EU AI Act: Provider or Deployer? Luxembourg 5-Min Test

EU AI Act: Are You a Provider or a Deployer? The 5-Minute Self-Classification Test for Luxembourg Companies

Learn more about AI implementation in Luxembourg in our comprehensive guide.

There are eight weeks to the 2 August 2026 EU AI Act deadline. We have written about the headline deadline itself, about high-risk systems, about Article 4 literacy, about GPAI obligations, and about Article 5 prohibitions. One question has come up in every single Luxembourg compliance call we have run since March, and it is the first question you need to answer before any of the others apply to you: are you a provider or a deployer?

This is a quick reference. Five minutes, four questions, three edge cases, one defensible classification. Print it, send it to your COO, take it to your board. Then come back for the deep dives.

Why the classification matters more than anything else in the AI Act

The AI Act assigns most of its obligations by role, not by industry. The same Luxembourg company can be a provider for one AI system, a deployer for another, both for a third, and neither for a fourth. Until you know which role you hold for each of your AI systems, you cannot:

• Estimate your compliance budget
• Decide whether you need an authorised representative
• Decide whether you need a quality management system
• Decide whether you need to maintain technical documentation, post-market monitoring, or incident reporting
• Decide whether you need to register the system in the EU database

Get the classification wrong and you either over-spend dramatically on obligations that do not apply to you, or — far more dangerously — under-spend and end up unable to defend your compliance posture if a Luxembourg supervisory authority (CNPD, CSSF, ILNAS, or the Commission de surveillance du secteur financier) shows up.

The two roles, in one line each:

• Provider: you put an AI system on the EU market, or put it into service in the EU, under your own name or trademark — whether for payment or for free, and whether you developed it or had it developed.
• Deployer: you use an AI system in the course of a professional activity, under your own authority.

Both definitions are in Article 3 of the Regulation. The hard part is that the same action — wrapping GPT-5 in a chatbot on your website — can put you on either side of the line depending on five specific decisions you may not have noticed making.

The 5-minute test — four questions

Answer in order. The first "yes" wins; do not skip ahead.

Question 1 — Did you train the underlying model?

If your company actually trained the AI model from scratch — own data, own compute, own weights — you are a provider of that model. This is the one most Luxembourg SMEs answer "no" to, because the model layer is dominated by OpenAI, Anthropic, Google, Mistral, Meta, and a handful of European specialists.

If yes, the obligations are heavy: technical documentation, quality management system, conformity assessment (if high-risk), CE marking, post-market monitoring, EU database registration. Most Luxembourg companies in this position already know they are in this position.

If no, proceed to Question 2.

Question 2 — Did you fine-tune, substantially modify, or change the intended purpose of an existing model?

This is where the majority of Luxembourg companies actually live, and where the AI Act has a tightening surprise for many of them.

If you took a foundation model (GPT, Claude, Gemini, Mistral, Llama, etc.) and:

• Fine-tuned it on your proprietary data such that it now performs your specific task; or
• Substantially modified its behaviour through a wrapper that materially changes how it operates; or
• Repurposed it for a use that was not its intended purpose (e.g., took a general-purpose chat model and turned it into a medical triage system) —

then under Article 25, you can be considered a provider of the resulting AI system. Even though you did not train the base model. Even though you are paying OpenAI or Anthropic by the token.

The legal name for this is "substantial modification" or "intended purpose change." It is the single most-missed reclassification in the Luxembourg market today. We covered the model-layer side of this in our GPAI obligations piece; this is its system-layer mirror.

If yes, you are a provider for that system. Proceed no further; your obligations are provider obligations.

If no, proceed to Question 3.

Question 3 — Are you placing the AI system on the EU market under your own name or trademark?

If you are reselling, integrating, branding, or shipping an AI system as part of your own product — even if you did not train it and did not substantially modify it — you can be a provider under the Act.

The classic Luxembourg example: a fintech that ships a customer-facing AI feature inside its own product, even though the underlying chat engine is just a thin wrapper over a foundation model. From the customer's perspective, the AI feature is "the fintech's." From the AI Act's perspective, the fintech is on the market with an AI system under its own name. That is a provider position.

The same logic applies to a SaaS reselling an AI feature, a consultancy productising a workflow assistant, an accounting firm offering a co-branded AI tool to clients, or an integrator who packages an AI service under their own product name.

If yes, you are a provider. Proceed no further.

If no, proceed to Question 4.

Question 4 — Are you using an AI system in the course of your professional activity, under your own authority?

If you got here, you are almost certainly a deployer. You are using AI — you did not train it, you did not substantially modify it, you did not put it on the market under your own name — and you are using it inside your business.

Examples: a Luxembourg law firm using Microsoft Copilot to draft contracts. A wealth manager using a CRM with a built-in AI summariser. A pharmacy using a prescription-OCR product from a supplier. A real estate agency using ChatGPT Enterprise to draft listings. A fund administrator using a third-party NAV-reporting tool that ships AI inside.

Deployer obligations are materially lighter than provider obligations, but they are real: ensuring competent human oversight, monitoring use, keeping logs, conducting a fundamental rights impact assessment if you are deploying a high-risk system, ensuring Article 4 literacy for the staff using it, informing affected individuals where required.

If yes, you are a deployer. Done.

The four edge cases that catch Luxembourg SMEs out

Even with the four-question test above, four specific configurations frequently land in the wrong column. Read these carefully — they are the ones we re-classify most often during compliance scoping calls.

Edge case 1 — The "internal use only" exception that isn't

A Luxembourg company builds an AI workflow for its own internal use only. No external customers. No public-facing exposure. They assume they are a deployer because nothing leaves the building.

If they fine-tuned the model or changed its intended purpose (Question 2), they are still a provider. The "internal only" framing does not exempt you. The Act's "placing on the market" concept does have an internal-use carve-out for certain provider obligations, but the substantial-modification trigger is independent. Get the Question 2 answer right first.

Edge case 2 — The white-labelled SaaS

A Luxembourg SME white-labels a third-party AI tool, brands it as their own, and offers it to clients. The third-party SaaS bears the technical burden — but the white-labeller is the one putting it on the market under their own name or trademark (Question 3). Both companies can be providers of the same system from a regulatory perspective, with overlapping obligations.

Edge case 3 — The "we're just using ChatGPT" assumption

A Luxembourg firm deploys ChatGPT Enterprise across the company, builds a custom GPT (with system prompt, tool integrations, and a knowledge base), and offers it to all staff. They assume they are a deployer.

If the custom GPT changes the intended purpose, or if the system-prompt + tool + knowledge-base wrapper constitutes a substantial modification, they may have crossed into provider territory under Question 2 — even though they are paying OpenAI per token. The European AI Office guidance on this is still maturing, but the cautious posture for now is: a custom GPT with a non-trivial system prompt and tools should be assessed against the substantial-modification test, not waved through as "just a wrapper."

Edge case 4 — The MeluXina-hosted or private deployment

A Luxembourg company deploys an open-weight model (Mistral, Llama, Qwen, DeepSeek) on MeluXina or a private cluster, with their own fine-tuning, their own serving stack, their own API. This is unambiguously a provider position — you have effectively built and shipped an AI system. The private deployment piece covers the architectural side; the regulatory side here is: full provider obligations apply, including conformity assessment if the system is high-risk under Annex III.

What to do with your classification — by Tuesday morning

For every AI system your company uses or ships, write down on one page:

1. System name (the internal name your team uses)
2. Classification (provider, deployer, both, or to be re-assessed)
3. Question that triggered the classification (1, 2, 3, or 4) and a one-line evidence note
4. High-risk? (yes / no / not yet determined — see the high-risk guide)
5. Owner (named person — Article 4 literacy applies to them; Article 26 deployer obligations also assign to a named person)

This page is your AI Act register. With 8 weeks to 2 August, every Luxembourg company should hold this register at board level. If you do not have it, the fastest path is a 2–3 hour internal workshop using the four-question test above, plus this article and the August deadline piece as the reference material.

The four things that will still surprise you

Even after the classification, four practical patterns to keep on your radar:

• Your classification can change. The moment you fine-tune, re-purpose, or rebrand an AI system, you can move from deployer to provider on the same Tuesday. The classification is per-system and per-version, not per-company.
• Both classifications can apply to the same company across systems. A Luxembourg fintech is typically a provider for its customer-facing AI feature and a deployer for the AI tools it uses internally. The compliance register lists both.
• Article 4 literacy applies to both. Whichever side of the line you sit on, the literacy obligation under Article 4 applies. See our literacy implementation piece.
• Article 5 prohibitions apply to both. Whichever side you sit on, the prohibitions in Article 5 are absolute. The Article 5 sweep we published applies to your provider systems and your deployer systems.

What we actually do

We run a 1-week AI Act self-classification engagement: 2 working sessions to build the register, 1 working session to validate against Articles 25, 26, and Annex III, and one written one-page register signed off by the COO and the DPO. The output is the document you take to your board on the Tuesday morning before 2 August, and the document you put in front of a Luxembourg supervisory authority on the day they ask.

If your AI Act register still does not exist with 8 weeks to go, book a 1-week self-classification sprint. You leave with a defensible per-system classification, a list of follow-up obligations sized to your role, and a clear answer to the question "what do we own under the AI Act, and what does our vendor?"

Related reading:

• EU AI Act GPAI rules: your Luxembourg 2026 checklist
• EU AI Act August 2026 deadline: Luxembourg compliance
• EU AI Act high-risk systems: Luxembourg compliance
• EU AI Act Article 4 literacy duty for Luxembourg
• EU AI Act Article 5 prohibited practices in Luxembourg
• AI Knowledge Hub — 20 More Resources