DE | EN

Deployer Obligations Under the EU AI Act

Deployer obligations

Most companies that use AI do not develop it themselves. They deploy ready-made systems, integrate them into existing processes and work with them. In the language of the EU AI Act, that makes them deployers. This role comes with its own obligations, which differ clearly from those of a provider.

The three roles at a glance

The EU AI Act distinguishes three central roles along the AI value chain. The role determines which obligations apply to a company.

Providers develop AI systems, or have them developed, and place them on the market under their own name. They carry the most comprehensive obligations: conformity assessment, technical documentation, CE marking, a quality management system. For most small and medium-sized enterprises this is not the relevant role.

Deployers use AI systems under their own responsibility for professional purposes. Whoever uses an AI-based HR tool, runs a chatbot on their website or uses Microsoft Copilot in daily work is a deployer. The obligations are less extensive than the provider’s, but by no means trivial.

Distributors make AI systems available on the EU market without developing or deploying them themselves. For most user companies this role does not apply.

The role is determined per AI system. A company can take on different roles for different systems. A complete AI register documents not only the existing systems, but also the respective role.

When a deployer becomes a provider

An important special case: under certain circumstances a deployer becomes a provider and takes on the provider’s extensive obligations. This happens in three cases. First, when the AI system is distributed under your own name or brand. Second, when a substantial modification is made to the system. Third, when the intended purpose is changed so that a previously non-critical system becomes a high-risk system.

Substantial modifications are more than mere configuration. Fine-tuning with your own data, training new models or fundamental changes to how the system works can trigger the role change. Whoever only adjusts settings or optimizes prompts remains a deployer.

Obligations depend on the risk class

The specific deployer obligations depend on which risk class the deployed AI system falls into. For high-risk systems the most comprehensive requirements apply under Article 26. For systems with limited risk, transparency obligations under Article 50 apply. For minimal risk there are no specific deployer obligations beyond the general AI literacy.

High-risk: the full list of obligations

Deployers of high-risk AI systems must take appropriate technical and organizational measures to use the system in line with the provider’s instructions for use. That sounds obvious, but in practice it is often the biggest weak point. The instructions must not only exist, but also be followed, and compliance documented.

Human oversight is another central obligation. Deployers must assign oversight to natural persons who have the necessary competence, training and authority. The system must not decide fully autonomously when people are affected. Whoever exercises this oversight must be qualified accordingly.

Input data, insofar as it is under the deployer’s control, must match the intended purpose and be representative. Whoever feeds a recruiting tool with biased or incomplete data violates this obligation.

Logging requires automatically generated logs to be kept for at least six months. These logs are relevant for audits, incident analysis and proof of proper use.

The monitoring obligation means observing operation against the instructions for use and, in the event of risks or serious incidents, informing the provider and the market surveillance authority. Where risks are identified, use must be suspended.

Employers who deploy high-risk systems in the workplace have additional information obligations towards employee representatives and affected employees. This applies before deployment, not only afterwards.

Certain deployers must also carry out a fundamental rights impact assessment. This concerns public bodies, companies that provide public services, and banks and insurers in creditworthiness checks or risk assessments.

Limited risk: transparency comes first

For AI systems with limited risk, the obligations are more manageable. Article 50 primarily requires transparency. Users must know they are interacting with an AI. This concerns chatbots, deepfakes and AI-generated content. The labelling obligation lies partly with the provider, partly with the deployer.

The practical starting point

Before obligations can be met, it must be clear which AI systems exist in the company and which risk class they belong to. The risk class does not follow from the system itself, but from the specific use case. The same AI model can be minimal or high-risk depending on its purpose.

A systematic recording process creates the necessary basis. From asset to use case, from use case to risk class, from risk class to the specific obligations. The NADOVO framework maps this path in a structured way. The DISCOVER phase records the assets, the DEFINE phase assigns use cases and risk classes to them.

The deployer obligations are no reason to panic, but also not a formality. Whoever understands them early and approaches them systematically avoids a scramble before August 2026 and at the same time creates the basis for responsible AI use.


About the author

Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.

Further reading:

© 2026 Jochen Stier / contoro.solutions