August 2:
what attaches for deployers

What Article 26 actually is

Article 27 Fundamental Rights Impact Assessment scope is narrow. It attaches to public bodies, private entities providing public services, and deployers of creditworthiness or insurance pricing AI. (We covered the precise scope and what fills the gap in Article 27 FRIA: who it actually applies to.)

Article 26 is different. It applies to every deployer of a high risk AI system. Every deployer means every natural or legal person using a high risk system under their authority in the course of professional activity. Public body or private company, in-house or via SaaS, transport or e-commerce, the obligations apply.

Article 26 is twelve paragraphs of obligations. Some operational. Some procedural. Some narrow. This article unpacks all twelve, grouped by what they actually require you to do.

Who is a deployer

The Regulation distinguishes two main roles along the AI value chain: provider and deployer.

A provider places an AI system on the market or puts it into service under its own name or trademark, whether free of charge or for payment. OpenAI is a provider of GPT-4. Microsoft is a provider of Copilot.

A deployeris “a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity” (Article 3(4) definition). A law firm using Copilot to draft contract first drafts is a deployer. A hospital using a radiology classifier is a deployer. A ride hailing platform using driver allocation AI is a deployer.

One organisation can be both. If you take a provider’s high risk system and substantially modify it (within the meaning of Article 25(1)(b)), you become a provider of the modified system and inherit provider obligations on top of deployer ones.

The operational five

Paragraphs 1, 2, 4, 5, and 6 are the operational core: how you actually use the system day to day.

The transparency two

Paragraphs 7 and 11 are the human-facing transparency obligations.

Together, paragraphs 7 and 11 create a two-layer transparency stack: workers when AI is used in the workplace, and any affected individual when AI is used to make decisions about them. Both layers run independently of any GDPR transparency obligations (Articles 13, 14 GDPR), although the documentation can often be combined.

The compliance interfaces

Paragraphs 9 and 12 govern how Article 26 interacts with other rules.

The narrower obligations

Paragraphs 8 and 10 are scope-specific.

The savings clause

Paragraph 3is a procedural clarifier rather than a substantive obligation. The obligations in paragraphs 1 (instructions for use compliance) and 2 (human oversight) do not exclude other obligations under Union or Member State law and shall not affect the deployer’s freedom to organise its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider.

In practical terms: Article 26 is a floor, not a ceiling. Other rules can layer on top. And the way you implement human oversight in particular is for you to organise, provided the substance meets the Article 26(2) competence/training/authority requirements.

How national rules layer

Article 26 sets the floor. Member State workforce law, sector regulation, and other Union instruments can impose additional obligations that operate alongside it.

Spain’s Ley Rider(Royal Decree-Law 9/2021, amending Article 64.4(d) of the Workers’ Statute) requires platforms to inform worker representatives of the parameters, rules, and instructions on which algorithms or AI systems are based when they influence working conditions, access to or maintenance of employment, and profiling. The Ley Rider obligation overlaps with Article 26(7) on worker notification but goes further on substantive content (parameters and rules, not just notification of use).

Germany’s Works Constitution Act (BetrVG)gives works councils co-determination rights over technical equipment intended to monitor employee behaviour or performance under § 87(1)(6). The Federal Labour Court has interpreted this broadly enough to cover AI based monitoring. The 2021 Works Council Modernization Act (Betriebsrätemodernisierungsgesetz) added explicit AI provisions at § 80(3) (expert consultation), § 90(1) (planning information), and § 95(2a) (AI in personnel selection guidelines). Co-determination obligations under BetrVG go further than Article 26(7) on procedural rights.

The Platform Work Directive (Directive (EU) 2024/2831, transposition deadline 2 December 2026) will harmonise much of the platform-specific workforce regime across the EU. It introduces a presumption of employment for platform workers and mandatory transparency obligations for algorithmic management. Once transposed, the Directive will overlap substantially with both Article 26 deployer obligations and Article 27 FRIA (for those it applies to).

The implication for a deployer running workforce AI in multiple Member States: Article 26 is the universal baseline, but national workforce rules and the Platform Work Directive transposition add layers that vary by jurisdiction. The compliance work is to identify the union of obligations across your operating footprint, not just the Article 26 baseline.

Practical implementation before August 2

The deliverable structure for an Article 26 readiness programme.

Each item is a discrete artefact your supervisory authority can ask you to produce after 2 August.

What FRIA adds for those it applies to

For the subset of deployers in scope of Article 27 FRIA (public bodies, private entities providing public services, deployers of creditworthiness or insurance pricing AI), the FRIA layers on top of Article 26 with six structured inputs and a notification to the market surveillance authority. The Article 27 FRIA scope guide covers who’s in, who’s out, and the working template. For everyone else, Article 26 alone is the operational target for 2 August.

Related guides

More EU AI Act compliance pieces from ActComply.