EU AI Act Art.26 Deployer Obligations 2026: What Every SaaS Company Must Do Before August
Post #1384 in the sota.io EU AI Act Compliance Series
2 August 2026 is the compliance deadline for high-risk AI deployer obligations under the EU AI Act. If your SaaS product uses AI — whether you built the model yourself, consume a third-party API, or embed an AI feature from a vendor — you almost certainly qualify as a deployer under the regulation. And deployers face a concrete set of obligations under Article 26 that many engineering teams are not yet aware of.
This guide walks through every requirement, who it applies to, and exactly what you must implement before the August deadline.
Provider vs. Deployer: The Distinction That Changes Everything
The EU AI Act draws a sharp line between two roles:
Provider (Art.3(3)): The entity that develops an AI system, places it on the market, or puts it into service under its own name or trademark. This is typically the company that trained the model.
Deployer (Art.3(4)): Any natural or legal person, public authority, agency, or other body that uses an AI system under its own authority — except for personal, non-professional use.
The critical implication: if you integrate GPT-4, Claude, Gemini, or any other AI model into your SaaS product and deploy it to users in a professional context, you are a deployer under the AI Act. OpenAI, Anthropic, and Google are the providers. You are the deployer.
This matters because deployers have a distinct set of obligations under Article 26 that are separate from — and in some cases stricter than — what providers must do.
Which AI Systems Trigger Article 26?
Article 26 obligations apply specifically to high-risk AI systems as defined in Article 6 and Annex III of the AI Act. Not every AI deployment qualifies, but the Annex III list is broader than most developers expect:
The eight high-risk categories (Annex III):
- Biometric identification and categorisation of natural persons
- Management of critical infrastructure (roads, water, energy, digital infrastructure)
- Education and vocational training (determining access, assessing learning outcomes, evaluating test results)
- Employment, workers management, and access to self-employment (recruitment, promotion, task allocation, work monitoring)
- Access to essential private and public services (credit scoring, risk assessment for insurance, emergency services)
- Law enforcement (risk assessment, polygraphs, crime analytics)
- Migration, asylum, and border control
- Administration of justice and democratic processes
Practical examples for SaaS builders:
- An HR platform using AI to screen CVs or rank candidates → Category 4 (high-risk)
- A lending platform using AI for credit decisioning → Category 5 (high-risk)
- An education tool using AI to grade student work or determine course placement → Category 3 (high-risk)
- An AI-powered chatbot for general customer support → Likely not high-risk (Art.6 exemption for narrow purpose)
- AI used internally to help engineers write code → Not high-risk
If you are unsure, apply the two-step test from Art.6: (1) Is the system already regulated under EU safety legislation? (2) Does it fall into an Annex III category? If yes to either, assume high-risk until you can demonstrate otherwise.
The Seven Core Obligations Under Article 26
1. Use the System According to Its Instructions
Deployers must take appropriate technical and organisational measures to ensure they use the high-risk AI system in accordance with the instructions for use provided by the provider (Art.26(1)).
What this means in practice:
- Read the provider's documentation, terms of service, and compliance guidance
- Do not use the AI system for purposes not covered by the provider's instructions
- Document your use case and how it aligns with the stated intended purpose
- If you modify the system or feed it inputs outside its stated scope, you may be treated as a provider under Art.25(4)
Common failure mode: Developers take an AI API designed for one use case (e.g., document classification) and repurpose it for a higher-stakes application (e.g., candidate ranking) without checking whether the provider's instructions cover that use case.
2. Ensure Qualified Human Oversight
Article 26 requires deployers to assign the human oversight task to natural persons with the necessary competence, training, and authority (Art.26(2), cross-referencing the human oversight requirements in Art.14).
Art.14 specifies that high-risk AI systems must be designed and developed to enable effective human oversight by natural persons during their use period. As a deployer, your obligation is to actually implement that oversight — not just technically enable it.
What this means in practice:
- Designate a named individual or team responsible for monitoring AI output
- Ensure those individuals can understand, question, and override the AI's decisions
- Give oversight personnel sufficient authority to halt or modify the AI system when needed
- Document the oversight structure in your quality management documentation
- Do not design workflows where the AI output is automatically applied without human review for high-stakes decisions
Red flag: Many SaaS platforms build "human-in-the-loop" features but then design UX flows that make it practically impossible for the human to override the AI recommendation. Art.14 requires genuine override capability — not checkbox compliance.
3. Provide AI Literacy Training
Under Art.4, both providers and deployers must take measures to ensure that the staff responsible for operating high-risk AI systems on their behalf have a sufficient level of AI literacy, tailored to their roles and context.
Deployers cannot delegate this to the AI provider. You own AI literacy for your team.
What this means in practice:
- Conduct an AI literacy baseline assessment for staff who work with high-risk AI systems
- Provide targeted training covering: how the AI system makes decisions, its known limitations and failure modes, how to recognise and respond to anomalous outputs
- Document training completion and maintain records
- Include AI literacy requirements in your hiring and onboarding processes for relevant roles
Minimum curriculum for a high-risk AI deployer:
- What the model does and does not do (capability boundaries)
- How bias and error manifest in this category of AI system
- When and how to escalate or override AI decisions
- Your organisation's data handling obligations when AI processes personal data
4. Monitor Operation and Report Problems
Deployers must monitor the operation of the high-risk AI system on the basis of the instructions for use, and inform providers and, where applicable, distributors and market surveillance authorities when they become aware of serious incidents or malfunctioning (Art.26(4)).
What this means in practice:
- Establish ongoing monitoring of AI outputs for accuracy, bias, and unusual patterns
- Define thresholds that trigger internal review (e.g., anomalously high rejection rates for a particular demographic group)
- Have a documented process for escalating incidents to the AI provider
- Know how to contact your AI provider's safety or compliance team
- For incidents that result in death, serious harm, or fundamental rights violations: report to the relevant national competent authority under Art.73 — note that Art.73 deadlines are measured in days (2 days for critical infrastructure incidents, 10 days if death is involved, 15 days for other serious incidents)
Monitoring metrics to track:
- Output distribution over time (does the distribution shift unexpectedly?)
- Override rates (are human reviewers rejecting AI recommendations unusually often?)
- Error rates by category (are certain input types producing systematically worse outputs?)
- Feedback loop signals (are affected persons disputing decisions at elevated rates?)
5. Retain Logs
Deployers must keep the logs automatically generated by the high-risk AI system to the extent that such logs are under their control (Art.26(5)).
Minimum retention: The logs must be kept for the period necessary to fulfil obligations under the AI Act, but at minimum for 6 months. For sectors subject to additional sector-specific regulation (financial services, healthcare), longer periods may apply.
What to log:
- Input data that triggered high-stakes decisions (subject to GDPR minimisation principles)
- Timestamps and context of AI-assisted decisions
- Any human override events and the reason given
- System configuration at the time of decision (model version, threshold settings)
- Incidents reported to providers or authorities
Practical note: Many third-party AI APIs do not log inputs and outputs on your behalf. You must implement your own logging layer. Do not rely on the AI provider's retention policy to satisfy this obligation.
6. Inform Workers Before Deploying AI in the Workplace
If you are deploying a high-risk AI system to monitor, manage, or evaluate employees — for example, AI-assisted performance management, scheduling, or productivity monitoring — you must inform both the workers and their representatives before deployment (Art.26(6)).
What this means in practice:
- Notify workers' representatives (works council, union, etc.) in advance, not after the fact
- Provide clear information about what the system does, what data it processes, and how decisions are made
- Document the notification and any consultation process
- In most EU member states, works council information and consultation rights pre-date the AI Act — your notification process must satisfy both frameworks
This obligation applies specifically when:
- You use AI to monitor employee behaviour or productivity
- AI influences hiring, promotion, or termination decisions
- AI allocates work or manages shift scheduling
7. Register in the EU AI Database Where Required
Deployers of high-risk AI systems in certain categories must register their deployment in the EU-wide AI database before the system is put into service (Art.26(7), referencing the registration obligations in Art.49).
Registration is required when:
- The AI system is classified as high-risk under Annex III
- The deployer is a public body, or operates essential public services, or the system is used in law enforcement or migration contexts
Registration is NOT required for: purely internal use by private companies for their own employees (e.g., an HR tool used only internally), or AI systems deployed by SMEs in lower-risk Annex III sub-categories where the provider has already registered.
Check the EU AI Act Database at https://aiact.eu once it goes live in 2026 for the formal registration interface. Registration details include: the deployer's name and contact information, the AI system's intended purpose and the specific Annex III category, the geographic area of deployment.
Fundamental Rights Impact Assessment (Art.27)
Beyond Art.26, Art.27 requires certain deployers to carry out a fundamental rights impact assessment before putting the high-risk AI system into service. This applies to:
- Public bodies deploying high-risk AI
- Private deployers providing publicly accessible services in categories 5–8 of Annex III (credit scoring, insurance, law enforcement support, migration services, justice administration)
The assessment must cover:
- The specific rights that could be affected (right to non-discrimination, privacy, due process, access to justice)
- The scope of individuals affected and any particularly vulnerable groups
- The safeguards implemented and their adequacy
- Residual risks and how they will be monitored
Submit the completed assessment to the relevant national competent authority upon request.
Who Is the Competent Authority for Your Deployment?
Each EU member state designates a national competent authority (NCA) for AI Act enforcement. For deployers:
- The relevant NCA is typically in the member state where you are established
- If you are established outside the EU but deploy to EU users, the NCA of the member state where users are located has jurisdiction
- Sectoral regulators (banking authority, insurance authority, data protection authority) may share oversight for AI systems in regulated sectors
NCAs will become fully operational by 2 August 2026 alongside the full entry into force of deployer obligations.
The 2 August 2026 Deadline: What Must Be Ready
| Obligation | Who | When Required |
|---|---|---|
| Use according to instructions | All high-risk AI deployers | 2 August 2026 |
| Human oversight assignment | All high-risk AI deployers | 2 August 2026 |
| AI literacy training | All high-risk AI deployers | 2 August 2026 |
| Monitoring system | All high-risk AI deployers | 2 August 2026 |
| Log retention (≥6 months) | All high-risk AI deployers | 2 August 2026 |
| Worker notification | Deployers using AI in workplace | Before first deployment |
| Registration in EU database | Public bodies + certain private deployers | 2 August 2026 |
| Fundamental rights impact assessment | Public bodies + Art.27 private deployers | Before first deployment |
28-Item Compliance Checklist for Art.26 Deployers
Classification (items 1–5)
- 1. Identified all AI features in your product
- 2. Classified each AI feature against the Annex III categories
- 3. Documented the classification decision with rationale
- 4. Verified with your AI provider(s) whether their systems are high-risk
- 5. Determined whether any feature that appeared low-risk has now been modified in a way that shifts classification
Instructions and Intended Use (items 6–9)
- 6. Obtained and read the provider's instructions for use for each high-risk AI system
- 7. Documented your intended use case and verified it matches the provider's stated intended purpose
- 8. Confirmed you are not using the system for purposes outside its stated scope
- 9. Documented what happens if your use case evolves (process to re-check alignment)
Human Oversight (items 10–14)
- 10. Named the person(s) responsible for human oversight of each high-risk AI deployment
- 11. Verified those persons have sufficient competence to understand and evaluate AI outputs
- 12. Implemented genuine override capability in your product workflows
- 13. Documented the oversight structure in your quality management documentation
- 14. Tested the override process (confirm it works in production, not just in theory)
AI Literacy (items 15–17)
- 15. Identified all staff who operate or supervise high-risk AI systems
- 16. Completed baseline AI literacy assessment for those staff
- 17. Delivered tailored training covering system capabilities, limitations, and escalation procedures
Monitoring and Incident Response (items 18–21)
- 18. Defined monitoring metrics and thresholds for each high-risk AI deployment
- 19. Assigned responsibility for ongoing monitoring
- 20. Documented the incident escalation process including how to contact AI providers
- 21. Verified you know the Art.73 reporting requirements for serious incidents
Logging (items 22–24)
- 22. Implemented logging for all high-risk AI decision events
- 23. Verified log retention is at least 6 months (or longer per sector rules)
- 24. Confirmed logs are stored in a way that makes them accessible for regulatory review
Workers and Registration (items 25–28)
- 25. Identified any AI deployments that affect your employees directly
- 26. Completed works council / employee notification process where required
- 27. Determined whether you must register in the EU AI database
- 28. Prepared the fundamental rights impact assessment where Art.27 applies
Common Misconceptions About Art.26
"We just use an API, the provider is responsible." Wrong. Using an AI API makes you a deployer, not a provider. You bear the Art.26 obligations regardless of where the model was built.
"We are a startup, so SME exemptions apply." SME provisions under the AI Act primarily benefit providers in terms of reduced documentation and support from sandbox programmes. Deployer obligations under Art.26 apply to organisations of all sizes. Startup status does not exempt you from human oversight or logging requirements.
"Our AI is general-purpose, so Annex III doesn't apply." The classification is based on how you deploy and use the AI, not on whether the underlying model is general-purpose. If you use a general-purpose model (GPAI) for a high-risk use case (e.g., CV screening), you are deploying a high-risk AI system.
"Our data processor handles GDPR, so we're covered." GDPR and the AI Act have overlapping but non-identical requirements. Your DPA covers personal data processing obligations. The AI Act adds human oversight, logging, and monitoring requirements that your DPA does not address.
Next in the EU-AI-ACT-DEPLOYER-SPRINT-2026 Series
This post is the first in our five-part deployer sprint series running up to the 2 August 2026 deadline:
- Art.26 Deployer Obligations (this post) — the foundational overview
- Conformity Assessment — self-assessment vs. third-party for high-risk AI deployers
- Art.11 Technical Documentation — what deployers must maintain vs. what providers must supply
- Art.14 Human Oversight — detailed implementation guide for SaaS platforms
- Deployer Sprint Finale — complete August readiness checklist
EU compliance on EU infrastructure: sota.io provides managed PaaS with GDPR-compliant deployment on Hetzner Germany — no CLOUD Act exposure, no US parent company, and deployment documentation that simplifies your AI Act technical documentation requirements. Start your EU-sovereign deployment.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.