EU AI Act deployer obligations: what changed and what to do — 2026-06-26
TL;DR — Under the EU AI Act (Regulation 2024/1689), deployers are users of AI systems who must ensure compliance with transparency, risk management, and monitoring requirements. Key obligations include providing disclosures to end-users, implementing safeguards for high-risk systems, maintaining documentation, and reporting serious incidents. Deployers must act from the systems' entry into service and remain liable for violations even if they use third-party AI systems.
What are deployer obligations under the EU AI Act?
Deployers are individuals or organizations that use AI systems in a professional or commercial capacity. Under the EU AI Act, deployers hold significant responsibility for ensuring their AI deployments comply with the regulation. Unlike providers (who develop AI), deployers must monitor performance, ensure user transparency, manage risks in real-world deployment contexts, and maintain records of compliance. These obligations apply regardless of whether the deployer also developed the system themselves.
Which AI systems trigger deployer obligations?
The EU AI Act imposes graduated obligations based on risk level. High-risk AI systems (those used in critical domains like employment, education, law enforcement, and essential services) carry the strictest requirements. General-purpose AI systems also carry obligations around transparency and incident reporting. Deployers must classify their systems and apply appropriate safeguards; using an unclassified or misclassified system does not exempt a deployer from liability.
What transparency requirements apply to deployers?
Deployers must inform end-users when they are interacting with AI systems, unless it is obvious from context. For high-risk systems, this means disclosing how the system works, its limitations, and the categories of personal data used. Deployers must also ensure users can understand and challenge automated decisions. These obligations aim to prevent deceptive or manipulative AI use and to maintain human oversight in sensitive contexts.
What are the monitoring and incident reporting duties?
Deployers must continuously monitor high-risk AI systems for malfunction, performance degradation, and bias. They must maintain logs and performance metrics and report serious incidents—those causing injury, property damage, or fundamental rights violations—to relevant authorities. This includes documenting how systems are used and whether their real-world performance aligns with training data and provider claims.
What documentation must deployers keep?
The EU AI Act requires deployers to maintain records of AI system use, monitoring results, and any incidents or complaints. Documentation should include the system's instructions for use, a summary of human review processes, and evidence of compliance assessments. These records must be kept for the entire lifecycle of the deployment and made available to competent authorities upon request.
When do deployer obligations begin?
Obligations commence when an AI system enters into service—the moment it is first used in its intended context. Deployers cannot defer responsibility by claiming they are "testing" or "piloting" a system; use in any professional or commercial setting triggers compliance duties. This applies even to systems deployed before the EU AI Act's enforcement dates if they remain in use after those dates.
What liability do deployers face?
Deployers can be held liable for violations of deployer obligations, and this liability exists independently of provider liability. If a deployer misuses a compliant AI system—or fails to monitor, report incidents, or maintain transparency—they bear responsibility. Conversely, deployers are not liable for provider-side violations (e.g., a provider's failure to conduct conformity assessment) if the deployer has no knowledge and no reasonable grounds to suspect non-compliance.
How do deployer obligations interact with data protection law?
The EU AI Act complements the General Data Protection Regulation (GDPR). Deployer transparency and monitoring obligations intersect with GDPR's data subject rights. For instance, notifying users about AI use overlaps with GDPR's transparency requirements. Deployers must comply with both frameworks simultaneously; the AI Act does not override GDPR rights, but rather extends accountability to the deployment phase.
What steps should deployers take now?
- Audit your AI systems. Classify each system by risk level using the EU AI Act criteria.
- Map compliance gaps. For high-risk systems, ensure monitoring infrastructure, incident-reporting processes, and documentation practices are in place.
- Update user communications. Draft transparent disclosures about AI use, compliant with the regulation's transparency requirements.
- Train your teams. Ensure staff understand deployer obligations and can recognize and report incidents.
- Engage legal counsel. Work with qualified AI compliance advisors to tailor your compliance program to your specific deployment contexts.
Frequently Asked Questions
Q: Does the EU AI Act apply to my organization if we use AI but didn't develop it?
A: Yes. The EU AI Act imposes obligations on deployers—users of AI systems—regardless of whether they also developed the system. You are responsible for compliant deployment.
Q: What counts as a "serious incident" that I must report?
A: Serious incidents are those that cause or could cause injury, property damage, or violations of fundamental rights. Each deployment context defines this; a deployer must assess and report proportionately.
Q: If a provider says their AI system is compliant, can I assume I have no obligations?
A: No. Provider compliance statements are a starting point, but deployers remain liable for their own monitoring, transparency, and incident-reporting duties. You cannot outsource deployer obligations.
Q: When do the enforcement dates take effect?
A: The EU AI Act entered into force on 1 January 2025, with phased enforcement: high-risk AI system rules apply from 1 July 2026; general-purpose AI rules apply from 2 August 2025. Some obligations (e.g., prohibited AI) apply immediately.
Q: Can I be held liable if I use a third-party AI system and it violates the Act?
A: You are liable for deployer obligations (monitoring, transparency, incident reporting). You are not liable for the provider's pre-deployment conformity assessment unless you knew or reasonably should have known of non-compliance and continued use anyway.
Sources
- Regulation (EU) 2024/1689 (EU AI Act)
- European Parliament Press Release – Combating child sexual abuse: agreement on updated rules (22 June 2026)
This article is informational and does not constitute legal advice. Consult qualified counsel for your specific situation.