Deployer Obligations Checklist (Article 26, EU AI Act)
A deployer obligations checklist is the short list for companies that USE high-risk AI rather than build it. Article 26 of the EU AI Act is your article: you bought the hiring screener or the credit model, and the law now expects you to run it responsibly. Eight rows, far lighter than the provider's twelve, but with real operational teeth.
The 8-point deployer checklist
| # | Obligation | Where it lives |
|---|---|---|
| 1 | Use the system according to the provider's instructions for use | Art. 26(1) |
| 2 | Assign human oversight to people with competence, training, and authority | Art. 26(2) |
| 3 | Ensure input data under your control is relevant and sufficiently representative | Art. 26(4) |
| 4 | Monitor operation and tell the provider or authority when something looks wrong | Art. 26(5) |
| 5 | Keep the automatically generated logs at least six months | Art. 26(6) |
| 6 | Tell workers and their representatives before using it on them at work | Art. 26(7) |
| 7 | Inform people subject to its decisions, where the Act requires | Art. 26(11) |
| 8 | Run a fundamental rights impact assessment first, if Article 27 covers you | Art. 27 |
Row 8 applies to public bodies, private entities providing public services, and deployers of certain credit-scoring and insurance-pricing systems. If that is you, the FRIA comes before first use, not after.
The two rows that bite operationally
Log retention (row 5) needs someone to actually own storage and deletion windows. And worker notification (row 6) has a date attached to a meeting, not a document: works councils want to hear about the system before it goes live. Both rows produce evidence that AI Comply HQ generates and tracks for you, alongside the oversight-assignment record from row 2.
Wait, are you sure you're only a deployer?
Rebrand a vendor's system under your own name, or substantially modify it, and you can become the provider, with the 12-row provider checklist instead. The free risk check asks the role questions and tells you which list is yours.
FAQ
When do deployer duties start?
For Annex III systems, 2 August 2026 under the current text, the same date as the provider-side regime.
The provider says the system is compliant. Are we done?
No. Their conformity covers their duties. Rows 1 through 8 above stay yours.
Check which obligations hit you, free
Sources
This page is informational content, not legal advice. Talk to a qualified lawyer about your specific situation.