Regulation (EU) 2024/1689 distinguishes between providers (Art. 3(3)) — those who develop an AI system and place it on the market — and deployers (Art. 3(4)) — those who use the system under their authority. Each role has its own obligations: Art. 16 lists 12 provider obligations for high-risk AI; Art. 26 lists 11 deployer obligations. Article 25 sets out three cases where a deployer, distributor, importer or third party is considered a provider — and inherits the full Article 16 load. Both roles face the same penalty tier under Art. 99(4): up to €15M or 3% of worldwide turnover.
€249 one-time payment · 12 PDF documents in ZIP · 45 minutes · 100% in your browser
The provider builds and places on the market. The deployer uses under its authority for a professional activity. The distinction is sharp on paper but blurs quickly in practice — especially when you fine-tune, repackage or rebrand.
(a) Section 2 requirements compliance · (b) name/contact identification · (c) QMS under Art. 17 · (d) keep Art. 18 documentation 10 years · (e) keep logs · (f) Art. 43 conformity assessment · (g) Art. 47 EU Declaration of Conformity · (h) Art. 48 CE marking · (i) Art. 49 registration · (j) Art. 20 corrective actions · (k) demonstrate conformity on request · (l) accessibility (Directives (EU) 2016/2102 and 2019/882).
26(1) use as per instructions · 26(2) assign human oversight to competent persons · 26(4) control input data relevance · 26(5) monitor operation + report serious incidents · 26(6) keep logs at least 6 months · 26(7) inform workers' representatives before workplace use · 26(8) public-authority registration · 26(9) reuse Art. 13 info for Art. 35 GDPR DPIA · 26(10) ex-ante authorisation for post-remote biometric ID by law enforcement · 26(11) inform natural persons subject to Annex III decisions.
Article 25 — three cases where a deployer becomes a provider and inherits the full Article 16 load:
Art. 25(2): when any of the three cases occur, the original provider no longer holds Art. 16 obligations for that specific system — but must cooperate with the new provider and make available the necessary information and reasonable technical access to enable conformity assessment, unless the original provider had clearly specified that its system was not to be transformed into a high-risk AI system. Art. 25(3): for Art. 6(1) Annex I systems, the product manufacturer is considered the provider when the AI is placed on the market under its brand.
No — integrating someone else's AI system or GPAI model into your product makes you the provider of the AI system you build, not of the integrated model. Art. 25(1)(c) only flips you to provider of the upstream component if you modify the intended purpose of that component such that it becomes high-risk. Routine integration with a stated, unchanged intended purpose keeps you as deployer of that component.
Art. 26 imposes 11 paragraphs of substantive obligations including human oversight (26.2), log retention of at least 6 months (26.6), incident reporting under Art. 73 (via 26.5), worker information (26.7), and Annex III decision-subject notification (26.11). Breaches sit in the same Art. 99(4) penalty tier as provider obligations: €15M / 3%.
Art. 3(23) defines substantial modification as a change not foreseen in the initial conformity assessment AND either affecting compliance with Section 2 OR modifying intended purpose. Fine-tuning a model on your own customer data, retraining on a new domain, or changing the deployment context to a new Annex III use case can all be substantial modification — without rewriting any code.
Answer these four questions to determine your obligations.
12 PDF documents generated from your inputs. Each cites the article of Regulation (EU) 2024/1689 it fulfils.
Identifies whether your system is prohibited (Art. 5), high-risk (Art. 6 + Annex III) or subject to transparency obligations (Art. 50).
The 9 blocks of Annex IV in full: system description, training data, validation, performance metrics, risk management, human oversight. Art. 11 + Annex IV.
Signable document conforming to Art. 47 and Annex V.
Key application dates: 2 Feb 2025, 2 Aug 2025, 2 Aug 2026, 2 Aug 2027. Art. 113.
Executive summary of compliance status for authorities or commercial buyers. Art. 43 procedure.
QMS structure covering the 13 aspects required by Art. 17.
Document for the entity deploying your system, conforming to Art. 13.
Verifiable evidence list, cross-referenced to every Annex IV block.
Notification protocol conforming to Art. 73 (15 days general / 10 days death / 2 days widespread).
Training plan conforming to Art. 4, in force since 2 February 2025.
Plan structure required by Art. 72 and integrated into the technical documentation under Annex IV(9).
Template under Art. 27 for public bodies, private entities providing public services, and Annex III 5(b)(c) deployers.
See before you buy — Download a sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your inputs, in your browser. No data leaves your machine.
12 documents. 45 minutes. €249. The documentation your system needs before being placed on the market.
If your system falls under Art. 43(1) (Annex III point 1 biometrics with notified-body route, or Annex I products), you will need third-party conformity assessment. That is a separate process. AICheck does not replace it.
We do not sell audits. We do not sell consultancy. We sell the tool that structures your documentation under Annex IV.
Article 99 of Regulation (EU) 2024/1689. Chapter XII (Penalties) applies from 2 August 2025.
Art. 99(3). Up to €35 million or 7% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups: whichever is lower (Art. 99(6)).
Art. 99(4). Includes failure to draw up technical documentation under Art. 11 + Annex IV. Covers obligations of providers (Art. 16), deployers (Art. 26), authorised representatives (Art. 22), importers (Art. 23), distributors (Art. 24), notified bodies (Art. 31, 33, 34) and transparency under Art. 50.
Art. 99(5). Applies when information provided to notified bodies or national competent authorities is wrong or misleading.
If you operate multiple AI systems and need to document them all under Annex IV, contact us for volume pricing at hello@solidwaretools.com.
Request volume pricingAICheck produces a document structured under Article 11 and Annex IV of Regulation (EU) 2024/1689 from the information you provide. The accuracy, truthfulness and completeness of that information is your responsibility as provider of the AI system.
We guarantee that the document structure follows Article 11 and Annex IV of Regulation (EU) 2024/1689 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a given case, nor by a commercial buyer in a procurement process.
AICheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.
Twelve documents. Annex IV fully structured. Regulation (EU) 2024/1689. Your data does not leave your machine. The ZIP you download is yours to keep.