§ EU AI Act · Article 26
AI Act Article 26: Obligations, Deadlines & Penalties
At a glance
Article 26 of the AI Act imposes 15 obligations on deployer. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 26
Obligation 1
Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 2
Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
assign
- Deadline
-
—
- Penalty
-
—
Obligation 3
To the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 4
Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
monitor
- Deadline
-
—
- Penalty
-
—
- Exemptions
- Financial institutions subject to requirements regarding their internal governance under Union financial services law are deemed to fulfill this by complying with those rules.
Obligation 5
Where deployers have reason to consider that the use of the high-risk AI system may result in a risk, they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
inform
- Deadline
-
without undue delay
- Penalty
-
—
- Exemptions
- This obligation shall not cover sensitive operational data of deployers of AI systems which are law enforcement authorities.
Obligation 6
Where deployers have identified a serious incident, they shall also immediately inform first the provider, and then the importer or distributor and the relevant market surveillance authorities of that incident.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
inform
- Deadline
-
immediately
- Penalty
-
—
Obligation 7
Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
keep
- Deadline
-
at least six months
- Penalty
-
—
- Exemptions
- Unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data.
Obligation 8
Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers’ representatives and the affected workers that they will be subject to the use of the high-risk AI system.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
inform
- Deadline
-
before putting into service or using
- Penalty
-
—
Obligation 9
Deployers of high-risk AI systems that are public authorities, or Union institutions, bodies, offices or agencies shall comply with the registration obligations referred to in Article 49.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Sector scope
- public authorities, Union institutions, bodies, offices or agencies
- Action required
-
comply
- Deadline
-
—
- Penalty
-
—
Obligation 10
When such deployers find that the high-risk AI system that they envisage using has not been registered in the EU database referred to in Article 71, they shall not use that system and shall inform the provider or the distributor.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Sector scope
- public authorities, Union institutions, bodies, offices or agencies
- Action required
-
inform
- Deadline
-
—
- Penalty
-
—
Obligation 11
Where applicable, deployers of high-risk AI systems shall use the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Action required
-
carry out
- Deadline
-
—
- Penalty
-
—
Obligation 12
In the framework of an investigation for the targeted search of a person suspected or convicted of having committed a criminal offence, the deployer of a high-risk AI system for post-remote biometric identification shall request an authorisation, ex-ante, or without undue delay and no later than 48 hours, by a judicial authority or an administrative authority whose decision is binding and subject to judicial review, for the use of that system.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Sector scope
- law enforcement
- Action required
-
request
- Deadline
-
no later than 48 hours
- Penalty
-
—
- Exemptions
- Except when it is used for the initial identification of a potential suspect based on objective and verifiable facts directly linked to the offence.
Obligation 13
If the authorisation requested pursuant to the first subparagraph is rejected, the use of the post-remote biometric identification system linked to that requested authorisation shall be stopped with immediate effect and the personal data linked to the use of the high-risk AI system for which the authorisation was requested shall be deleted.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Sector scope
- law enforcement
- Action required
-
stop
- Deadline
-
immediate effect
- Penalty
-
—
Obligation 14
In no case shall such high-risk AI system for post-remote biometric identification be used for law enforcement purposes in an untargeted way, without any link to a criminal offence, a criminal proceeding, a genuine and present or genuine and foreseeable threat of a criminal offence, or the search for a specific missing person.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Sector scope
- law enforcement
- Action required
-
prohibit
- Deadline
-
—
- Penalty
-
—
Obligation 15
It shall be ensured that no decision that produces an adverse legal effect on a person may be taken by the law enforcement authorities based solely on the output of such post-remote biometric identification systems.
Regulation (EU) 2024/1689, Article 26, Article 26
- Obligated entity
-
deployer
- Sector scope
- law enforcement
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
§ Deadlines
EU AI Act compliance deadlines
-
2025-02-02
Article 4 AI literacy
in_force
-
2025-02-02
Article 5 prohibitions (unacceptable risk)
in_force
-
2025-08-02
GPAI model obligations (Articles 51 to 56)
in_force
-
2026-08-02
Article 50(2) machine-readable marking (watermarking) of AI-generated content
provisionally_amended
-
2026-08-02
Article 50 transparency obligations OTHER than the 50(2) marking grace (for example disclosure that a user is interacting with an AI system)
scheduled
-
2026-08-02
Annex III stand-alone high-risk obligations
provisionally_amended
-
2026-08-02
National AI regulatory sandboxes (establishment deadline)
provisionally_amended
-
2026-12-02
NEW Article 5 prohibition: AI generation of non-consensual intimate imagery (NCII) and CSAM
provisionally_amended
-
2027-08-02
Annex I embedded (regulated-product) high-risk obligations
provisionally_amended
§ Frequently asked
Questions about Article 26
Who must comply with Article 26 of the AI Act?
+
deployer.
What does Article 26 of the AI Act require?
+
ensure assign monitor
What is the compliance deadline for AI Act Article 26?
+
at least six months; before putting into service or using; immediate effect; immediately; no later than 48 hours; without undue delay