI model with a general purpose and markets it under its own name or trademark or puts the AI system into service under its own name or trademark, whether in return for payment or free of charge”. 

The existence of supplier status must therefore be determined on the basis of a 2-step process: the company must (1) develop the AI system or have it developed, and (2) place the AI system on the market or put it into operation (“and”). 

At the first level, classification as a supplier therefore requires that the company has had the AI system developed. In this respect, the question regularly arises as to whether an AI system has already been developed or whether only an existing AI system is used. In abstract terms, this can be based on the definition of an AI system in Art. 3 No. 1 AIA: the development of an AI system is therefore assumed if it is not only based on an existing derivation, but also creates its own derivation function. 

If the system is developed or has been developed, it must be placed on the market or put into service at the second level. 
The term “putting into service” is defined in Art. 3 No. 11 AIA and also includes the personal use of the system. This means that companies that commission third-party development of the system for internal use only also become providers.  The company can therefore only avoid being classified as a provider if the operation of the system is also left to a third party. 

Similarly, in the case of placing a system on the market (Art. 3 No. 9 AIA), it is sufficient to have an AI developed by a third party and to place it on the market under its own name. 
As the providers are the main addressees of the requirements of the AI Regulation, it may be advantageous to commission the third party to operate the system in addition to developing it.  In this respect, contractual and corporate structuring options become relevant. 

**Art. 3 No. 4 AIA: Deployer**
If the company is not a provider, the question of deployer obligations arises. 
According to Art. 3 No. 4 AIA, an deployer is “a natural or legal person, public authority, agency or other body which uses an AI system under its own responsibility, unless the AI system is used in the course of a personal and non-professional activity”.

According to the wording of the definition (“own responsibility”), employees are not included. 
Private individuals who do not use the system for professional purposes are also excluded from the scope of application. An example of this would be the private use of ChatGPT.  

In addition, companies, unless they are providers, generally become deployers by using the system under their own responsibility. 

Provider or deployer? 

As the AI Regulation follows a risk-based approach, the type of AI system must be assessed following the classification of the personal role (provider or deployer). This is because the higher the degree of criticality of the system used or its deployment scenario, the more comprehensive the obligations set out in the regulation. 
In this respect, the regulation differentiates between: Prohibited practices; High-risk AI systems; Specific AI systems and general-purpose systems.  

[See in detail in this article.](https://simpliant.eu/insights/the-ai-act-is-here-the-european-approach-to-regulating-artificial-intelligence)


Degree of criticality

**Case study**
Y-GmbH uses a GPT chatbot to communicate with customers on its own website. It uses a GPT wrapper to implement the chatbot on its website. What role does Y-GmbH play? 

**Step 1: AI-System or standard software?**
The GPT chatbot is an AI system within the meaning of Art. 3 No. 1 AIA. It is a machine-aided system that is designed for autonomous operation, can be adaptable and can derive outputs from received inputs based on explicit goals. In contrast, it is not conventional software. This opens up the material scope of application of the AI Regulation. 

**Step 2: provider or deployer?**
It is questionable whether Y-GmbH is the provider or deployer of the AI system. Classification as a provider would require that Y-GmbH (1) has developed the system or has it developed and (2) places it on the market or puts it into operation in its own name. Even if the system could be put into operation, a supplier status is ruled out in the present case because the company did not develop the system itself and the development was not commissioned. 
In particular, it is not sufficient for the development of the AI system to integrate the GPT chatbot on its own website by using a GPT wrapper. This is because Art. 3 No. 3 AIA is linked to the development of the AI system itself. This is the GPT chatbot as such.
As a result, Y-GmbH has the status of an deployer in that it uses the AI system under its own responsibility. 

**Step 3: Degree of criticality**
The third step would be to classify the degree of criticality in order to derive the specific duties to act. 



Case study: Use of a company chatbot 

(1)	Chibanguza/Steege NJW 2024, 1769.

(2)	Steege/Chibanguza Metaverse-HdB § 8 Rn. 27 f.

(3)	Steege MMR 2022, 926.


Sources

Provider or deployer? On the correct classification of a company's role under the AI-Act 

Anbieter oder Betreiber? KI-VO

Data protection basics for employees

Introduction

Basic terminology

GDPR applicability and key actors

Principles

Data subject rights

Quick action in the event of data breaches is critical.

Data breaches

Learn how to transfer data securely to third parties.

Data transfer to third parties and international data transfers

How companies organize data protection with a RoPA.

Record of Processing Activities (RoPA)

How confident are you in dealing with data protection?

Final test

The 'Data protection basics for employees' training offers you an overview of the essential aspects of the GDPR. From the identification of personal data to your responsibilities in everyday work, the course prepares you for data protection compliant actions.

In addition to theoretical basics, there are practical exercises and a final test. This training is ideal for all employees who want to handle personal data safely and in compliance with the law.

Information security for employees

Basic terms

Information worth protecting and risks

Organization of IT security

Secure data, whether organizationally or technically.

IT security measures

Protect data, on-premise and in the cloud.

Physical security

Password security

Mobile work

From digital to analog: Information risks lurk everywhere.

Safe handling of storage media and information

Links and attachments? Check first, then click.

Social engineering and phishing

True or False? Test your security knowledge.

In 'Information security for employees', you'll deepen your understanding of how to protect information in an increasingly connected world.

From the basics of data security, whether on-premise or in the cloud, to practical tips for securely handling links and attachments.

This training provides a comprehensive look at IT security challenges and solutions in the work environment.

We simplify
Data Protection

Provider or deployer? On the correct classification of a company's role under the AI-Act

360° Data Protection Consulting

We simplify Data Protection

Provider or deployer? On the correct classification of a company's role under the AI-Act

360° Data Protection Consulting

We simplify
Data Protection