Instructions for Use — EU AI Act Glossary
EU AI Act Article 13 requires providers to supply deployers with instructions for use. Learn what they must contain and the deployer duty under Article 26.
Under Regulation (EU) 2024/1689, instructions for use are the information a provider of a high-risk AI system must supply to deployers so they can operate the system within its intended purpose. They are not optional guidance — they are a statutory deliverable, tied to the provider's Article 13 obligations, and the deployer's legal standing depends on having and following them.
The EU AI Act definition
Article 3 of Regulation (EU) 2024/1689 sets out the Act's definitions. Point 15 of that article defines instructions for use as:
the information provided by the provider to inform the deployer of, in particular, an AI system's intended purpose and proper use, including the specific geographical, behavioural or functional setting within which the AI system is intended to be used.
Two features of this definition deserve attention. First, it is tied to the provider-deployer relationship: the provider writes the instructions, the deployer receives them. Second, the phrase "in particular" signals that the definition sets a floor, not a ceiling — the Article 13 requirements that follow specify the minimum content.
Instructions for use sit squarely within the transparency architecture of the Act. Article 13 is titled "Transparency and provision of information to deployers" and its first obligation is that high-risk AI systems must "be accompanied by instructions for use in an appropriate digital or physical format."
What instructions for use must contain (Article 13)
Article 13 specifies the minimum content for instructions for use. The list is detailed enough to function as a drafting checklist.
Provider identity and contact details. The instructions must identify the provider — name, registered trade name, address — and, where applicable, their authorised representative under Article 22. The deployer needs to know who to contact if something goes wrong.
System characteristics, capabilities, and limitations of performance. This is the substantive core. Providers must document:
- The system's intended purpose — the use case the provider designed and validated for.
- The level of accuracy, robustness, and cybersecurity against which the system has been tested, including relevant metrics and their known limitations.
- Any known or reasonably foreseeable circumstances that could lead the system to perform below those stated levels. A credit-scoring model that degrades in accuracy when processing thin-file applicants must say so.
- The system's hardware or software requirements if relevant to performance.
Human oversight measures. Instructions for use must include the technical measures enabling human oversight under Article 14. This means describing the interfaces — pause functions, override mechanisms, output-flagging workflows — that deployers need to keep a natural person meaningfully in the loop. Listing the Article 14 measures in the instructions is how they get operationalised in a real deployment context.
Expected lifetime and maintenance requirements. Providers must state how long the system is expected to perform to specification and what maintenance or updates are necessary to sustain that performance. For high-risk systems, performance drift over time is not an abstract concern — a recruitment screening model that becomes less accurate as hiring patterns shift poses real harm. The instructions should tell deployers when to expect re-validation.
Data requirements, where relevant. Where the system's performance depends on input data quality or format, the instructions should specify this. A medical diagnostic system expecting structured DICOM images is not going to behave as designed if fed unstructured clinical notes.
Mechanisms to interpret outputs, where relevant. For systems whose outputs inform consequential decisions — credit approval, job shortlisting, benefit eligibility — the instructions should explain how to read those outputs. A score of 0.73 means nothing to a case officer unless the instructions explain the scale, what threshold matters, and how the system reached that result.
Instructions for use may be delivered in digital form, and a short-form version is allowed under Article 11 for providers that are natural persons or micro-enterprises, provided it contains the essential elements. That concession is narrow: the content obligation under Article 13 still applies in full.
The deployer's duty to follow them (Article 26)
Receiving instructions for use creates a legal obligation. Article 26 governs deployer duties, and among the most direct is the requirement to use the high-risk AI system in accordance with those instructions.
This is not a soft duty. A deployer who repurposes a system outside its documented intended purpose — say, using a CV-screening tool to assess existing employees for redundancy when the system was validated only for initial recruitment — is not operating in accordance with the instructions and takes on material compliance exposure. Under Article 25, a deployer who substantially modifies a system or changes its intended purpose may become a provider in their own right, with the full provider obligation stack.
Article 26 also requires deployers to implement the human oversight measures specified in the instructions. The instructions are therefore the conduit through which the Article 14 human oversight architecture reaches the deployment environment. A deployer cannot satisfy Article 26's oversight duties without instructions that describe those measures in the first place.
Deployers must also monitor operation and, where relevant, flag risks or serious incidents to the provider. That monitoring makes sense only if the deployer knows what normal performance looks like — which the instructions must establish.
One practical tension: deployers often receive instructions for use as part of a commercial contract and may sign away the right to scrutinise them closely. Treat the instructions as a technical and legal document, not a click-through terms page. If they are incomplete against the Article 13 list — no accuracy figures, no oversight mechanisms, no lifetime information — raise that with the provider before going live.
How they fit the documentation set
Instructions for use do not stand alone. They slot into a broader compliance architecture that providers of high-risk AI systems must assemble before placing a system on the market.
Annex IV technical documentation. Article 11 requires providers to draw up technical documentation before the system goes to market, in the form specified by Annex IV. Annex IV's nine content areas include the system's intended purpose, performance metrics, and the measures taken to ensure accuracy, robustness, and cybersecurity. Instructions for use draw from this material and translate it into deployer-facing form. Think of Annex IV as the full engineering and compliance record; the instructions for use are the operational summary addressed to the person who will actually run the system.
Human oversight (Article 14). The measures providers must design into high-risk systems under Article 14 — the ability for deployers to pause, override, or interpret outputs — need to be communicated to deployers. Instructions for use are the vehicle. Article 14's list of oversight capabilities is the source; the instructions for use are the delivery mechanism.
Conformity assessment (Article 43). Before a high-risk system can be placed on the market, it must undergo a conformity assessment. The content of the instructions for use is part of what the conformity assessment examines, particularly for systems in Annex III point 1 (biometrics) that require a notified-body procedure under Annex VII. For most other Annex III high-risk systems, the internal-control procedure under Annex VI applies, and the adequacy of the instructions forms part of the self-assessment.
EU declaration of conformity (Article 47). The declaration of conformity, drawn up under Annex V, confirms that the system meets the Act's requirements. Signing it without complete, accurate instructions for use undermines the declaration.
The audit trail. Instructions for use are part of the evidence trail an authority or notified body can examine. Providers must keep the technical documentation and other compliance records for ten years after the system is placed on the market (Article 18). Instructions for use are part of that record.
How Confir helps
Confir's AITO module (Transparency and Human Oversight, covering Article 13, Article 14, Article 27, and Article 50) structures the instructions-for-use obligation as a set of explicit controls. The tool's assessment workflow walks providers through each Article 13 content requirement — intended purpose, accuracy metrics, human oversight measures, lifetime and maintenance — and generates the corresponding section of the Annex IV technical documentation pack.
Because Confir's engine is rule-based and deterministic, the same inputs produce the same findings. When your provider documentation changes — updated performance figures, revised oversight procedures — rerunning the assessment produces an updated output that is traceable and audit-defensible. Confir is available from €600/year at confir.eu.
Frequently Asked Questions
Are instructions for use required for every AI system, or only high-risk ones?
The full Article 13 obligation — the statutory minimum-content list, the requirement to supply instructions to deployers — applies to high-risk AI systems under the Act. For limited-risk systems (Article 50, applying from 2 August 2026), the Act imposes transparency duties but does not prescribe instructions-for-use content in the same structured way. For minimal-risk systems, there is no mandatory obligation at all, though good practice still supports documenting intended use.
What is the difference between instructions for use and technical documentation?
Technical documentation under Article 11 and Annex IV is the full engineering and compliance record — it includes training data, architecture details, test results, risk assessments, and more. It is held by the provider and made available to market-surveillance authorities. Instructions for use are addressed to the deployer and contain the operational subset of that information: what the system does, how to run it within specification, what the oversight measures are. One informs the regulator; the other informs the operator.
What happens if a deployer ignores the instructions for use?
Article 26 requires deployers to follow the instructions. Operating outside them — different use case, different input types, different decision environment — means the deployer is no longer protected by the provider's conformity assessment. If that results in harm, the deployer carries the compliance exposure under Article 26. Where the deviation amounts to a substantial modification or a change in intended purpose, Article 25 may reclassify the deployer as a provider, triggering the full provider obligation stack including a new conformity assessment.
Must instructions for use be provided before deployment or can they follow later?
Article 13 requires that high-risk AI systems be "accompanied by" instructions for use when they are placed on the market or put into service. The instructions must be ready before deployment, not supplied after the fact. A deployer going live without them is operating a high-risk system without the information needed to satisfy their own Article 26 duties.
What language must the instructions for use be in?
Regulation (EU) 2024/1689 does not itself specify the language, but market-surveillance authorities in each member state can require documentation in the national official language(s). In practice, providers deploying across multiple EU markets will need localised versions. The commercial contract between provider and deployer typically addresses this — and deployers should confirm the instructions are available in the language of the team actually operating the system.
How do instructions for use connect to the high-risk compliance deadline?
Under the Digital Omnibus agreed in May 2026, obligations for stand-alone high-risk AI systems (the Annex III list) apply from 2 December 2027. High-risk AI embedded in regulated products under Annex I applies from 2 August 2028. Instructions for use are part of the Article 13 obligation stack that applies from those dates. Providers placing new systems on the market before those dates should treat the instructions-for-use requirement as a design constraint, not an afterthought — drafting them retrospectively is significantly harder than building them into the documentation process from the start.
Related terms
- Article 13 — Transparency and provision of information to deployers
- Intended purpose
- Deployer obligations under the EU AI Act
- Reasonably foreseeable misuse
- Annex IV technical documentation
- Human oversight (Article 14)
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →