EU AI Act Deployer Obligations: What Article 26 Actually Requires
Article 26 EU AI Act: deployer duties for high-risk AI. Follow instructions, assign oversight, keep 6-month logs, notify workers. Deadline 2 Dec 2027.
If your company uses a high-risk AI system bought from a vendor — an applicant-screening tool, a credit-scoring model, an insurance-underwriting engine — you are a deployer under Regulation (EU) 2024/1689. That role comes with its own set of obligations under Article 26. They are lighter than the provider's obligations, but they are not optional, and some of them bite in ways that are easy to miss.
This article walks through each Article 26 duty in practical terms, flags the role-shift trap in Article 25, explains who actually owes a Fundamental Rights Impact Assessment under Article 27, and sets out the correct penalty exposure and deadline.
What "deployer" means under the EU AI Act
Article 3(4) defines a deployer as any natural or legal person using an AI system under its authority in a professional context. The key words are using and under its authority. A recruitment firm that runs a vendor's CV-screening model on its own systems is a deployer. So is a public benefit office using a third-party eligibility-scoring tool.
Most companies are deployers, not providers. If you bought or licensed the AI system rather than building it yourself, you almost certainly sit in the deployer role. That matters because Article 26 — not the heavier provider stack of Articles 9–17 — governs what you must do.
One important exception: Article 25 creates a role-shift trap. If you put your own name or trademark on a third-party high-risk system, substantially modify it, or change its intended purpose, you become a provider and inherit the full provider obligations (conformity assessment under Article 43, technical documentation under Article 11, a quality management system under Article 17). Before you customise a vendor model or brand it as your own product, check whether the modification is substantial enough to trigger Article 25.
The Article 26 obligations, one by one
Follow the instructions for use
Article 26 requires deployers to use a high-risk AI system in accordance with the provider's instructions for use. This is not bureaucratic box-ticking. The instructions define the scope of the system's validated performance — the data types, use cases, and populations the provider tested against. Deploying a model outside those boundaries means the provider's conformity assessment no longer covers what you are doing, and the risk shifts to you.
A regional lender that buys a creditworthiness model validated on consumer loans and then applies it to commercial loan applications is no longer operating within the provider's instructions. If the model produces discriminatory outputs in that new context, the lender cannot point to the provider's Declaration of Conformity as a defence.
Assign human oversight to competent persons (Article 14)
Article 26 cross-references Article 14, which requires deployers to assign human-oversight tasks to natural persons who have the competence, authority, and resources to carry them out. "Competence" is not satisfied by handing the job to whoever happens to manage the system. The person must understand the system's capabilities and limitations, be able to interpret its outputs critically, and have genuine authority to suspend or override.
For a 60-person HR team using an automated shortlisting tool: the oversight function should rest with someone who understands what the model was trained on, which demographic patterns it may replicate, and how to spot an output that warrants rejection. A hiring manager under pressure to fill roles quickly is not automatically a competent oversight person under Article 14 — your internal designation needs to reflect that honestly.
Ensure input data is relevant and representative
Where deployers control the input data fed to the system, Article 26 requires them to ensure that data is relevant and representative for the intended purpose. Providers govern training data under Article 10; deployers govern operational inputs. If your organisation feeds the model stale, skewed, or unrepresentative data, the obligation is yours.
Monitor operation and report risks
Article 26 requires deployers to monitor the operation of the system. If monitoring reveals a risk to health, safety, or fundamental rights — or a serious incident — Article 26 obliges the deployer to inform the provider and, where applicable, the market surveillance authority under Article 79(1). Suspension of use is required if the risk is serious and cannot be mitigated.
"Serious incident" is defined in Article 3(49): an incident that directly or indirectly causes or risks causing death, serious health damage, or serious infringement of fundamental rights. Do not wait for a regulator to tell you the threshold has been crossed — establish an internal incident-review process now.
Keep logs for at least six months
Article 26 requires deployers to keep the logs automatically generated by the system for at least six months, unless EU or national law sets a longer period. Six months — not three years. The old article on this page said three years; that figure does not appear in the Act.
Deployers do not generate the logs themselves; high-risk systems are required by Article 12 to produce logs automatically. Your obligation is to retain them and make them available to competent authorities on request.
Inform workers and their representatives before workplace deployment
Article 26 applies where a deployer uses a high-risk AI system in the workplace. Before deployment, you must inform workers' representatives — and, to the extent required by national law, the workers themselves — about the deployment. This obligation is separate from any GDPR transparency requirement. It applies at the point of deployment, not only if the system changes.
A distribution company that plans to use an AI-based task-allocation system for warehouse staff must notify worker representatives before the system goes live. The notification must be meaningful enough to allow genuine engagement, not a three-line email issued on the day of launch.
Public-authority registration (Article 49)
If you are a public body or a body exercising public powers deploying a high-risk AI system, Article 49 requires registration in the EU database for high-risk AI systems before or at the point of use. This is a separate requirement from the provider's registration obligation. Private-sector deployers do not owe this, but any public authority or publicly mandated body does.
Transparency under Article 50
Where a deployer uses an AI system that interacts with natural persons — for example a chatbot that handles citizen queries — Article 50 requires the deployer to ensure affected persons are informed they are interacting with an AI system, unless it is obvious from context. Article 50 transparency duties apply from 2 August 2026 and are distinct from the high-risk Article 26 obligations.
GDPR DPIAs: use the Article 13 information
Article 26 provides that deployers who are also data controllers must use the information provided by the provider under Article 13 to conduct any GDPR Data Protection Impact Assessment (DPIA) required by Article 35 of the GDPR. The Article 13 documentation — covering the system's logic, training data characteristics, and risk indicators — is designed to feed directly into a DPIA. If your procurement process does not include obtaining Article 13 documentation from the provider, you cannot discharge this cross-regulatory obligation.
Cooperate with authorities
Deployers must cooperate with market surveillance authorities on request: providing access to logs, documentation, and information about how the system is used. Article 26 sets out this duty. It is not discretionary.
Who owes a Fundamental Rights Impact Assessment (Article 27)?
Article 27 is frequently misread as a general deployer obligation. It is not. The FRIA applies to two specific categories:
- Public bodies and bodies exercising public powers deploying high-risk AI systems.
- Deployers of systems in Annex III point 5(b) (creditworthiness scoring / credit scoring, excluding fraud detection) and point 5(c) (life and health insurance risk assessment and pricing).
Private employers using recruitment or workforce-management AI — even systems that are high-risk under Annex III point 4 — do not automatically owe a FRIA under Article 27. The FRIA is specifically for contexts where the combination of public authority or essential financial services creates elevated fundamental-rights exposure.
If you are a public-sector employer or a lender or insurer falling within 5(b) or 5(c), the FRIA must be conducted before deployment and made available to the competent authority on request. The assessment must identify the systems and their purpose, the geographic and time scope, the relevant persons and groups likely to be affected, and specific risks to fundamental rights — with concrete mitigation measures documented.
The deadline and penalty exposure
Under the Digital Omnibus agreed in May 2026, the application date for stand-alone high-risk Annex III systems is 2 December 2027. The original August 2026 date has been deferred. High-risk AI embedded in regulated products (Annex I) follows on 2 August 2028.
Article 50 transparency obligations (limited-risk / chatbots / synthetic content) apply from 2 August 2026 and were not deferred.
For deployers who fail to meet Article 26 obligations, the penalty ceiling under Article 99(4) is €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. For companies that qualify as SMEs or start-ups, Article 99(6) caps the fine at the lower of the fixed amount or the percentage — a meaningful protection for smaller companies, but not a reason to deprioritise compliance.
The December 2027 deadline gives you time to build a proper programme. It does not give you time to start late. A six-month log retention obligation, worker notification procedures, and a functioning human-oversight structure all require preparation that runs ahead of the deadline, not behind it.
How Confir helps
Confir's rule-based engine classifies each system you deploy against Articles 5 and 6 (with Annex III logic), derives your role as deployer (or flags an Article 25 role-shift), and generates a structured compliance task list that maps to your specific obligations under Article 26. For deployers that owe a FRIA under Article 27, Confir runs the full assessment workflow. The system registers deployed systems in your organisation's AI inventory, tracks log-retention obligations, and produces an audit trail of oversight decisions — all without AI inference: the same intake produces the same finding every time.
Frequently Asked Questions
Who qualifies as a deployer under the EU AI Act?
Any organisation — private company, public body, non-profit — that uses a high-risk AI system in a professional context under its own authority is a deployer under Article 3(4). If you licensed or purchased the system rather than building it from scratch, and you have not substantially modified it or put your own name on it, you are almost certainly a deployer. The deployer role carries the Article 26 obligations rather than the heavier provider stack.
What is the Article 25 role-shift trap, and how do I avoid it?
Article 25 converts a deployer into a provider if you place your own name or trademark on a third-party high-risk system, substantially modify it, or change its intended purpose after deployment. If that happens, you inherit the full provider obligations: conformity assessment (Article 43), technical documentation (Article 11), a quality management system (Article 17), and registration (Article 49). Avoid the trap by keeping vendor systems within their validated scope and not rebranding them as your own product without a legal review of whether the change is substantial.
Does every deployer need a Fundamental Rights Impact Assessment?
No. Article 27 requires a FRIA from two specific groups: public bodies and bodies exercising public powers deploying any high-risk system, and private-sector deployers of creditworthiness-scoring (Annex III point 5(b)) or life/health-insurance risk-assessment systems (Annex III point 5(c)). Private employers using AI for recruitment or workforce management — Annex III point 4 systems — do not automatically owe a FRIA under Article 27, though they remain subject to all other Article 26 obligations.
How long must deployers keep system logs?
Article 26 requires a minimum retention period of six months for logs automatically generated by the high-risk AI system, unless EU or national law requires a longer period. The logs are produced by the system itself under Article 12; the deployer's obligation is to retain them and make them available to competent authorities on request.
When must we notify workers before deploying a workplace AI system?
Article 26 requires informing workers' representatives — and where national labour law requires, the workers themselves — before the deployment of a high-risk AI system in the workplace. This is a pre-deployment obligation. It applies to each deployment, not only when the system changes or a new system is introduced. National law in some Member States imposes additional consultation requirements beyond the Act's baseline.
What is the correct penalty for a deployer that breaches Article 26?
Breaches of Article 26 fall under Article 99(4) of the Regulation: a maximum fine of €15,000,000 or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the two figures. There is no €20 million or 4% tier — those figures do not exist in the Act.
When do Article 26 obligations actually apply?
For stand-alone high-risk Annex III systems, the application date is 2 December 2027 under the Digital Omnibus agreed in May 2026. For high-risk AI embedded in regulated products (Annex I), it is 2 August 2028. Article 50 transparency obligations (chatbots, synthetic content) are not deferred and apply from 2 August 2026. Article 5 prohibitions have been in force since 2 February 2025.