AI Act Obligations for Deployers
A complete, article-by-article reference for AI Act deployers — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 27 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.
Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.
Regulation (EU) 2024/1689 — CELEX 32024R1689
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.
Who is a deployer?
A deployer is any natural or legal person, public authority, agency, or other body that uses an AI system under its own authority in a professional or organisational context, excluding use in the course of purely personal, non-professional activities.
27 obligation paragraphs in the AI Act are addressed to the Deployer role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.
Jump to an article
- Article 2 - Scope
- Article 4 - AI literacy
- Article 14 - Human oversight
- Article 25 - Responsibilities along the AI value chain
- Article 26 - Obligations of deployers of high-risk AI systems
- Article 27 - Fundamental rights impact assessment for high-risk AI systems
- Article 49 - Registration
- Article 50 - Transparency obligations for providers and deployers of certain AI systems
- Article 73 - Reporting of serious incidents
- Article 82 - Compliant AI systems which present a risk
- Bridge to product
- Frequently asked questions
Article 2 - Scope
Art. 2(1). This paragraph defines who is subject to the AI Act: providers placing AI systems or general-purpose AI models on the EU market, deployers established or located in the EU, and providers/deployers in third countries whose AI outputs are used in the EU.
chevron_rightSource text
Source text: “This Regulation applies to:”
In practice: Map your organisation's role (provider or deployer) and determine whether your AI systems or their outputs reach EU users. Even if your company is based outside the EU, if your AI system's output is used in the EU, you must comply. Conduct a territorial scope assessment as a first compliance step.
Article 4 - AI literacy
Art. 4. Providers and deployers of AI systems must take reasonable measures to ensure that their staff and other persons involved in operating or using AI systems on their behalf have a sufficient level of AI literacy, taking into account their technical background and the context of use. This obligation is proportionate to the individuals' existing knowledge and the specific AI systems involved.
chevron_rightSource text
Source text: “Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.”
In practice: Conduct an AI literacy gap analysis across all roles that interact with AI systems. Develop role-specific training programmes covering AI fundamentals, system-specific operation, ethical use, and risk awareness. Document training completion and periodically review literacy levels as AI systems evolve or new deployments occur.
Article 14 - Human oversight
Art. 14(4). High-risk AI systems must be provided to deployers in a way that enables the persons responsible for oversight to understand the system's capabilities and limitations, detect anomalies, be aware of automation bias, and correctly interpret the system's outputs.
chevron_rightSource text
Source text: “For the purpose of implementing paragraphs 1, 2 and 3, the high-risk AI system shall be provided to the deployer in such a way that natural persons to whom human oversight is assigned are enabled, as appropriate and proportionate:”
In practice: Include in the instructions for use explicit sections on system limitations, known failure modes, automation bias risks, and guidance on interpreting outputs, including any available interpretation tools or methods.
Art. 14(5). For high-risk AI systems used for biometric identification (Annex III point 1(a)), no action or decision may be taken by the deployer based on the system's identification output unless it has been separately verified and confirmed by at least two natural persons with the necessary competence, training, and authority. An exception applies for law enforcement, migration, border control, or asylum where Union or national law considers this requirement disproportionate.
chevron_rightSource text
Source text: “For high-risk AI systems referred to in point 1(a) of Annex III, the measures referred to in paragraph 3 of this Article shall be such as to ensure that, in addition, no action or decision is taken by the deployer on the basis of the identification resulting from the system unless that identification has been separately verified and confirmed by at least two natural persons with the necessary competence, training and authority. The requirement for a separate verification by at least two natural persons shall not apply to high-risk AI systems used for the purposes of law enforcement, migration, border control or asylum, where Union or national law considers the application of this requirement to be disproportionate.”
In practice: Implement a mandatory dual-review workflow in your deployment process for biometric identification systems, with automatic logging of both verifications. Document the exception procedure clearly if operating in law enforcement or border control contexts where the two-person rule may be waived.
Article 25 - Responsibilities along the AI value chain
Art. 25(1). Any distributor, importer, deployer, or third party becomes legally treated as a provider of a high-risk AI system—and must meet all provider obligations—if they rebrand it, substantially modify it, or change its purpose so that it becomes high-risk.
chevron_rightSource text
Source text: “Any distributor, importer, deployer or other third-party shall be considered to be a provider of a high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:”
In practice: Organisations that rebrand, substantially modify, or repurpose AI systems should conduct a legal review before doing so to determine whether they will assume full provider obligations under Article 16. Document all modifications and purpose changes in writing.
Article 26 - Obligations of deployers of high-risk AI systems
Art. 26(1). Deployers of high-risk AI systems must take appropriate technical and organisational measures to ensure they use those systems in accordance with the provider's instructions for use. This obligation is linked to the human oversight and input data requirements set out in paragraphs 3 and 6 of the same article.
chevron_rightSource text
Source text: “Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems, pursuant to paragraphs 3 and 6.”
In practice: Establish an internal policy requiring staff to read and follow the provider's instructions for use before deploying any high-risk AI system. Document the technical and organisational measures taken (e.g., access controls, staff training, configuration settings) and keep records updated whenever instructions change.
Art. 26(2). Deployers must assign human oversight responsibilities to natural persons who have the necessary competence, training, authority, and support to perform that role. This ensures that qualified individuals are in place to supervise high-risk AI system operations.
chevron_rightSource text
Source text: “Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support.”
In practice: Create a formal role assignment process for human oversight of high-risk AI systems. Define competency requirements, provide targeted training, and document the authority granted to oversight personnel. Ensure adequate resources and support structures are in place for those individuals.
Art. 26(3). The obligations in paragraphs 1 and 2 do not override other deployer obligations under Union or national law, and deployers retain the freedom to organise their own resources and activities when implementing human oversight measures indicated by the provider. This is a clarifying provision preserving legal pluralism.
chevron_rightSource text
Source text: “The obligations set out in paragraphs 1 and 2, are without prejudice to other deployer obligations under Union or national law and to the deployer’s freedom to organise its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider.”
In practice: When implementing human oversight measures, ensure compliance with both the AI Act requirements and any other applicable Union or national law (e.g., labour law, sector-specific regulations). Document how your organisational arrangements satisfy all applicable obligations simultaneously.
Art. 26(4). Where a deployer exercises control over the input data fed into a high-risk AI system, that deployer must ensure the input data is relevant and sufficiently representative for the system's intended purpose. This obligation applies without prejudice to the general obligations in paragraphs 1 and 2.
chevron_rightSource text
Source text: “Without prejudice to paragraphs 1 and 2, to the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system.”
In practice: Implement a data quality review process for any input data you control before it is fed into a high-risk AI system. Document how the data was assessed for relevance and representativeness relative to the system's intended purpose, and maintain records of these assessments.
Art. 26(5). Deployers must monitor high-risk AI system operations per the instructions for use, inform providers of risks or serious incidents without undue delay, and notify relevant market surveillance authorities. Financial institutions subject to internal governance rules under Union financial services law are deemed to fulfil the monitoring obligation by complying with those rules.
chevron_rightSource text
Source text: “Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72. Where deployers have reason to consider that the use of the high-risk AI system in accordance with the instructions may result in that AI system presenting a risk within the meaning of Article 79(1), they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system. Where deployers have identified a serious incident, they shall also immediately inform first the provider, and then the importer or distributor and the relevant market surveillance authorities of that incident. If the deployer is not able to reach the provider, Article 73 shall apply mutatis mutandis. This obligation shall not cover sensitive operational data of deployers of AI systems which are law enforcement authorities. For deployers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law, the monitoring obligation set out in the first subparagraph shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to the relevant financial service law.”
In practice: Establish a formal incident and risk monitoring procedure for each high-risk AI system in use. Define escalation paths for notifying providers, distributors, and market surveillance authorities. For financial institutions, map existing internal governance compliance to the AI Act monitoring obligation and document the equivalence. Maintain logs of all monitoring activities and notifications.
Art. 26(6). Deployers of high-risk AI systems must retain automatically generated logs for at least six months, unless other Union or national law requires otherwise. Financial institution deployers subject to Union financial services law must keep logs as part of their existing documentation obligations under that law.
chevron_rightSource text
Source text: “Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data. Deployers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law shall maintain the logs as part of the documentation kept pursuant to the relevant Union financial service law.”
In practice: Implement a log retention policy for all high-risk AI systems that defaults to a minimum of six months. For financial institution deployers, integrate AI system log retention into existing internal governance documentation frameworks under applicable Union financial services law (e.g., MiFID II, CRD IV). Ensure logs are stored securely and are accessible for audit purposes.
Art. 26(7). Deployers who are employers must inform workers' representatives and affected workers before putting a high-risk AI system into service at the workplace. This information must be provided in accordance with applicable Union and national rules on worker information and consultation.
chevron_rightSource text
Source text: “Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers’ representatives and the affected workers that they will be subject to the use of the high-risk AI system. This information shall be provided, where applicable, in accordance with the rules and procedures laid down in Union and national law and practice on information of workers and their representatives.”
In practice: Before deploying any high-risk AI system in a workplace context, establish a formal notification process for workers and their representatives. Document the notification, including the intended purpose of the AI system and the types of decisions it may influence. Align the process with existing works council or employee representative consultation procedures under national labour law.
Art. 26(8). Public authority deployers and Union institution deployers of high-risk AI systems must comply with registration obligations under Article 49. If they find that the system they intend to use is not registered in the EU database under Article 71, they must not use it and must inform the provider or distributor.
chevron_rightSource text
Source text: “Deployers of high-risk AI systems that are public authorities, or Union institutions, bodies, offices or agencies shall comply with the registration obligations referred to in Article 49. When such deployers find that the high-risk AI system that they envisage using has not been registered in the EU database referred to in Article 71, they shall not use that system and shall inform the provider or the distributor.”
In practice: Before deploying any high-risk AI system, public authority deployers should verify the system's registration status in the EU database. Establish a pre-deployment checklist that includes a database registration check. If the system is not registered, halt deployment and notify the provider or distributor immediately, documenting the notification.
Art. 26(9). Where applicable, deployers of high-risk AI systems must use the transparency information provided by the provider under Article 13 to fulfil their obligation to carry out a data protection impact assessment (DPIA) under GDPR Article 35 or Law Enforcement Directive Article 27.
chevron_rightSource text
Source text: “Where applicable, deployers of high-risk AI systems shall use the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680.”
In practice: When conducting a DPIA for a high-risk AI system, systematically incorporate the information provided by the provider in the instructions for use (Article 13 information) into the DPIA documentation. Map the AI system's data flows, risks, and intended purpose from the provider's documentation directly into the DPIA template to ensure completeness and regulatory alignment.
Art. 26(11). Deployers of high-risk AI systems listed in Annex III that make or assist in making decisions about natural persons must inform those persons that they are subject to the use of such a system. For law enforcement contexts, the notification obligation is governed by Article 13 of Directive (EU) 2016/680.
chevron_rightSource text
Source text: “Without prejudice to Article 50 of this Regulation, deployers of high-risk AI systems referred to in Annex III that make decisions or assist in making decisions related to natural persons shall inform the natural persons that they are subject to the use of the high-risk AI system. For high-risk AI systems used for law enforcement purposes Article 13 of Directive (EU) 2016/680 shall apply.”
In practice: Implement a clear, accessible notice mechanism (e.g., on-screen disclosure, written notice, or signage) informing individuals when a high-risk AI system is being used to make or assist in decisions about them. For law enforcement deployers, align the notification process with Article 13 of Directive (EU) 2016/680 rather than this provision directly.
Art. 26(12). Deployers of high-risk AI systems are required to cooperate with relevant competent authorities in any action those authorities take in relation to the high-risk AI system to implement the AI Act.
chevron_rightSource text
Source text: “Deployers shall cooperate with the relevant competent authorities in any action those authorities take in relation to the high-risk AI system in order to implement this Regulation.”
In practice: Establish internal procedures and designated contact points to respond promptly to requests from market surveillance or other competent authorities. Maintain up-to-date documentation on deployed high-risk AI systems to facilitate efficient cooperation during inspections or investigations.
GDPR cross-reference — AI Act Art. 26 ↔ GDPR Art. 35
Art. 26(9) requires deployers to use the information the provider supplies to carry out a data protection impact assessment where one is required. That obligation lives in GDPR Article 35:
chevron_rightGDPR source text
GDPR Art. 35(1): “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
GDPR Art. 35(2): “The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.”
GDPR Art. 35(3): “A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:”
GDPR Art. 35(4): “The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.”
GDPR Art. 35(5): “The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.”
GDPR Art. 35(6): “Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.”
GDPR Art. 35(7): “The assessment shall contain at least:”
GDPR Art. 35(8): “Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.”
GDPR Art. 35(9): “Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.”
GDPR Art. 35(10): “Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.”
GDPR Art. 35(11): “Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.”
Bridge: GDPR Article 35 is implemented as a control module in RuleMesh — the same control you would evidence here. Explore GDPR control modules →
Article 27 - Fundamental rights impact assessment for high-risk AI systems
Art. 27(1). Deployers of high-risk AI systems that are public bodies or private entities providing public services (with certain exceptions) must conduct a fundamental rights impact assessment before deploying the system, covering the processes, timeframes, and categories of persons affected.
chevron_rightSource text
Source text: “Prior to deploying a high-risk AI system referred to in Article 6(2), with the exception of high-risk AI systems intended to be used in the area listed in point 2 of Annex III, deployers that are bodies governed by public law, or are private entities providing public services, and deployers of high-risk AI systems referred to in points 5 (b) and (c) of Annex III, shall perform an assessment of the impact on fundamental rights that the use of such system may produce. For that purpose, deployers shall perform an assessment consisting of:”
In practice: Create a standardised FRIA template that maps each high-risk AI use case to the deployer's processes, deployment schedule, and affected population categories. Align this with existing DPIA workflows to avoid duplication.
Art. 27(2). The FRIA obligation applies to the first use of a high-risk AI system; deployers may rely on prior assessments or those conducted by the provider in similar cases, but must update the assessment if relevant elements change during use.
chevron_rightSource text
Source text: “The obligation laid down in paragraph 1 applies to the first use of the high-risk AI system. The deployer may, in similar cases, rely on previously conducted fundamental rights impact assessments or existing impact assessments carried out by provider. If, during the use of the high-risk AI system, the deployer considers that any of the elements listed in paragraph 1 has changed or is no longer up to date, the deployer shall take the necessary steps to update the information.”
In practice: Establish a review trigger mechanism within your AI governance process so that any change in deployment context, affected population, or system configuration automatically flags the need to update the FRIA.
Art. 27(3). After completing the FRIA, deployers must notify the market surveillance authority of the results by submitting the filled-out template; deployers may be exempt from this notification obligation in cases covered by Article 46(1).
chevron_rightSource text
Source text: “Once the assessment referred to in paragraph 1 of this Article has been performed, the deployer shall notify the market surveillance authority of its results, submitting the filled-out template referred to in paragraph 5 of this Article as part of the notification. In the case referred to in Article 46(1), deployers may be exempt from that obligation to notify.”
In practice: Integrate the FRIA notification step into your AI deployment workflow as a mandatory gate before go-live, and maintain a record of submissions to the market surveillance authority for audit purposes.
Art. 27(4). Where a DPIA under GDPR Article 35 or Directive 2016/680 Article 27 already satisfies FRIA obligations, the FRIA shall complement rather than replace the DPIA, avoiding unnecessary duplication.
chevron_rightSource text
Source text: “If any of the obligations laid down in this Article is already met through the data protection impact assessment conducted pursuant to Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment.”
In practice: Map your existing DPIA process against the FRIA requirements and create a combined assessment template that satisfies both obligations simultaneously, clearly documenting which elements address each requirement.
GDPR cross-reference — AI Act Art. 27 ↔ GDPR Art. 35
The Art. 27 fundamental rights impact assessment runs alongside the GDPR data protection impact assessment — Art. 27(4) lets you build on an existing DPIA under GDPR Article 35:
GDPR Article 35 is quoted in full at AI Act Art. 26 above.
Bridge: GDPR Article 35 is implemented as a control module in RuleMesh — the same control you would evidence here. Explore GDPR control modules →
Article 49 - Registration
Art. 49(3). Public authority deployers (including Union institutions and persons acting on their behalf) must register themselves, select the system, and register its use in the EU database before putting into service or using a high-risk AI system listed in Annex III (except point 2). This obligation applies specifically to public sector deployers.
chevron_rightSource text
Source text: “Before putting into service or using a high-risk AI system listed in Annex III, with the exception of high-risk AI systems listed in point 2 of Annex III, deployers that are public authorities, Union institutions, bodies, offices or agencies or persons acting on their behalf shall register themselves, select the system and register its use in the EU database referred to in Article 71.”
In practice: Public authorities should establish an internal workflow requiring EU database registration and system selection before any high-risk AI system deployment. Designate a responsible official to manage registrations and maintain up-to-date records of all deployed high-risk AI systems.
Article 50 - Transparency obligations for providers and deployers of certain AI systems
Art. 50(3). Deployers of emotion recognition or biometric categorisation systems must inform the natural persons exposed to these systems of their operation and must process personal data in compliance with applicable EU data protection law. An exception applies for AI systems permitted by law for criminal law enforcement purposes.
chevron_rightSource text
Source text: “Deployers of an emotion recognition system or a biometric categorisation system shall inform the natural persons exposed thereto of the operation of the system, and shall process the personal data in accordance with Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680, as applicable. This obligation shall not apply to AI systems used for biometric categorisation and emotion recognition, which are permitted by law to detect, prevent or investigate criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, and in accordance with Union law.”
In practice: Before deploying an emotion recognition or biometric categorisation system, prepare a clear notice for affected individuals explaining the system's operation. Conduct a DPIA under GDPR and ensure data processing agreements are in place. Document any law enforcement exception relied upon.
Art. 50(4). Deployers using AI to generate or manipulate deep fake image, audio, or video content must disclose that the content is artificially generated or manipulated; a similar obligation applies to AI-generated text published to inform the public on matters of public interest. Exceptions exist for law enforcement, artistic/satirical works (with limited disclosure), and text subject to human editorial review.
chevron_rightSource text
Source text: “Deployers of an AI system that generates or manipulates image, audio or video content constituting a deep fake, shall disclose that the content has been artificially generated or manipulated. This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offence. Where the content forms part of an evidently artistic, creative, satirical, fictional or analogous work or programme, the transparency obligations set out in this paragraph are limited to disclosure of the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work. Deployers of an AI system that generates or manipulates text which is published with the purpose of informing the public on matters of public interest shall disclose that the text has been artificially generated or manipulated. This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offences or where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content.”
In practice: Implement a clear labelling or disclosure mechanism for all deep fake content at the point of publication or distribution. For artistic or satirical works, include a disclosure that does not impair enjoyment of the work. For AI-generated public interest text, establish an editorial review process and assign editorial responsibility to avoid the disclosure obligation.
Art. 50(6). Paragraphs 1 to 4 of Article 50 do not override the requirements in Chapter III (high-risk AI systems) and do not affect any other transparency obligations that apply to deployers of AI systems under EU or national law.
chevron_rightSource text
Source text: “Paragraphs 1 to 4 shall not affect the requirements and obligations set out in Chapter III, and shall be without prejudice to other transparency obligations laid down in Union or national law for deployers of AI systems.”
In practice: Deployers should audit all applicable transparency obligations from both Chapter III of the AI Act and any sector-specific or national laws, ensuring that compliance with Article 50(1)-(4) does not substitute for those broader obligations.
Article 73 - Reporting of serious incidents
Art. 73(2). The serious incident report must be submitted immediately after establishing a causal link between the AI system and the incident, and no later than 15 days after the provider or deployer becomes aware of the incident, with the timeline adjusted for severity.
chevron_rightSource text
Source text: “The report referred to in paragraph 1 shall be made immediately after the provider has established a causal link between the AI system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the provider or, where applicable, the deployer, becomes aware of the serious incident. The period for the reporting referred to in the first subparagraph shall take account of the severity of the serious incident.”
In practice: Implement an internal escalation and triage process that starts the 15-day reporting clock from the moment any team member becomes aware of a potential serious incident, and document the causal link assessment as part of the incident record.
Art. 73(4). When a serious incident results in the death of a person, the report must be submitted immediately after the provider or deployer establishes or suspects a causal relationship with the AI system, and no later than 10 days after becoming aware of the incident.
chevron_rightSource text
Source text: “Notwithstanding paragraph 2, in the event of the death of a person, the report shall be provided immediately after the provider or the deployer has established, or as soon as it suspects, a causal relationship between the high-risk AI system and the serious incident, but not later than 10 days after the date on which the provider or, where applicable, the deployer becomes aware of the serious incident.”
In practice: Establish a specific mortality-related incident protocol that triggers an immediate internal alert and initiates the reporting process as soon as a causal link to the AI system is suspected, with a hard deadline of 10 days from awareness.
Article 82 - Compliant AI systems which present a risk
Art. 82(1). Even if a high-risk AI system complies with the AI Act, if a market surveillance authority finds it still poses a risk to health, safety, fundamental rights, or public interest, it must require the operator to take all appropriate measures to eliminate that risk without undue delay.
chevron_rightSource text
Source text: “Where, having performed an evaluation under Article 79, after consulting the relevant national public authority referred to in Article 77(1), the market surveillance authority of a Member State finds that although a high-risk AI system complies with this Regulation, it nevertheless presents a risk to the health or safety of persons, to fundamental rights, or to other aspects of public interest protection, it shall require the relevant operator to take all appropriate measures to ensure that the AI system concerned, when placed on the market or put into service, no longer presents that risk without undue delay, within a period it may prescribe.”
In practice: Operators should maintain a risk register that goes beyond regulatory compliance checklists and includes residual risk assessments. Establish a rapid-response protocol for receiving and acting on market surveillance authority directives, including a designated contact point and escalation path.
Bridge to product
Across the AI Act, the obligations that touch personal data converge on the same engineering controls GDPR already requires — and RuleMesh ships those as a ready-to-implement Jira backlog today.
- Risk management (AI Act Art. 9) ↔ GDPR Art. 32 (technical & organisational measures)
- Data governance / bias detection (Art. 10) ↔ GDPR Art. 9 (special categories) + Art. 32
- Automated logging (Art. 12) ↔ GDPR Art. 32 (audit trail / breach detection)
- Human oversight (Art. 14) ↔ GDPR Art. 22 (automated-decision safeguards)
- Deployer DPIA / FRIA (Arts. 26–27) ↔ GDPR Art. 35 (data protection impact assessment)
RuleMesh is not an AI Act compliance product — it implements GDPR control modules. But because the AI Act routes you to the exact GDPR articles RuleMesh already covers, starting with GDPR is your AI Act head start.
Frequently asked questions
Who is a deployer under the EU AI Act?
A deployer is any natural or legal person, public authority, agency, or other body that uses an AI system under its own authority in a professional or organisational context, excluding use in the course of purely personal, non-professional activities. (Source: AI Act definitions, CELEX 32024R1689.)
How many obligations does the AI Act place on deployers?
The RuleMesh knowledge graph identifies 27 obligation paragraphs addressed to the Deployer role, across Articles 2, 4, 14, 25, 26, 27, 49, 50, 73, 82.
When do AI Act deployers obligations apply?
Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.
Do the AI Act deployers obligations overlap with GDPR?
Yes. The AI Act repeatedly references specific GDPR articles and does not override GDPR — for example special-category data for bias detection (GDPR Art. 9), data protection impact assessments (GDPR Art. 35), and the technical and organisational measures of GDPR Art. 32. The two regulations require the same engineering controls.
Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.
GDPR Article 32 is your AI Act head start.
The AI Act and GDPR call for the same engineering work: risk management (Art. 9 ↔ GDPR Art. 32), data governance (Art. 10 ↔ GDPR Art. 9), logging (Art. 12 ↔ GDPR Art. 32), human oversight (Art. 14 ↔ GDPR Art. 22), incident reporting (Arts. 72/73 ↔ GDPR Arts. 33/34). RuleMesh delivers the GDPR side today: structured IT requirements your engineers and AI agents implement through the MCP. The AI Act's requirements are coming to the same MCP.