EU AI Act Deployer Obligations: What AI Users Must Do

Who Is a Deployer Under the EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) introduces a distinct legal category for entities that use AI systems. Article 3(4) defines a deployer as any natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.

This definition is deliberately broad. A company using an AI-powered recruitment tool is a deployer. A hospital using an AI diagnostic system is a deployer. A government agency using an AI system to process benefit applications is a deployer. The key factor is that the entity exercises authority over how the AI system is used in practice, even though it did not develop the system.

The distinction between provider and deployer is fundamental to the AI Act's compliance architecture. Providers bear obligations related to the design, development, and placing on the market of AI systems. Deployers bear obligations related to the actual use of those systems. Both sets of obligations apply simultaneously, and neither party can contractually transfer its own obligations to the other.

Core Deployer Obligations Under Article 26

Article 26 of the AI Act sets out the primary obligations for deployers of high-risk AI systems. These obligations are designed to ensure that AI systems continue to function safely and in compliance with fundamental rights once they are deployed in real-world settings.

The first obligation is to use high-risk AI systems in accordance with the instructions of use provided by the provider (Art.26(1)). This means deployers must read, understand, and follow the technical documentation that accompanies the AI system. Using a high-risk AI system outside its intended purpose or in a manner inconsistent with provider instructions may trigger additional obligations or create liability.

Article 26(2) requires deployers to assign human oversight to natural persons who have the necessary competence, training, and authority. Human oversight is not a formality. The individuals responsible must be capable of understanding the system's outputs, recognising signs of anomalies or malfunctions, and intervening when necessary. They must also have the practical authority to override or disregard the AI system's output.

Under Article 26(4), deployers must ensure that input data is relevant and sufficiently representative for the intended purpose of the high-risk AI system. Where the deployer exercises control over the input data, this obligation requires active data governance measures. Poor-quality input data can lead to discriminatory or inaccurate outputs, regardless of the quality of the underlying model.

Monitoring, Record-Keeping, and Incident Reporting

Article 26(5) imposes a monitoring obligation on deployers. They must monitor the operation of the high-risk AI system on the basis of the instructions of use and, where relevant, inform providers in accordance with Article 72. If a deployer has reason to consider that the use of the AI system presents a risk, it must suspend use and inform the provider or distributor without undue delay.

Record-keeping is addressed in Article 26(6). Deployers of high-risk AI systems must keep the logs automatically generated by the system, to the extent such logs are under their control. These logs must be kept for a period appropriate to the intended purpose of the high-risk AI system, and at least six months unless otherwise provided by applicable Union or national law.

When a deployer identifies a serious incident, it must report the incident to the relevant market surveillance authority. This reporting obligation operates alongside, not instead of, any existing sectoral reporting requirements. For example, a medical device incident must be reported under both the AI Act and the Medical Device Regulation where applicable.

Worker Information Obligations

Article 26(7) introduces a specific transparency requirement towards workers. Before putting into service or using a high-risk AI system in the workplace, deployers that are employers must inform workers' representatives and the affected workers that they will be subject to the use of the high-risk AI system.

This obligation applies regardless of whether the AI system is used for recruitment, performance monitoring, task allocation, or any other employment-related decision covered by Annex III. The information must be provided in accordance with Union and national rules and procedures on informing workers and their representatives.

This requirement intersects with existing employment law obligations. In many EU Member States, works councils or trade unions have co-determination rights that may require consultation beyond mere information. Deployers should assess their obligations under both the AI Act and national employment law to determine the full scope of worker engagement required.

Fundamental Rights Impact Assessment for Public Entities

Article 27 imposes an additional obligation on deployers that are bodies governed by public law, or private entities providing public services, and deployers of certain high-risk AI systems listed in Annex III. These deployers must perform a fundamental rights impact assessment (FRIA) before putting a high-risk AI system into use.

The FRIA must include a description of the deployer's processes in which the AI system will be used, a description of the period and frequency of use, the categories of natural persons and groups likely to be affected, the specific risks of harm likely to impact those persons, a description of human oversight measures, and measures to be taken in case those risks materialise.

The FRIA is distinct from a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR, although the two assessments may overlap significantly. Where a DPIA is already required, the FRIA may be conducted alongside it and may incorporate its findings. However, the FRIA covers a broader range of fundamental rights beyond data protection, including non-discrimination, freedom of expression, and the right to an effective remedy.

Cooperation with Authorities and Practical Next Steps

Article 26(8) requires deployers to cooperate with relevant national competent authorities in any action those authorities take in relation to the high-risk AI system. This includes providing access to automatically generated logs and any other information necessary for the authority to assess the AI system's compliance.

Deployers that discover non-compliance with the AI Act must take corrective action. If a deployer identifies that the AI system does not conform to the requirements of the Regulation, it must not use that system until it has been brought into conformity. Where the AI system presents a risk, the deployer must immediately inform the provider and the relevant market surveillance authority.

For organisations preparing to comply with deployer obligations, practical steps include conducting an inventory of all AI systems in use, classifying each system according to the AI Act risk categories, reviewing provider documentation and instructions of use, designating competent human oversight personnel, establishing input data governance procedures, implementing logging and record-keeping processes, developing incident reporting protocols, and conducting fundamental rights impact assessments where required.

The timeline for compliance varies by provision. Obligations relating to prohibited AI practices apply from February 2025. Obligations for general-purpose AI models apply from August 2025. The full set of deployer obligations for high-risk AI systems applies from August 2026. Organisations should use the intervening period to prepare their compliance frameworks systematically.

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.