EU AI Act deployer obligations: what your stack owes you by 2 August 2026

The distinction that vendors underexplain

The EU AI Act draws a line that most vendor communication obscures: the company that builds an AI system and the company that deploys it in a specific professional context carry different — and in some respects equally substantial — compliance obligations. Most of the industry conversation about the Act has focused on providers, the companies training models and shipping products. Article 26 of the Act is addressed to deployers, meaning any natural or legal person who uses a high-risk AI system under their own authority for professional purposes. If your organisation integrates an AI system into a business process, regardless of who built it, you are a deployer in the Act's meaning and Article 26 applies to you from 2 August 2026.

What Article 26 requires

The obligations for deployers of high-risk AI systems are operational, not merely documentary. Deployers must implement appropriate human oversight measures — defined by the Act not as a written policy but as actual operational controls: a designated person with the authority and capability to intervene when the system produces outputs that require review or override. Deployers must ensure that personnel interacting with the AI system have the AI literacy required to understand its capabilities, its limitations, and the conditions under which its outputs should not be relied upon. This AI literacy requirement entered into force under Article 4 in August 2025, giving organisations a twelve-month runway before the broader Article 26 obligations arrive. Deployers must also maintain logs of the system's operation to the extent those logs fall within their control, and must report serious incidents or malfunctions that affect fundamental rights or safety to the relevant national market surveillance authority without undue delay.

Annex III and the classification question

The practical question for most European operators is whether any component of their AI stack falls within the high-risk categories defined in Annex III of the Act. That list is specific and worth reading directly rather than relying on summaries. It covers AI systems used in employment and worker management contexts, including systems that influence recruitment, promotion, task allocation, or monitoring decisions; AI used in education to assess performance or determine access; systems that affect access to essential private and public services, including creditworthiness assessment; and AI used in law enforcement, border control, administration of justice, and democratic processes. The threshold for classification is not whether the system makes a final decision — it is whether the system's output materially influences one. A ranking tool, a scoring model, or a recommendation engine that shapes a decision about a person can trigger Annex III classification even if a human formally takes the decision downstream.

What operators need to do before August

Operators who have not begun auditing their AI stack against Annex III have approximately four months before enforcement. That timeline is compressed by two realities. First, the documentary work — maintaining the technical documentation, the logs, the monitoring protocols — cannot be created retroactively; it must be generated from the first day of compliant operation. Second, the contractual and procurement adjustments involved in verifying that providers have fulfilled their obligations under Article 13 (transparency and information obligations) are not quick. Article 25 of the Act requires providers to cooperate with deployers by supplying the technical documentation, conformity assessments, and information about intended purpose and foreseeable misuse that deployers need to run a compliant system. Most providers have not yet proactively delivered this documentation in a form that satisfies Article 26 requirements. Deployers should be requesting it now, and treating the quality of a provider's response as a signal about their compliance readiness.