§ EU AI Act · Article 26

AI Act Article 26: Obligations, Deadlines & Penalties

Regulation (EU) 2024/1689, Article 26 · All obligations · EU AI Act · Full article analysis
At a glance
Article 26 of the AI Act imposes 15 obligations on deployer. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 26

Obligation 1
Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
ensure
Deadline
Penalty
Obligation 2
Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
assign
Deadline
Penalty
Obligation 3
To the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
ensure
Deadline
Penalty
Obligation 4
Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
monitor
Deadline
Penalty
Exemptions
Financial institutions subject to requirements regarding their internal governance under Union financial services law are deemed to fulfill this by complying with those rules.
Obligation 5
Where deployers have reason to consider that the use of the high-risk AI system may result in a risk, they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
inform
Deadline
without undue delay
Penalty
Exemptions
This obligation shall not cover sensitive operational data of deployers of AI systems which are law enforcement authorities.
Obligation 6
Where deployers have identified a serious incident, they shall also immediately inform first the provider, and then the importer or distributor and the relevant market surveillance authorities of that incident. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
inform
Deadline
immediately
Penalty
Obligation 7
Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
keep
Deadline
at least six months
Penalty
Exemptions
Unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data.
Obligation 8
Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers’ representatives and the affected workers that they will be subject to the use of the high-risk AI system. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
inform
Deadline
before putting into service or using
Penalty
Obligation 9
Deployers of high-risk AI systems that are public authorities, or Union institutions, bodies, offices or agencies shall comply with the registration obligations referred to in Article 49. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Sector scope
public authorities, Union institutions, bodies, offices or agencies
Action required
comply
Deadline
Penalty
Obligation 10
When such deployers find that the high-risk AI system that they envisage using has not been registered in the EU database referred to in Article 71, they shall not use that system and shall inform the provider or the distributor. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Sector scope
public authorities, Union institutions, bodies, offices or agencies
Action required
inform
Deadline
Penalty
Obligation 11
Where applicable, deployers of high-risk AI systems shall use the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Action required
carry out
Deadline
Penalty
Obligation 12
In the framework of an investigation for the targeted search of a person suspected or convicted of having committed a criminal offence, the deployer of a high-risk AI system for post-remote biometric identification shall request an authorisation, ex-ante, or without undue delay and no later than 48 hours, by a judicial authority or an administrative authority whose decision is binding and subject to judicial review, for the use of that system. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Sector scope
law enforcement
Action required
request
Deadline
no later than 48 hours
Penalty
Exemptions
Except when it is used for the initial identification of a potential suspect based on objective and verifiable facts directly linked to the offence.
Obligation 13
If the authorisation requested pursuant to the first subparagraph is rejected, the use of the post-remote biometric identification system linked to that requested authorisation shall be stopped with immediate effect and the personal data linked to the use of the high-risk AI system for which the authorisation was requested shall be deleted. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Sector scope
law enforcement
Action required
stop
Deadline
immediate effect
Penalty
Obligation 14
In no case shall such high-risk AI system for post-remote biometric identification be used for law enforcement purposes in an untargeted way, without any link to a criminal offence, a criminal proceeding, a genuine and present or genuine and foreseeable threat of a criminal offence, or the search for a specific missing person. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Sector scope
law enforcement
Action required
prohibit
Deadline
Penalty
Obligation 15
It shall be ensured that no decision that produces an adverse legal effect on a person may be taken by the law enforcement authorities based solely on the output of such post-remote biometric identification systems. Regulation (EU) 2024/1689, Article 26, Article 26
Obligated entity
deployer
Sector scope
law enforcement
Action required
ensure
Deadline
Penalty
§ Deadlines

EU AI Act compliance deadlines

§ Frequently asked

Questions about Article 26

Who must comply with Article 26 of the AI Act? +
deployer.
What does Article 26 of the AI Act require? +
ensure assign monitor
What is the compliance deadline for AI Act Article 26? +
at least six months; before putting into service or using; immediate effect; immediately; no later than 48 hours; without undue delay
Need a cross-border briefing on AI Act Article 26?
Search Fontvera ↵
All EU obligation pages  ·  All EU AI Act articles  ·  AI Act Article 26 deep analysis