Article 26 of Regulation (EU) 2024/1689 — Obligations of deployers of high-risk AI systems. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 26 of Regulation (EU) 2024/1689 sets out the obligations that fall upon deployers — those who put high-risk AI systems into use — and sits within Title III, Chapter 3 of the Act. The article establishes that deployers must take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use supplied by the provider (Article 26(1)). Deployers are required to assign the task of human oversight to persons who possess the necessary competence, training, and authority to carry it out effectively (Article 26(2)).

Where deployers determine the purpose of use or exercise significant influence over the AI system's operation, they bear enhanced responsibilities commensurate with a provider's role. Deployers must monitor the operation of the high-risk AI system on the basis of the instructions for use and, where relevant, inform the provider of any risks identified (Article 26(5)). They must not use the system in ways that contradict those instructions or place staff under pressure likely to compromise proper oversight.

Article 26(7) requires deployers to keep logs automatically generated by the high-risk AI system to the extent such logs are under their control, retaining them for a period appropriate to the intended purpose and applicable sectoral rules, and no less than six months. Article 26(9) imposes an obligation on public-body deployers and certain private operators to conduct and document a fundamental rights impact assessment prior to deployment, and to register it in the EU database established under Article 71.

What This Means in Practice

Article 26 directly affects any organisation that integrates a high-risk AI system into its operations without being that system's developer or original provider. Typical deployers include hospitals using AI-assisted diagnostic tools, employers using AI for recruitment screening, banks using AI credit-scoring engines, and public authorities using AI for benefit eligibility decisions.

In concrete terms, a deployer must begin by thoroughly reading and implementing the provider's instructions for use — these become a compliance baseline. Before going live, the deployer must identify which staff member or team holds oversight responsibility and ensure they have the training and authority to intervene, pause, or override the system's outputs. Pressure to ignore or work around oversight mechanisms is explicitly prohibited.

During operation, the deployer must retain system-generated logs. For a bank deploying a third-party credit-risk model, this means preserving automated decision logs for at least six months and ensuring they are accessible for audit or regulatory inspection. If the system begins producing unexpected outputs or is involved in an incident causing or potentially causing harm, the deployer must escalate immediately to the provider and, if necessary, to the national supervisory authority.

Public-sector deployers and private companies providing public-facing services face an additional step: a formal fundamental rights impact assessment must be completed and registered in the EU database before the system is activated. This assessment must identify foreseeable impacts on rights such as non-discrimination, privacy, and due process, and document mitigating measures.

Deployers that go beyond their instructions — by repurposing a system for a different use case or materially modifying its configuration — risk being reclassified as providers under Article 25, attracting the full weight of provider obligations including conformity assessment.

Key Obligations

Relationship to Other Articles

Article 26 must be read alongside several interconnected provisions. Article 25 defines when a deployer is reclassified as a provider — a threshold deployers must actively monitor whenever they modify or repurpose a system. Article 13 (Transparency and provision of information to deployers) governs what the provider must communicate via instructions for use, directly shaping what Article 26(1) compliance looks like. Article 14 (Human oversight) elaborates the technical requirements that providers must build into systems to enable deployers to fulfil their oversight duties under Article 26(2).

Article 71 (EU database) underpins the registration requirement imposed on public deployers by Article 26(9). Article 73 (Reporting of serious incidents) complements Article 26(5) by detailing the procedural framework for incident notifications. In employment contexts, Article 26(6) intersects with Directive 2002/14/EC on information and consultation of workers. For deployers in regulated sectors — finance, health, transport — sector-specific Union law may impose additional or overlapping obligations that interact with the Article 26 baseline.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, with obligations applying on a phased schedule. Provisions on prohibited AI practices became applicable on 2 February 2025. Obligations relating to general-purpose AI models became applicable on 2 August 2025.

Article 26, as an obligation applicable to high-risk AI systems listed in Annex III, becomes applicable on 2 August 2026 for most high-risk systems, with an extended deadline of 2 August 2027 for high-risk systems in the areas of employment, education, and access to essential services where existing Union harmonisation legislation applies (those systems listed in Annex I). Deployers should therefore treat 2 August 2026 as the primary compliance deadline for operational readiness, human oversight designation, log retention infrastructure, and fundamental rights impact assessment procedures, while beginning preparatory work immediately to allow sufficient lead time for governance, procurement review, and staff training.

Official AI Act Compliance Deadline Calendar

Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | | AI Act Art. 57 |

CC BY 4.0

Frequently Asked Questions

A deployer is any natural or legal person, public authority, agency, or other body that uses a high-risk AI system under its own authority, except where the system is used in the course of a purely personal non-professional activity. This includes businesses, public institutions, and operators integrating third-party high-risk AI into their workflows.

Deployers must implement appropriate technical and organisational measures to ensure they use high-risk AI systems in accordance with the instructions for use provided by the provider. They must also assign human oversight to qualified individuals, monitor performance, and suspend use if they identify risks.

Yes. Article 26(9) requires deployers that are bodies governed by public law, or private operators providing public services, to conduct a fundamental rights impact assessment before putting certain high-risk AI systems into use. This assessment must be registered in the EU database prior to deployment.

Under Article 26(5), deployers must immediately inform the provider and, where applicable, the relevant market surveillance authority. If the deployer cannot reach the provider, it must notify the authority directly. The obligation applies when the deployer has reason to believe the system presents a risk or has caused a serious incident.

No. Conformity assessment is the provider's responsibility under Article 43. Deployers are responsible for correct use according to the provider's instructions, appropriate human oversight, data governance for inputs they control, and reporting obligations. However, deployers that substantially modify a system may acquire provider obligations.
