EU AI Act Deployer Obligations: What Companies Using AI Must Do
Most companies are deployers — they don't build AI, they use it: an AI hiring tool, a credit-scoring model, a customer chatbot. Deployers of high-risk AI carry real, enforceable duties under Article 26, and certain deployers must also complete a Fundamental Rights Impact Assessment (Art. 27). This page explains exactly what a deployer must do.
Are you a deployer?
You are a deployer if you use an AI system under your own authority in the course of a professional activity — for example, an HR team running a CV-screening tool, a bank using an automated credit-scoring model, or a hospital using diagnostic AI. Purely personal, non-professional use is excluded. You can be a deployer of a high-risk system even though you didn't build it — the provider's duties and yours run in parallel.
The mistake teams make
Teams assume 'we just bought the tool, compliance is the vendor's problem.' It isn't. Art. 26 puts independent duties on the deployer — human oversight, using the system per its instructions, monitoring it, keeping logs and informing affected people. And under Art. 25, if you put your own brand on it or substantially change it, you stop being a deployer and become the provider.
Deployer obligations, article by article
- Art. 26(1)Use per instructions
Operate the system in line with the provider's instructions for use.
- Art. 26(2)Human oversight
Assign oversight to competent people with the authority and training to intervene.
- Art. 26(4)Input-data relevance
Ensure input data you control is relevant and representative for the intended purpose.
- Art. 26(5)Monitor & suspend
Monitor operation and suspend use if the system presents a risk, informing the provider.
- Art. 26(6)Keep logs
Retain the automatically generated logs for an appropriate period (at least 6 months).
- Art. 26(7)Inform workers
Before using high-risk AI at work, inform workers and their representatives.
- Art. 26(11)Transparency to affected people
Tell individuals when a high-risk system is used in decisions affecting them.
- Art. 27Fundamental Rights Impact Assessment (FRIA)
Public bodies and certain essential-service deployers must complete a FRIA before first use.
- Art. 50Transparency for limited-risk use
Disclose AI interaction (chatbots) and label AI-generated or manipulated content.
- Art. 4AI literacy
Ensure staff who operate or are affected by AI have a sufficient level of AI literacy.
Key deadlines
- 2 Feb 2025 — AI literacy (Art. 4) + prohibited-practice ban in force
- 2 Aug 2026 — deployer obligations for high-risk systems (Art. 26/27) apply
- 2 Aug 2026 — Art. 50 transparency duties apply
FAQ
We only use ChatGPT / an off-the-shelf tool — are we a deployer?
Yes, if you use it professionally under your own authority. Whether Article 26's high-risk duties bite depends on the use case: a general chatbot is usually limited-risk (Art. 50 transparency), but using AI to screen candidates or score credit is a high-risk deployment with the full Art. 26 set.
What is a FRIA and do we need one?
A Fundamental Rights Impact Assessment (Art. 27) documents how a high-risk AI deployment could affect people's rights and how you mitigate it. It's mandatory for public bodies and for deployers of high-risk systems in areas like essential private/public services (e.g. credit, insurance) before first use.
Can we be both a deployer and a provider?
Yes. If you deploy a vendor's system but also rebrand it, substantially modify it, or repurpose it into a high-risk use (Art. 25), you take on provider obligations for that system in addition to your deployer duties.
Not sure? You might also be a…
Run the free 2-minute checker — deterministic, no sign-up.