Art 26 sets out the deployer obligations for high-risk AI systems. They are stand-alone duties owed by the deployer to the regulator and cannot be contracted away to the provider.
What are the main Art 26 deployer obligations for high-risk AI?
The principal duties: (a) take technical and organisational measures to ensure the system is used in accordance with the instructions for use, (b) assign human oversight to natural persons with the necessary competence, training and authority to intervene, (c) ensure that input data is relevant and sufficiently representative for the intended purpose where the deployer controls the input, (d) monitor the operation of the system and report serious incidents to the provider and the relevant national market-surveillance authority, (e) keep automatically generated logs for at least 6 months, (f) inform affected workers and their representatives before the system is put into service at the workplace, (g) coordinate with GDPR data protection impact assessments where relevant, and — for public bodies and certain private deployers — carry out a Fundamental Rights Impact Assessment under Art 27.
What transparency obligations do we owe to our own employees?
Art 26(7) requires deployers of high-risk AI at the workplace to inform workers' representatives and the affected workers — before the system is put into service — that they will be subject to the use of a high-risk AI system. This duty is independent of the GDPR Art 13/14 information duties and any national co-determination / works-council rules. The information must be understandable (not just a legal-technical notice) and documented.
What is a Fundamental Rights Impact Assessment (FRIA)?
Art 27 requires deployers that are bodies governed by public law, private operators providing public services, and deployers of specific high-risk AI listed in Annex III points 5(b) and 5(c) (creditworthiness and life or health insurance risk assessment) to carry out a FRIA before putting the system into service. The FRIA describes the deployer's processes in which the system will be used, the period and frequency of use, the categories of affected natural persons, the specific risks of harm and the human-oversight measures. The result must be notified to the national market-surveillance authority. A FRIA is not the same as a GDPR DPIA, but the two can be coordinated.
What does Art 50 transparency look like in practice for deployers?
Three practical things: (1) chatbots and conversational AI: end-users must be informed they are interacting with an AI system unless that is obvious to a reasonably well-informed person (Art 50(1) applies to providers, but deployer-side disclosure is best practice). (2) AI-generated or manipulated image, audio or video that constitutes a deepfake: the DEPLOYER must disclose that the content has been artificially generated or manipulated (Art 50(4)). (3) AI-generated text published to inform the public on matters of public interest: must be labelled as artificially generated unless the content has undergone human editorial review and a natural or legal person holds editorial responsibility (Art 50(4)). Disclosure must be clear, distinguishable and provided no later than at the time of the first interaction or exposure.
What does Art 4 AI literacy mean in practice, and what should a register contain?
Art 4 requires providers and deployers to take measures to ensure a 'sufficient level' of AI literacy for staff and other persons operating or using AI systems on their behalf, taking into account their technical knowledge, experience, education, training and the context of use. A useful register typically contains: a list of roles with AI exposure, competency requirements per role, completed training activities (date, content, attendee list), evaluation method, and documentation of ongoing follow-up. The required level is contextual — an HR administrator using Copilot for candidate communication needs a different level than a data scientist training your own models.