Acta acta.ink

Art. 26 Deployer Obligations: What the EU AI Act Means for Your Company

You're using AI. Under Art. 26, that makes you a 'deployer' with specific legal obligations. Here's the plain-language breakdown.


If your company uses AI tools — ChatGPT, Claude, Gemini, Copilot, or any other AI system — the EU AI Act classifies you as a "deployer." This isn't optional. If you're established in the EU or your AI usage affects people in the EU, Art. 26 applies to you.

The enforcement date is August 2, 2026. Here's what you need to know.

What is a "deployer"?

The EU AI Act defines a deployer as any natural or legal person that uses an AI system under its authority. This is deliberately broad. You don't need to build AI — you just need to use it.

If your employees use ChatGPT through a company account, you're a deployer. If they use it through personal accounts for work purposes, you're likely still a deployer — because it happens "under your authority" as an employer.

Art. 26 obligations: the plain-language version

Art. 26(1) — Technical and organisational measures

You must implement "appropriate technical and organisational measures" to ensure that you use high-risk AI systems in accordance with the instructions of use. For general-purpose AI like ChatGPT, this means having a governance framework: policies on acceptable use, technical controls on what data can be shared, and documentation of how AI is deployed.

In practice: An AI usage policy, technical controls that scan or filter what employees send to AI tools, and a record of which AI systems you use and how.

Art. 26(5) — Monitoring

You must monitor the operation of AI systems on the basis of the instructions of use. This means ongoing oversight — not a one-time risk assessment that gets filed away.

In practice: Audit logs of AI interactions, dashboards showing usage patterns, alerts for policy violations, and regular reviews of how AI is being used across the organisation.

Art. 26(7) — Worker information

Before putting an AI system into use in the workplace, deployers who are employers shall inform workers' representatives and affected workers that they will be subject to the use of the AI system.

In practice: Clear communication to employees about which AI tools are in use, how they're monitored, and what their rights are. This goes hand-in-hand with Art. 4 literacy requirements.

What about GDPR obligations?

The EU AI Act doesn't replace GDPR — it sits alongside it. If your AI usage involves personal data (and it almost certainly does), you also need:

  • Art. 35 GDPR — DPIA: A Data Protection Impact Assessment for AI processing that's likely to result in high risk
  • Art. 9 GDPR — Special categories: If health, biometric, political, or other sensitive data could enter the AI system, you need an explicit legal basis
  • Art. 33 GDPR — Breach notification: If a data breach occurs involving AI-processed personal data, you have 72 hours to notify the supervisory authority

The provider vs. deployer split

This is the part most companies misunderstand. OpenAI, Anthropic, Google, and Microsoft have their own obligations under the EU AI Act — as providers. They handle Art. 16 (registration), Art. 17 (quality management), Art. 18 (technical documentation), and Art. 22 (EU declaration of conformity).

None of this exempts you from your deployer obligations. Think of it like renting an office: the landlord ensures the building meets fire safety codes, but you're still responsible for your own fire evacuation plan. The provider makes the AI system compliant. You make your use of it compliant.

What are the penalties?

The EU AI Act's penalty framework includes fines of up to:

  • €35 million or 7% of global turnover for the most serious violations
  • €15 million or 3% of turnover for less serious violations
  • €7.5 million or 1% of turnover for supplying incorrect information

For SMEs and startups, the Act specifies proportionate maximum amounts. The exact penalty depends on the nature and severity of the infringement, but regulators have made clear that "we didn't know" is not a defence.

A practical compliance roadmap

  1. Inventory — document every AI system in use (including shadow AI)
  2. Classify — determine which uses could be considered high-risk
  3. Assess — conduct DPIAs and, where applicable, Fundamental Rights Impact Assessments (Art. 27)
  4. Control — implement technical measures (PII scanning, access controls, usage policies)
  5. Monitor — set up audit logging and ongoing oversight
  6. Train — ensure Art. 4 AI literacy for all users
  7. Document — maintain records of all of the above for regulatory inspection

August 2026 sounds far away. For most organisations, steps 1–7 take 3–6 months to implement properly. The time to start is now.

Disclaimer: This article provides a general overview of Art. 26 deployer obligations and does not constitute legal advice. The EU AI Act's application depends on specific circumstances including risk classification, sector, and use case. Consult qualified legal counsel for guidance specific to your organisation.
