EU AI Act Article 26: Deployer Obligations for High-Risk AI
Article 26 sets out what deployers — the organisations that use a high-risk AI system under their own authority — must do. Unlike the provider obligations, these duties land on the operator running the system in the real world: follow the instructions, assign competent human oversight, monitor operation, keep the logs, and act when something goes wrong. This page breaks down each duty.
EU AI Act Article 26: Deployer Obligations for High-Risk AI
Article 26 sets out what deployers — the organisations that use a high-risk AI system under their own authority — must do. Unlike the provider obligations, these duties land on the operator running the system in the real world: follow the instructions, assign competent human oversight, monitor operation, keep the logs, and act when something goes wrong. This page breaks down each duty.
Đã cập nhật lần cuối: 4 tháng 7, 2026
Who Is a Deployer?
A deployer is any natural or legal person using an AI system under its own authority in the course of a professional activity (individuals using AI for purely personal, non-professional reasons are excluded).
Deployer obligations sit alongside, not instead of, the provider's obligations. The provider builds and documents the system; the deployer is responsible for how it is actually used. If a deployer substantially modifies a high-risk system or puts its own name on it, it can also take on provider obligations under Article 25.
The Core Deployer Duties
Article 26 imposes a defined set of operational obligations on deployers of high-risk AI systems:
- Use per instructions — take appropriate technical and organisational measures to use the system in accordance with the provider's instructions for use
- Assign competent human oversight — entrust oversight to natural persons who have the necessary competence, training, authority and support to carry it out under Article 14
- Control input data — where the deployer controls the input data, ensure it is relevant and sufficiently representative in view of the system's intended purpose
- Monitor operation — monitor the system's operation against the instructions for use and inform the provider or distributor where a risk arises
- Keep automatically generated logs — retain the logs the system generates automatically, to the extent they are under the deployer's control, for at least six months (unless a longer period is set by other Union or national law)
- Inform workers and representatives — before putting a high-risk system into service in the workplace, inform affected workers and their representatives that they will be subject to it
- Data protection impact assessment — where relevant, use the information provided under Article 13 to carry out a data protection impact assessment under the GDPR
- Suspend and inform on serious risk — where the system presents a risk to health, safety or fundamental rights, or a serious incident occurs, suspend use, inform the provider, distributor and relevant authorities, and cooperate
The Six-Month Log Retention Floor
Deployers must keep the logs automatically generated by the high-risk AI system for a period appropriate to the intended purpose, and in any case for at least six months — unless a longer retention period is required by applicable Union or national law.
This applies to the logs that are under the deployer's control. It is the deployer-side counterpart to the provider's logging design under Articles 12 and 19: the provider builds the logging capability, and the deployer is responsible for actually retaining and being able to produce the resulting records. Sector rules (for example in finance or health) frequently set a longer floor, so treat six months as the minimum, not the target.
Public authorities acting as deployers have additional transparency and registration duties under Articles 26 and 49.
How AIAgentree helps
AIAgentree gives deployers a running system of record for exactly the duties Article 26 imposes — the log retention, the oversight workflow, and the monitoring evidence:
- Audit-fit retention holds the automatically generated decision records well beyond the six-month floor, with tamper-evident storage and EU data residency in Germany, so you can produce logs on request
- Human-oversight and approval workflows capture who reviewed, approved, overrode or escalated a decision — the evidence that competent oversight was actually exercised under Article 14
- Outcome tracking, precedent search and low-latency async capture (under 10ms) provide the monitoring signal to spot when a system is drifting from its instructions for use, available through REST, MCP, A2A, OpenTelemetry and the Python and TypeScript SDKs — start free with 25 traces
Frequently Asked Questions
What is the difference between a provider and a deployer?
The provider develops the AI system and places it on the market or puts it into service under its own name; the deployer uses that system under its own authority in a professional context. Article 26 governs deployers, while Articles 8 to 21 govern providers. One organisation can be both.
How long must deployers keep the logs?
At least six months. Article 26(6) requires deployers to keep the automatically generated logs that are under their control for a period appropriate to the intended purpose, and in any event for a minimum of six months, unless Union or national law requires longer.
Do deployers have to tell employees an AI system is being used?
Yes, where the system is used in the workplace. Before putting a high-risk AI system into service or use in the workplace, deployers must inform workers' representatives and the affected workers that they will be subject to the system, in line with information and consultation rules.
When does a deployer become a provider?
Under Article 25, a deployer takes on provider obligations if it puts its name or trademark on a high-risk system already on the market, makes a substantial modification to it, or modifies the intended purpose of a system in a way that makes it high-risk.
What must a deployer do if the system poses a serious risk?
Suspend use, and inform the provider or distributor and the relevant market surveillance authority without undue delay. Where a serious incident occurs, the deployer must report it and cooperate with the authorities and the provider on corrective measures.
Continue exploring the EU AI Act guide
EU AI Act Compliance Guide
The complete guide to EU AI Act compliance for AI agents — start here.
Article 12 — Record-Keeping & Logging
What every high-risk AI system must log, and how to capture it.
Article 14 — Human Oversight
Designing effective human-in-the-loop controls for AI decisions.
Annex III — High-Risk AI Systems
Which AI use cases the Act classifies as high-risk.
EU AI Act Compliance Checklist
A step-by-step checklist to reach and document compliance.
Compliance Cost Calculator
Estimate your EU AI Act compliance effort and cost.
Deadlines & Timeline
Key enforcement dates, including the August 2, 2026 deadline.
Fines & Penalties
Penalty tiers up to €35M or 7% of global annual turnover.
Transparency Obligations (Art. 13 & 50)
Disclosure duties for AI systems and their outputs.
Risk Management & Conformity Assessment
Build a risk management system and assess conformity.
GPAI Obligations
Rules for providers of general-purpose AI models.
EU AI Act for US Companies
Extraterritorial scope and what US providers must do.
Omnibus Update
The latest changes to the EU AI Act timeline and rules.
Penalty Calculator
Estimate your maximum fine under the Article 99 tiers.
Article 11 + Annex IV
What technical documentation the EU AI Act requires.
Article 17: Quality Management
The QMS providers of high-risk AI must document.
Article 10: Data Governance
Data quality, bias mitigation, and governance duties.
Article 4: AI Literacy
The staff AI-literacy duty in force since February 2025.
Deployer vs Provider
Who bears which obligation — and when a deployer becomes a provider.
FRIA (Article 27)
Who must run a Fundamental Rights Impact Assessment, and how.
Who Does It Apply To?
Scope, operators, and the extraterritorial reach of the EU AI Act.
Post-Market Monitoring
Articles 72–73: ongoing monitoring and incident reporting.
ISO 42001 vs EU AI Act
How the voluntary standard and the binding law fit together.
NIST AI RMF vs EU AI Act
A practical crosswalk between the framework and the law.
EU AI Act for Healthcare
High-risk medical AI, MDR/IVDR interplay, and clinician oversight.
EU AI Act for Financial Services
Credit scoring, insurance pricing, and existing financial regulation.
EU AI Act for HR & Employment
Hiring AI as high-risk, plus NYC LL144 and EEOC overlap.