The organization should establish and maintain a documented assessment procedure to determine whether it qualifies as a provider of a high-risk AI system under Article 25 of the AI Act. This assessment should be conducted whenever the organization places its name or trademark on a high-risk AI system developed by another entity, performs a substantial modification to an existing high-risk AI system that remains high-risk pursuant to Article 6, or modifies the intended purpose of an AI system in a manner that results in its classification as high-risk.

The procedure should also cover cases where the organization manufactures a product incorporating a high-risk AI system that qualifies as a safety component under EU harmonisation legislation listed in Section A of Annex I.

In such cases, the product manufacturer should be treated as the provider where:

• The high-risk AI system is placed on the market together with the product under the name or trademark of the product manufacturer, or
• The high-risk AI system is put into service under the name or trademark of the product manufacturer after the product has been placed on the market.

Where provider status is triggered, the organization should implement the full set of provider obligations under Article 16, including conformity assessment, technical documentation, risk management, and post-market monitoring. The allocation and transfer of responsibilities should be formally documented whenever such a change occurs.

If the organization becomes the provider of a high-risk AI system previously placed on the market, it should establish cooperation arrangements with the initial provider to obtain all necessary technical documentation, technical access, and other reasonably required assistance to ensure compliance with the Regulation. It should be verified whether the initial provider has explicitly restricted modification of the AI system into a high-risk system. All determinations, contractual arrangements, and supporting evidence should be retained.