Article 25 — Responsibilities along the AI value chain (EU AI Act)

Article 25 of Regulation (EU) 2024/1689 — Responsibilities along the AI value chain. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 25 of Regulation (EU) 2024/1689 (the EU AI Act) establishes the conditions under which parties other than the original provider assume provider-level responsibilities for a high-risk AI system. The article sits within Title III, Chapter 3, which governs obligations of providers and deployers throughout the lifecycle of high-risk AI systems.

The article specifies three triggering scenarios. First, a distributor, importer, deployer, or other third party becomes a provider — with all associated obligations under Chapter 2 of Title III — when they place a high-risk AI system on the market or put it into service under their own name or trademark. Second, provider status is assumed when a third party makes a substantial modification to a high-risk AI system. Third, a change to the intended purpose of a high-risk AI system — even without physical alteration — can trigger re-classification and re-assessment requirements.

When such a transition of responsibility occurs, the original provider is not automatically freed from liability. The Regulation requires that contractual arrangements among supply chain parties clearly delineate who holds which obligations at each stage. This ensures regulatory accountability follows the entity that exercises effective control over the system's deployment or modification. The article reinforces the broader principle that the EU AI Act assigns obligations based on the actual role and influence of each actor in the value chain, not merely on formal contractual labels.

What This Means in Practice

Article 25 has direct compliance implications for any organisation that integrates, rebrands, substantially modifies, or redeploys a third-party high-risk AI system. It prevents the common commercial practice of assuming that compliance responsibility rests exclusively with the upstream vendor.

System integrators and resellers who place a high-risk AI system on the EU market under their own brand — for example, a software company embedding a third-party AI-based credit scoring engine into its own product and marketing it under its own name — become providers under the Act. They must fulfil all obligations set out in Article 16, including conformity assessments, technical documentation, registration in the EU database, and affixing CE marking.

Companies that modify AI systems must assess whether their changes constitute a substantial modification. Retraining a model on a new dataset, altering decision thresholds in a way that changes risk profiles, or extending the system's functionality into a new domain are examples likely to trigger re-assessment. Even a purely software-level change that affects outputs in a regulated context can qualify.

Deployers who repurpose systems beyond the original intended use — for instance, using a general workplace analytics tool to make employment decisions — must evaluate whether the new use case falls under a high-risk category and, if so, whether they have effectively become the system's provider.

Practically, organisations should audit all AI systems in their stack, map the original provider's documented intended purpose, and establish internal governance processes to flag when proposed changes or new use cases approach Article 25 thresholds.

Key Obligations

• Assume provider obligations when rebranding: Any distributor, importer, or third party that markets or deploys a high-risk AI system under its own name or trademark must fulfil all provider obligations under Article 16, including technical documentation, conformity assessment, and EU database registration.
• Re-assess after substantial modification: Any party that makes a substantial modification to a high-risk AI system must treat the modified system as a new high-risk AI system, repeat the relevant conformity assessment procedure, and update all documentation accordingly.
• Re-register the system: Where provider status is assumed or a substantial modification is made, the new provider must register the system (or its modified version) in the EU database for high-risk AI systems established under Article 71.
• Review intended purpose before deployment: Deployers must verify that their use of a high-risk AI system remains within the intended purpose documented by the original provider; any material deviation must be assessed for compliance implications under Article 25.
• Maintain clear contractual allocation of responsibilities: All parties in the AI value chain — original providers, importers, distributors, and deployers — must ensure their agreements clearly allocate compliance responsibilities, especially where modifications or rebranding are anticipated.
• Retain the original provider's information: Where a third party assumes provider status, they must have access to — and maintain — all technical documentation and conformity information originally produced by the upstream provider, as this underpins their own compliance obligations.

Relationship to Other Articles

Article 25 functions as a bridge between the provider obligations defined in Article 16 (obligations of providers of high-risk AI systems) and the deployer obligations in Article 26. It ensures that the responsibilities catalogued in Article 16 — technical documentation, conformity assessment, quality management, post-market monitoring — cannot be circumvented by contractual arrangement or corporate structuring.

It must be read alongside Article 6 (classification rules for high-risk AI systems) and Annex III, which define when a system is high-risk and therefore subject to the full provider obligation regime. Article 47 (EU declaration of conformity) and Article 48 (CE marking) are directly implicated when a new provider must re-certify a modified system.

Article 71 (EU database of high-risk AI systems) is relevant because re-registration is required when provider status changes. Recital 79 provides interpretive guidance on what constitutes a substantial modification. For supply chains involving GPAI models, Articles 51–56 govern the upstream model provider's obligations, but Article 25 determines when a system integrator building on that model becomes a high-risk AI system provider in their own right.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024 (twenty days after publication in the Official Journal of the EU on 12 July 2024). Application is phased:

• 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Title II) began applying. Article 25 did not yet apply.
• 2 August 2025 — Obligations for general-purpose AI models (Title VIII, Articles 51–56) and governance provisions (Title III, Chapter 4; Title V) began applying. Article 25 did not yet apply to high-risk AI systems listed in Annex III.
• 2 August 2026 — Article 25 and the full Chapter 3 provider and deployer obligation regime apply to high-risk AI systems listed in Annex III (including biometric systems, critical infrastructure, employment, education, access to essential services, and law enforcement use cases). Organisations operating in these sectors must have governance processes, contractual frameworks, and modification-assessment procedures in place by this date.
• 2 August 2027 — Article 25 obligations extend to high-risk AI systems covered by Annex I (product safety legislation, such as medical devices and machinery), where those systems were already on the market before August 2026 and are subject to a transitional period.

Organisations should begin Article 25 compliance mapping — particularly supply chain audits and modification governance protocols — well in advance of the August 2026 deadline.