Deployer Compliance Checklist

Under the EU AI Act, a 'deployer' is any natural or legal person, public authority, agency, or other body that uses an AI system under its authority except where the AI system is used in the course of a personal non-professional activity. If your organisation uses an AI system built by a third party in any professional context — HR screening tools, credit scoring systems, customer service AI, document processing — you are a deployer and have specific obligations under Article 26. Deployers are distinct from providers. Providers develop and place AI systems on the EU market. Deployers use them. The distinction matters because your compliance obligations — while significant — are different from those of the provider, and you cannot assume that the provider's CE marking or conformity assessment covers your deployment context.

Before deploying any high-risk AI system, deployers must complete a structured pre-deployment review. This is not a one-time tick-box exercise — it is a documented assessment that must be retained and updated. Under Article 26(2), deployers must ensure that the intended purpose of the AI system matches their specific use case. A recruitment AI certified for candidate pre-screening is not automatically certified for performance review or promotion decisions. Using it for an uncertified purpose makes you responsible for that extended use.

Article 26(1) requires deployers to implement appropriate human oversight measures during deployment. This is one of the most operationally significant obligations for deployers, and one of the most frequently underestimated. Human oversight does not mean a person watches every AI decision in real time. It means you have designed your deployment so that a qualified person can understand the AI system's outputs, identify when those outputs may be incorrect or biased, and intervene or override the system when necessary. The oversight framework must be appropriate for the risk level and operational context of the system.

Deployers are responsible for the quality of data they provide as inputs to AI systems. Under Article 26(3), deployers must ensure that input data is relevant for the intended purpose of the system and is prepared in accordance with the provider's instructions. This is particularly important for AI systems whose outputs depend heavily on the quality and representativeness of the data they process. An AI system that performs well on nationally representative data may perform poorly — and introduce bias — when given data from a specific regional or demographic subset.

Article 26(6) requires deployers to retain the logs automatically generated by high-risk AI systems. The retention period is determined by applicable Union or national law, but the default is three years unless sector-specific rules require longer. These logs are the evidential backbone of your compliance posture. If an incident occurs, or if a supervisory authority requests access to records, your log retention and organisation will determine whether you can demonstrate compliant operation or face an adverse finding.

If your deployed AI system causes or contributes to a serious incident — an event resulting in harm to health, safety, or fundamental rights — you have specific notification obligations. Under Article 26(5), deployers must immediately notify the provider and, where applicable, market surveillance authorities. For deployers in the public sector or in highly regulated sectors, additional sector-specific incident reporting requirements may also apply, layering on top of EU AI Act obligations.