The EU AI Act's Forgotten Half: What Article 26 Means for Deployers
For two years, almost every conversation about the EU AI Act has been about providers. Who builds the system, who places it on the market, who runs the conformity assessment. Deployers, the organisations that actually put high-risk AI to work on real people, have been treated as an afterthought. That is a mistake, and it is about to become an expensive one.
Article 26 is the part of the Act that governs deployers, and it is not light. It sets out eight substantive duties: use the system in line with the provider's instructions, assign competent human oversight, keep input data relevant and representative, monitor operation and report incidents, suspend use when serious risks appear, hold logs, and inform workers where the system affects them. Article 27 then adds a further duty for many deployers, the Fundamental Rights Impact Assessment.
The logic is simple once you see it. The provider designs a system for a range of possible uses. The deployer takes that system and applies it to a specific group of people, in a specific context, to make specific decisions. Most of the real-world risk lives in that act of contextualisation, which is exactly why the obligations sit where they do.
The FRIA is the part that catches people out. Unlike the data protection impact assessment under the GDPR, it has no approved methodology, no body of supervisory guidance, and no direct predecessor in EU law. Some organisations have read that absence as permission to wait. The opposite is true. The duty is already live, it is unconditional for public authorities, and the lack of a template puts the burden on each deployer to build a credible method of its own.
There is also a trap hidden in the supply chain. A deployer can only meet its Article 26 duties if the provider hands over enough information, above all the Annex IV technical documentation. Without it, you cannot complete a credible FRIA, set proper human-oversight standards, or design monitoring that will hold up. Most procurement contracts in the market today do not deal with this dependency, so the gap tends to surface at audit rather than at signing.
So where should a deployer start? Three moves matter more than the rest. First, build a real inventory of every AI system in use or under procurement, at the system level rather than the budget line, including tools bought as ordinary software that happen to contain AI. Second, commission or refresh your Fundamental Rights Impact Assessments, and scope them across the full range of Charter rights, not just non-discrimination. Third, stand up a governance committee with the authority to approve deployments, review monitoring, and suspend a system when it misbehaves.
Our whitepaper, The Deployer's Burden, works through all of it: the full Article 26 obligation set, a practical read on the FRIA, the procurement clauses that close the information gap, and a sequenced plan for the first eighteen months. If your organisation runs high-risk AI, the deployer's half of the Act is the half that now needs your attention.