By PowerQuant | Updated June 2026 | Reading time: ~8 minutes
How to use this checklist
Work through each section. For every item, mark it as Done, In progress, or Not started. Any item left as “Not started” after 1 July 2026 is a concrete gap that needs an owner and a close-by date. “In progress” items need a completion date this side of 2 August 2026.
One preliminary question before you begin: have you identified which legal entity in your group is the deployer for each AI system? Article 3(4) defines the deployer as the natural or legal person that uses an AI system under its authority. If your group deploys through a subsidiary, that subsidiary is the deployer; its parent cannot simply absorb the obligation. Confirm entity mapping first.
Track 1: AI inventory (the foundation)
Every other obligation — Article 26, Article 50, Article 4 — depends on knowing which AI systems you operate. An incomplete inventory means incomplete compliance.
- You have a single, current inventory of every AI system used in any part of the employment lifecycle (recruitment, screening, assessment, work allocation, performance monitoring, termination prediction).
- Each system is classified as Annex III high-risk / limited-risk / minimal-risk / under review, with the specific Annex III point cited where applicable (for most HR-tech: point 4(a) or 4(b)).
- Provider vs. deployer is designated for each system. Where you have customised a system substantially, you have assessed whether Article 25 makes you a co-provider.
- GPAI-based tools are listed separately with the model identity, version, and the specific HR use-case for which each is used.
- The inventory has a named owner and a defined quarterly review cadence after 2 August 2026.
- Shadow AI is covered — procurement has confirmed there are no employee-procured SaaS tools or expired pilots still running that the inventory does not reflect.
Track 2: Article 4 — AI literacy (already late)
Article 4 has been in force since 2 February 2025. It is not an August 2026 obligation. If you are reading this in mid-2026 and your organisation does not have a documented AI literacy programme, you are already non-compliant.
- Role-based literacy mapping exists: every employee and contractor who operates, oversees, or uses an AI system on the organisation's behalf has been identified.
- Training is documented per person: each person has a training record with date, content scope, and the system(s) it covers.
- Oversight roles have enhanced training: the people named as human-oversight roles under Article 26(2) have documented competency for the specific system, not generic AI awareness.
- A refresher cadence is set: training is not a one-time event. There is a defined cycle (typically annual) and a trigger for out-of-cycle retraining (new system, significant provider update).
- The programme covers Article 50 obligations: staff who produce or review AI-generated content that reaches candidates or employees know the 2 August 2026 disclosure duties.
Track 3: Article 26 — per-system deployer evidence
For every Annex III high-risk system in your inventory, you should hold the following evidence. “Hold” means it is retrievable within 24 hours — not that you believe a vendor could produce it if asked nicely.
From the provider
- Instructions for use (Art. 13) — current version, stored in your system record. Note the version date; if the provider has released an update after you last checked, re-request.
- EU declaration of conformity (Art. 47) — or, if conformity assessment is not yet complete, written confirmation of timeline and interim risk-mitigation measures.
- EU database registration confirmation (Art. 49) — the provider's registration reference number for the system.
- Human-oversight capability documentation (Art. 14) — how the system enables an operator to monitor, override, or suspend it.
- Log export documentation — what logs are generated automatically, how to export them, and whether retention can be extended to at least six months.
From your own organisation
- Standard operating procedure documenting how the system is used and by whom, with explicit confirmation that use follows the provider's instructions for use (Art. 26(1)).
- Named human oversight role (Art. 26(2)) with a role description that includes the authority to intervene, override, or suspend, and the training records supporting the competence claim.
- Input data governance note (Art. 26(4)) identifying which input fields are within the deployer's control and confirming they are relevant and sufficiently representative.
- Log retention configuration confirmed (Art. 26(6)) — retention is at least six months; GDPR retention obligations have been checked for conflicts.
- Worker information notice delivered (Art. 26(7)) — proof that affected workers and, where applicable, workers' representatives were informed before the system went live. For systems already in use: retrospective notice delivered and timestamped.
- Affected-person disclosure mechanism (Art. 26(11)) — candidates, employees, or contractors subject to the system are informed. Decision letters, rejection emails, or onboarding communications contain the required notice.
- Article 86 explanation path — individuals can request a meaningful explanation of AI-assisted decisions. The internal procedure for handling such requests is documented and tested.
- FRIA assessed (Art. 27) — Article 27 applies directly to public-sector bodies and operators of certain public services; private HR-tech deployers should document their assessment of whether it applies, and if not, why.
- Incident and malfunction escalation path — the procedure for escalating a serious incident to the provider and, where required, to the market-surveillance authority (Art. 26(5), Art. 73) is documented and assigned.
- DPIA updated (Art. 26(9)) — where applicable under GDPR Article 35, the DPIA explicitly incorporates the provider's Article 13 information.
Track 4: Article 50 — transparency (2 August 2026)
Article 50 applies from 2 August 2026 regardless of whether a system is classified as high-risk. It covers four distinct scenarios.
- AI chatbot / assistant notice (Art. 50(1)) — every AI system that interacts directly with candidates or employees shows a clear disclosure that it is AI, unless the context makes this obvious.
- Emotion-recognition and biometric categorisation notice (Art. 50(3)) — deployers using these systems in any context (interview scoring, candidate assessment, workplace monitoring) inform affected persons before or at the point of exposure.
- Deep-fake disclosure (Art. 50(4)) — training videos, synthetic avatars, AI-generated imagery used in HR communications carry a clear disclosure that the content was artificially generated or manipulated.
- AI-generated text in public-interest communications (Art. 50(4)) — where AI generates text intended to inform the public (e.g. published DEI reports, investor communications generated by AI), disclosure or human editorial responsibility is documented.
- Vendor-side marking confirmed — for generative AI tools, the vendor has confirmed that Art. 50(2) machine-readable marking is implemented and that the marking survives common transformations (copy-paste, PDF export).
What to do if you have gaps
Prioritise by risk and lead time:
- Inventory gaps come first — nothing else can be fixed without knowing what you are fixing it for. If your inventory is incomplete, run a rapid discovery sprint (IT + finance + structured interviews across HR teams) in the next two weeks.
- Worker information notices have the longest lead time for systems involving works-council consultation. Start immediately.
- Vendor evidence gaps (missing DoC, no instructions for use) require vendor outreach. Send a structured evidence request to every high-risk provider this week; two weeks of silence tells you something material about your vendor's own readiness.
- Article 50 transparency notices are usually quick to fix — a disclosure line in the right place in a chatbot UI or email template. Do not let them slip for want of a single paragraph of copy.
- Article 4 backlog needs an owner. If training has not happened, prioritise the people in oversight roles first; general awareness training for all AI users second.
The Digital Omnibus wildcard
The provisional political agreement of 7 May 2026 proposes to postpone stand-alone Annex III applicability to 2 December 2027 (proposed; not yet adopted). If this is formally adopted before 2 August 2026, the Annex III high-risk obligations in Track 3 above would not technically be enforceable until the new date. Track 1 (inventory), Track 2 (Art. 4 literacy), and Track 4 (Art. 50 transparency) are not affected by the proposal — those dates do not move under the Omnibus.
The practical recommendation: do not stand down Track 3 on the basis of a proposal that has not yet been published in the Official Journal. The evidence you collect is not wasted if the date moves — it is exactly the evidence you will need in December 2027, and your enterprise customers' procurement teams will ask for it in 2026 regardless.
Sources
- Regulation (EU) 2024/1689 (AI Act), Articles 3, 4, 6, 13, 14, 25, 26, 27, 47, 49, 50, 73, 79, 86, 99 and Annex III — eur-lex.europa.eu/eli/reg/2024/1689/oj
- Council of the EU press release — Digital Omnibus provisional agreement, 7 May 2026: consilium.europa.eu
- European Commission — AI Act implementation timeline: ai-act-service-desk.ec.europa.eu
Note: PowerQuant supplies software and documentation for use in your internal compliance process — not legal advice. Whether each Article 26 paragraph applies depends on your specific deployment context.