Deployer compliance checklist (Article 26, paragraphs 1-12)

Requirement: Take appropriate technical and organisational measures so that the high-risk AI system is used according to the instructions for use accompanying the system.

Evidence to hold: Standard operating procedure per system; signed acknowledgement from each operator that they have received the instructions for use.

Requirement: Human oversight must be assigned to natural persons who have the necessary competence, training and authority, and the necessary support.

Evidence to hold: Named oversight role with role description; training records mapped to Article 4; documented authority to intervene or suspend.

Requirement: Paragraphs 1 and 2 are without prejudice to other deployer obligations and to the deployer's freedom to organise its own resources and activities to implement the human-oversight measures indicated by the provider.

Evidence to hold: Internal note mapping Article 26 duties against parallel obligations under GDPR, sectoral law and works-council agreements.

Requirement: To the extent the deployer exercises control over input data, the deployer shall ensure that the input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system.

Evidence to hold: Data-governance policy; control inventory identifying which input fields the deployer (vs. provider) owns; documented data quality checks on the controlled fields.

Requirement: Monitor operation on the basis of the instructions for use. Where the deployer has reason to consider that use may present a risk within the meaning of Article 79(1), inform the provider or distributor and the market-surveillance authority without undue delay and suspend the use of the system. Report serious incidents per Article 73.

Evidence to hold: Monitoring runbook; incident log with timestamps; escalation path to provider and competent authority; documented suspension procedure.

Requirement: Keep the logs automatically generated by the high-risk AI system to the extent they are under the deployer's control. Retention is at least 6 months unless other applicable Union or national law (notably GDPR) requires otherwise.

Evidence to hold: Log export procedure; retention policy; immutable storage evidence; integration with GDPR retention rules.

Requirement: Employers who are deployers of a high-risk AI system in the workplace must, prior to putting it into service or use, inform workers' representatives and the affected workers that they will be subject to its use.

Evidence to hold: Works-council briefing minute; written notice to affected employees dated before go-live; intranet publication evidence.

Requirement: Deployers that are public authorities, agencies or bodies, or Union institutions, bodies, offices or agencies, shall register their use of high-risk AI systems in the EU database referred to in Article 71 before putting them into service.

Evidence to hold: Confirmed registration; internal reference to the Annex VIII Section C data submitted.

Requirement: Where applicable, deployers shall use the information provided under Article 13 to comply with their data-protection-impact-assessment obligation under Article 35 GDPR. The DPIA remains the deployer's responsibility.

Evidence to hold: DPIA document explicitly referencing the provider's Article 13 instructions; DPO sign-off; periodic-review cadence.

Requirement: Deployers of post-remote biometric identification systems in the context of investigations for a targeted search of a suspected or convicted person must request prior authorisation from a judicial or administrative authority whose decision is binding (with the limited exemption in Article 26(10)).

Evidence to hold: Authorisation log per use; internal review of timeliness; restricted to law-enforcement deployers — does not apply to HR-tech.

Requirement: Deployers of high-risk AI systems referred to in Annex III that make decisions, or assist in making decisions, related to natural persons must inform the persons concerned that they are subject to the use of the high-risk AI system.

Evidence to hold: Standardised disclosure text embedded in decision letters (offer, rejection, performance review); audit trail showing the disclosure was sent.

Requirement: Deployers shall cooperate with the relevant competent authorities on any action those authorities take in relation to the high-risk AI system to implement this Regulation.

Evidence to hold: Single point of contact identified; document-production playbook; legal-hold procedure for AI-system records.

Requirement: Providers and deployers shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account technical knowledge, experience, education, training and the context of use. In force since 2 February 2025.

Evidence to hold: Role-based literacy mapping; documented training per person with timestamp; refresher cadence.

Requirement: Providers shall ensure that AI systems intended to interact directly with natural persons are designed so that those persons are informed they are interacting with an AI system, unless this is obvious from the context. Applies from 2 August 2026.

Evidence to hold: Disclosure copy reviewed; placement near first point of interaction; accessibility check.

Requirement: Deployers of emotion-recognition systems or biometric-categorisation systems shall inform the natural persons exposed to the system of its operation and process personal data in accordance with the GDPR and the Law Enforcement Directive. Applies from 2 August 2026.

Evidence to hold: Pre-exposure notice; lawful-basis assessment under GDPR; record of any explicit consent if relied upon.

Requirement: Deployers of an AI system that generates or manipulates image, audio or video content constituting a deep fake shall disclose that the content has been artificially generated or manipulated. Deployers of AI systems generating text published with the purpose of informing the public on matters of public interest must disclose the AI generation, with limited exemptions. Applies from 2 August 2026.

Evidence to hold: Standard disclosure caption; editorial workflow check; exemption-rationale memo if relying on Article 50(4) exemption.