AI Act Deployer Obligations

Definition

The EU AI Act splits responsibilities across two main roles. The provider is the AI vendor that develops or markets the model (OpenAI, Anthropic, Microsoft, Google). The deployer is the organisation that puts the AI system to use under its own authority - an Irish accountancy firm using ChatGPT Enterprise to summarise client documents is a deployer, not a provider. Article 26 of the AI Act sets out the deployer obligations for high-risk AI systems: take appropriate technical and organisational measures to use the system in accordance with the provider's instructions, assign human oversight to natural persons with the necessary competence and authority, ensure input data is relevant and sufficiently representative for the system's purpose, monitor the system's operation and retain automatically generated logs for at least six months, inform workers' representatives and affected workers before putting the system into service in a workplace, complete a fundamental rights impact assessment where Article 27 requires it, register the deployment in the EU database for high-risk AI systems when acting as a public body, and inform data subjects when they become the subject of an AI-driven decision. These obligations apply on top of GDPR, not instead of it. The deployer of a high-risk AI system providing recruitment shortlisting still owes GDPR Article 22 protections, a DPIA, and a DPA - the AI Act adds fundamental-rights and competence-of-overseer layers above that. Most workplace AI use cases that involve hiring, performance management, credit, education, or essential services fall into the high-risk category in Annex III and trigger deployer obligations on the Irish buyer. General-purpose AI tools used for low-stakes tasks (drafting an email, summarising a meeting note) sit outside high-risk and trigger only limited-risk transparency duties such as labelling AI-generated content where required.

Why it matters for software choice

Irish SMEs frequently assume the AI vendor handles AI Act compliance and the buyer just has to sign the contract. That is wrong for high-risk use cases - the deployer takes on its own statutory obligations covering oversight, monitoring, worker notification, and fundamental rights. Procurement teams need to know which side of the high-risk line a planned use case sits before they sign, because the answer changes who is on the hook when something goes wrong.

Authority sources

• EU AI Act Article 26 - Obligations of deployers of high-risk AI systems (artificialintelligenceact.eu)
• EU AI Act - Regulation (EU) 2024/1689 (full text) (eur-lex.europa.eu)

Software categories this affects

Vendors covered by this term

Related terms