EU AI Act Article 26: deployer obligations for high-risk AI

EU AI Act Article 26: deployer obligations for high-risk AI

Most coverage of the EU AI Act focuses on the companies that build AI systems. But Article 26 places a parallel set of obligations on the companies that deploy those systems, including startups that integrate third-party AI tools into their products and workflows. If your company uses a high-risk AI system, Article 26 applies to you, regardless of whether you wrote a single line of the underlying model.

What the EU AI Act says

Article 26 of the EU AI Act defines the obligations of deployers of high-risk AI systems. It covers six core duties: human oversight, fundamental rights impact assessments (FRIAs), logging and recordkeeping, staff training, post-deployment monitoring, and incident reporting. For systems listed in Annex III, these obligations become enforceable from December 2 2027.

The obligations in Article 26 sit alongside, not instead of, the provider obligations in Article 16. Where a provider has built and CE-marked a high-risk system, the deployer takes on a different but complementary set of responsibilities. The EU AI Act is explicit that the two parties share accountability, and that deployers cannot simply rely on a provider's technical documentation to satisfy their own duties.

Who this applies to: deployers vs providers

The distinction between provider and deployer is foundational to understanding your obligations under the EU AI Act.

A provider is the company or individual that develops an AI system and places it on the market or puts it into service, whether under their own name or a white label. Providers bear the heaviest compliance burden: conformity assessments, CE marking, technical documentation, and registration in the EU AI database.

A deployer is any natural or legal person who uses a high-risk AI system under their own authority, in a professional context, within the EU. This definition captures a very wide range of companies, including startups that:

  • Use an off-the-shelf AI recruitment tool to screen CVs
  • Integrate a third-party creditworthiness or risk-scoring API
  • Deploy a biometric verification solution from a vendor
  • Use an AI system to make or inform decisions about access to essential services

If your company falls into any of these categories and the AI system is listed in Annex III, you are a deployer subject to Article 26.

Note that a company can be both a provider and a deployer simultaneously, for example if you build a general-purpose AI tool but also deploy a third-party high-risk system internally for HR decisions.

What Article 26 requires, concretely

1. Fundamental rights impact assessment (FRIA)

Public authorities and certain private bodies using high-risk AI systems must conduct a FRIA before deployment. The assessment must identify risks to fundamental rights, including discrimination, privacy, and access to justice, and document the measures taken to mitigate those risks. For most private-sector startups, the FRIA obligation applies when deploying AI systems that affect individuals' access to services, employment decisions, or safety-critical functions.

2. Human oversight

Deployers must implement the human oversight measures specified by the provider in the system's instructions for use. This is not optional: if the provider's documentation says a human must review outputs before a decision is made, the deployer is legally required to enforce that workflow. You cannot contractually waive this or configure the system to bypass it.

3. Logging and recordkeeping

Where deployers have control over the logs generated by a high-risk AI system, they must retain those logs for a minimum period set by the relevant sector regulation, or at least six months where no sector-specific rule applies. Logs must be made available to market surveillance authorities on request. This requirement has direct implications for your data infrastructure and retention policies.

4. Staff training

Anyone operating or supervising a high-risk AI system must have sufficient AI literacy and task-specific training. Deployers are responsible for ensuring this. The EU AI Act does not prescribe a specific training format, but you will need to document who has been trained, on what, and when. For CTOs and technical leads, this means building training into onboarding and maintaining records.

5. Post-market monitoring

Deployers are required to monitor the performance of deployed high-risk AI systems over time. This includes watching for drift, unexpected outputs, and changes in the deployment context that could affect system performance. The monitoring obligation links directly to the provider's post-market monitoring plan, which providers must supply as part of their technical documentation. Deployers must follow that plan and report anomalies back to the provider.

6. Registration in the EU database

For certain high-risk AI use cases, deployers must register their use of the system in the EU-wide AI database. The categories requiring deployer registration are defined in Annex III. Registration is a pre-deployment step, not something that can be done retrospectively.

7. Reporting serious incidents

If a high-risk AI system causes or contributes to a serious incident (defined as a risk to health, safety, or fundamental rights, or a significant disruption to critical infrastructure), the deployer must report it to the relevant national market surveillance authority. Timelines for reporting mirror those in product safety law: serious incidents require prompt notification, not end-of-year reporting.

Key deadlines

  • February 2 2025: Article 5 prohibitions already in force. Systems using subliminal manipulation, social scoring, or real-time remote biometric identification in public spaces are banned now.
  • August 2 2026: GPAI model obligations and fines up to EUR 15 million or 3% of global revenue apply. Article 50 transparency obligations for certain AI-generated content also apply from this date.
  • December 2 2027: Annex III high-risk AI system obligations apply in full, including all Article 26 deployer duties. This is the primary deadline for most startups deploying third-party AI tools in high-risk categories.

What to do now

December 2027 may feel distant, but the compliance work takes longer than most teams expect. Here is what to start now:

  1. Inventory your AI use. List every AI system your company uses or integrates, including APIs, embedded models, and vendor tools. Identify which ones fall under Annex III categories.
  2. Classify your role. For each system, determine whether you are the provider, the deployer, or both. Your obligations differ significantly depending on this classification.
  3. Review provider documentation. Request technical documentation and instructions for use from any third-party providers of high-risk systems. You need this to implement human oversight and monitoring correctly.
  4. Conduct a FRIA where required. If you deploy AI in HR, credit, education, or essential services, begin your fundamental rights impact assessment now. It takes time to do properly.
  5. Build logging infrastructure. Ensure your systems can generate, store, and retrieve AI decision logs for at least six months.
  6. Document training. Create records of who on your team is trained to operate each AI system and what that training covered.

Use the free ActComply risk screener to check your obligations under the EU AI Act: https://www.getactcomply.com/check. The screener maps your AI use cases to specific obligations in the regulation and tells you what applies to your situation.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener
EU AI Act Article 26: deployer obligations for high-risk AI | ActComply