Article 26 of the EU AI Act: Deployer Obligations
Article 26 is the duty set for deployers — the companies that use high-risk AI they didn't build. 'It's the vendor's problem' is a myth: deployers have independent, enforceable obligations.
What Article 26 requires
Deployers must use the system according to its instructions; assign competent human oversight; ensure input data they control is relevant; monitor operation and suspend use if it poses a risk; keep the automatically generated logs; inform workers and their representatives before workplace deployment; and, where they make decisions about individuals, inform affected persons.
Who it binds
Deployers of high-risk AI systems. Certain deployers (public bodies, essential-service providers) must also complete a Fundamental Rights Impact Assessment (Article 27).
Key points
- Independent of the provider's duties — buying a compliant tool doesn't discharge them.
- Includes human oversight, monitoring, logs and worker information.
- May trigger a FRIA (Article 27).
FAQ
We just use an AI tool — do Article 26 duties apply?
Yes, if it's a high-risk system used professionally under your authority. Article 26 places independent duties on you as the deployer, separate from the vendor's provider duties.
Related articles
Run the free 2-minute checker — deterministic, no sign-up.