1. Who is a deployer
Article 3(4) defines a deployer as any natural or legal person, public authority, agency or other body that uses an AI system under its own authority in a professional or commercial context — except where use is for personal non-professional purposes.
In plain terms: if your business uses any AI tool in your operations, you are a deployer. This covers:
- A retailer using an AI-powered customer service chatbot
- An HR department using AI to screen job applications
- A bank using AI for credit scoring
- A hospital using AI-assisted diagnostic software
- A law firm using AI to review contracts
Being a deployer does not mean you built the AI or trained the model. It means you are using it. Your obligations are separate from and in addition to your vendor's obligations as a provider.
2. Which AI systems trigger obligations
The obligations in Article 26 apply specifically to deployers of high-risk AI systems as defined in Annex III. The eight Annex III categories cover:
- Biometric identification and categorisation
- Critical infrastructure management
- Education and vocational training
- Employment and HR (CV screening, performance monitoring, hiring decisions)
- Essential services (credit scoring, insurance, public benefits)
- Law enforcement
- Migration and asylum
- Administration of justice
If none of your AI use cases fall into these categories, you are still subject to Article 4 (AI literacy) and potentially Article 50 (transparency), but not the full Article 26 obligations. Use the free risk checker to confirm your classification in 5 minutes.
3. The six Article 26 obligations
Obligation 1 — Use the system per provider instructions
Article 26(1) requires deployers to use high-risk AI systems in accordance with the provider's instructions for use. This sounds obvious but has real compliance teeth: using a CV screening tool for a purpose it was not designed for, or feeding it data types the provider did not intend, puts you outside the intended use boundary.
What this means in practice:
- Obtain and read the provider's instructions for use — this is a regulatory document, not just product documentation
- Ensure the system is used only for the described use cases
- Document any deviations and assess whether they constitute substantial modification
Obligation 2 — Assign human oversight
Article 26(2) requires deployers to assign the task of human oversight to natural persons with the necessary competence, authority, and resources to perform oversight. They must be able to understand the AI system's capabilities and limitations, detect anomalies and failures, and be empowered to intervene, suspend, or override the system.
This is not a nominal role. A human oversight owner who rubber-stamps AI outputs without review is not compliant. The person must actually have the time and access to review outputs meaningfully.
Obligation 3 — Monitor operation
Article 26(3) requires deployers to monitor the AI system's operation based on the provider's instructions and report any serious incidents to the provider and — in some cases — to national market surveillance authorities. Monitoring means tracking whether the system is behaving as intended, not just watching for uptime.
Obligation 4 — Ensure relevant input data
Article 26(4) requires that input data used with the high-risk AI system is relevant and sufficiently representative for the intended purpose. If you feed a credit scoring model data from a demographic it was not trained on, or use a hiring AI with job descriptions outside its training domain, you carry responsibility for that mismatch.
Obligation 5 — Retain logs
Article 26(5) requires deployers to retain the automatically generated logs of the high-risk AI system for at least six months, unless a longer retention period is required by other applicable law. These logs are the audit trail that national authorities will request in the event of an incident or compliance review.
Obligation 6 — Inform workers
Article 26(7) requires deployers to inform workers and their representatives before deploying high-risk AI systems intended to be used in the workplace. This is a pre-deployment obligation — you cannot inform workers after the system is already in use. In member states with strong works council regimes (Germany, France, Netherlands, Austria, Belgium), national co-determination law may require formal consultation before deployment, which takes additional time.
| Obligation | Article | Deadline |
|---|---|---|
| Use per provider instructions | Art. 26(1) | 2 Aug 2026 |
| Assign human oversight (competent, authorised) | Art. 26(2) | 2 Aug 2026 |
| Monitor operation; report serious incidents | Art. 26(3) | 2 Aug 2026 |
| Ensure relevant and representative input data | Art. 26(4) | 2 Aug 2026 |
| Retain logs ≥ 6 months | Art. 26(5) | 2 Aug 2026 |
| Inform workers before deployment | Art. 26(7) | 2 Aug 2026 |
4. Article 4 — AI literacy (already in force)
Article 4 has applied since 2 February 2025. It requires deployers to take measures to ensure a sufficient level of AI literacy among their staff who operate AI systems. This obligation does not wait for 2026 — it is already law.
AI literacy training must be proportionate to the person's role and the AI system being used. Staff making hiring decisions informed by AI need deeper training than staff who use an AI spelling checker. At minimum, document that training has occurred, what was covered, and who attended.
5. Article 50 — transparency obligations
Article 50 applies separately from Article 26 and covers AI systems that interact directly with people. If you deploy any of the following, Article 50 applies:
- Chatbots or AI assistants — users must be told they are interacting with AI at the start of each session (Art. 50(1))
- AI-generated content intended to inform, entertain, or persuade — must be labelled as machine-generated (Art. 50(2))
- Deepfakes or synthetic media — must be disclosed as AI-generated (Art. 50(4))
Use the free Article 50 disclosure generator to produce compliant disclosure text for your chatbot or AI assistant.
6. When a deployer becomes a provider
Article 25(1) sets out the conditions under which a deployer inherits provider obligations. This happens when:
- The deployer places a high-risk AI system on the market or puts it into service under their own name or trademark
- The deployer makes a substantial modification to a high-risk AI system already on the market
- The deployer changes the intended purpose of a non-high-risk AI system, making it high-risk
Once a deployer becomes a provider, they must comply with the full provider obligations: Annex IV technical documentation, conformity assessment, CE marking, and registration in the EU AI database. See the Annex IV technical documentation guide for what that entails.
7. Fines
Market surveillance and enforcement begins in August 2026 alongside the obligations themselves. Fines for deployers who fail to comply with Article 26:
| Violation type | Maximum fine |
|---|---|
| Non-compliance with Article 26 deployer obligations | €15 million or 3% of worldwide annual turnover |
| Providing incorrect or incomplete information to authorities | €7.5 million or 1% of worldwide annual turnover |
SMEs and micro-enterprises receive the lower of the percentage-based and absolute caps. National authorities have discretion to apply proportionate sanctions, but cross-border incidents and high-profile cases are likely to attract higher penalties.
8. Action plan
- Classify your AI systems. List every AI tool your organisation uses. Use the free risk checker to determine whether each is high-risk under Annex III.
- Start AI literacy training now. Article 4 is already in force. Schedule training, document attendance, and ensure staff using high-risk AI have sufficient understanding of the system's capabilities and limitations.
- Review vendor contracts. Check that each high-risk AI vendor provides instructions for use, a Declaration of Conformity, and log access. Flag gaps for renegotiation.
- Name your oversight owners. For each high-risk AI system, assign a named person with the competence, authority, and time to actually perform oversight. Document this in writing.
- Set up log retention. Confirm logs are being generated, that you have access to them, and that your retention policy specifies at least six months.
- Draft worker notifications. Prepare pre-deployment notifications for any AI system used in the workplace. If you have works councils, begin consultation now.
- Add Article 50 disclosures. If any AI system interacts directly with customers, candidates, or the public, add compliant disclosure text to those touchpoints.
FAQ
Does Article 26 apply to AI tools used only internally?
Yes, if those internal tools fall under Annex III. AI used for employee performance monitoring, HR decisions, or critical infrastructure management is high-risk regardless of whether it is customer-facing. Internal use does not reduce the risk classification.
Our AI vendor says the tool is compliant. Are we covered?
No. A vendor's compliance certificate covers their provider obligations. Your Article 26 deployer obligations are entirely separate — they cannot be delegated to or fulfilled by your vendor. You remain responsible for human oversight, log retention, worker notification, and AI literacy regardless of your vendor's compliance status.
What if we use a general-purpose AI like ChatGPT or Copilot?
General-purpose AI models (GPAI) are subject to their own obligations under Articles 53–55. As a deployer of GPAI, your obligations depend on how you use it. If you deploy ChatGPT in a customer-facing chatbot, Article 50 transparency obligations apply. If you use it to automate high-risk decisions (hiring, credit), Article 26 applies. If you use it purely as an internal productivity tool, only Article 4 AI literacy applies.
We are a non-EU company. Does Article 26 apply to us?
If you deploy AI systems whose outputs are used by people in the EU, the regulation applies regardless of where your company is headquartered. See the guide for non-EU companies for the territorial scope rules and the authorised representative requirement.