WARRANT
[email protected] Open the demo →
ENTRY № 27 · STATUTORY READING · EU AI ACT, ART. 26
PUBLISHED 2026-05-11 · ~13-MIN READ · WARRANT COMPLIANCE

Article 26, line by line.

Twelve paragraphs. One column of the Official Journal. Article 26 binds every deployer of a high-risk AI system to a stack of operational duties that runs from the first use of the system to the last. Use per the instructions for use. Staff competent human oversight. Watch the input data. Monitor the run. Report serious incidents. Retain logs for at least six months. Inform workers, inform data subjects, register with the EU database, perform a data protection impact assessment, perform a fundamental rights impact assessment under Article 27, cooperate with regulators. Application 2026-08-02, subject to the May 2026 Omnibus provisional deferral to 2027-12-02. The provider gets Articles 12, 13 and 14. The deployer gets Article 26.

Warrant is regulator-grade evidence infrastructure for AI agents in regulated industries: drop an agent's execution trace, get a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant.

AUDIENCE
Deployers
Banks, insurers, hospitals, employers, public authorities running high-risk AI.
APPLICATION
2026-08-02
Subject to provisional Omnibus deferral to 2027-12-02 (May 2026 trilogue, pending OJEU).
FRIA
Art. 27
Fundamental Rights Impact Assessment for certain deployers under the Article 27(1) trigger.
01 · WHO IS A DEPLOYER · ART. 3(4)

Who is a deployer.

'deployer' means a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity. Regulation (EU) 2024/1689 · Article 3(4) · 13 June 2024

Two definitions sit next to each other in Article 3 and the gap between them runs all the way through the regulation. Article 3(3) names the provider as the person who develops a high-risk AI system, or has it developed, and places it on the Union market or puts it into service under their own name or trademark. Article 3(4) names the deployer as the person using the system under their authority, in any setting other than personal non-professional use.

Most banks, insurers, hospitals, employers and public authorities running AI in 2026 are deployers, not providers. They buy the system from a third-party vendor or use a managed service hosted by that vendor. They configure it for their use case. They feed it customer data. They make decisions off its outputs. They are the operative party at the moment a natural person is affected.

The article between them, Article 25, governs the boundary. Article 25(1) lists three situations in which a person becomes a provider of an existing high-risk AI system. Putting their name or trademark on it. Modifying it substantially under Article 3(23). Modifying its intended purpose so that an AI system not previously classified as high-risk becomes high-risk. The deployer who fine-tunes a vendor's foundation model on their own customer data, ships it under their own brand and routes it at customers can find themselves on the provider side of Article 16, with the full Article 12 logging duty and the full Article 11 technical documentation duty bolted on overnight.

Most regulated deployers will not cross that line. The mass case is the bank that buys a vendor credit-scoring system and uses it under contract. That bank carries Article 26.

02 · § 26(1) · MEASURES AND IFU

Use the system per the instructions for use.

Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems, pursuant to paragraphs 3 and 6. Regulation (EU) 2024/1689 · Article 26(1) · 13 June 2024

The opening paragraph does not invent a new artefact. It binds the deployer to one the provider already produced. The instructions for use are the document Article 13 obliges the provider to draw up and ship with every high-risk AI system. Article 13(3) lists what that document contains, from the system's intended purpose to its known limitations to the human oversight measures the provider has built in. Article 26(1) closes the loop. The deployer must use the system within the envelope the provider drew.

The phrase appropriate technical and organisational measures is borrowed from GDPR Article 32 and carries the same risk-based register. The measures scale with the gravity of the use case. A hospital deploying a high-risk diagnostic-support system must put deeper measures in place than a small employer deploying a high-risk recruitment-screening tool, even though both sit under Article 26(1). The measures are the deployer's own. The benchmark is the IFU.

"The provider writes the IFU. The deployer signs to it. The evidence is whether the run respected the envelope."Warrant Compliance · 2026-05-11

What this looks like in practice. A bank deploying a vendor credit-scoring system pulls the IFU into its model risk policy. It tags every production decision with the IFU version at run time. It blocks any prompt template, threshold or cohort the IFU does not authorise. When the vendor ships a new IFU version, the bank's deployment pipeline refuses to advance until the new IFU has been re-acknowledged at the model risk committee. The audit trail at the end of all that is what an Article 26(1) inspection asks for.

03 · § 26(2) · COMPETENT OVERSIGHT

Competent natural persons for human oversight.

Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support. Regulation (EU) 2024/1689 · Article 26(2) · 13 June 2024

Article 14 binds the provider to build the oversight architecture into the system. Article 14(3) names the kinds of measures the provider must identify, including those the deployer is to implement under Article 14(3)(b). Article 26(2) is the staffing duty. The provider supplies the design. The deployer puts named, qualified humans into the seats.

Four words load every audit. Competence. Training. Authority. Support. Each is independently testable. A reviewer who has the authority to override but not the training to read the system's outputs fails the test. A reviewer with the training but no real authority to halt a decision fails it too. A reviewer with both but no operational support, no relief schedule, no second-line escalation, no time budget per case, fails on support.

Paragraph 3 is the safe-harbour clause. The obligations set out in paragraphs 1 and 2, are without prejudice to other deployer obligations under Union or national law and to the deployer's freedom to organise its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider. The deployer chooses how to staff. The deployer does not choose whether to.

04 · § 26(4) · INPUT DATA

Where the deployer controls the input data, the deployer owns the input.

Without prejudice to paragraphs 1 and 2, to the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system. Regulation (EU) 2024/1689 · Article 26(4) · 13 June 2024

Article 10 binds the provider on training, validation and testing data. Article 26(4) binds the deployer on production input data, where the deployer is the party that controls it. Most of the time, the deployer is. The bank chooses which customer attributes to feed the credit-scoring system. The hospital chooses which patient features to surface to the diagnostic-support system. The employer chooses which CV fields enter the recruitment-screening system.

Two adjectives carry the weight. Relevant. The input must connect to the intended purpose the IFU declared. Sufficiently representative. The input must reflect the population the system will decide on. A deployer that pipes in a feature the IFU did not contemplate has broken Article 26(1) and Article 26(4) at the same time. A deployer that runs a system trained on Western European mortgage applicants against an Eastern European or rural cohort, without confirming representativeness, has broken Article 26(4) even if the IFU permitted the input.

The boundary is the phrase to the extent the deployer exercises control. Where the system is fully managed and the deployer cannot change the input pipeline, the duty narrows. Where the deployer assembles the input from internal systems, the duty is full.

05 · § 26(5) · MONITOR AND REPORT

Monitor the run. Report the harms.

Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72. Where deployers have reason to consider that the use of the high-risk AI system in accordance with the instructions may result in that AI system presenting a risk within the meaning of Article 79(1), they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system. Where deployers have identified a serious incident, they shall also immediately inform first the provider, and then the importer or distributor and the relevant market surveillance authorities of that incident. Regulation (EU) 2024/1689 · Article 26(5) · 13 June 2024

One paragraph carries three distinct duties. The first sentence is steady-state monitoring against the IFU and a feedback channel into the provider's Article 72 post-market monitoring system. The second sentence is the risk-detection escalation, with three obligations bound together: notify the provider or distributor, notify the market surveillance authority, suspend the use. The third sentence is the serious-incident reporting trail. The order matters. First the provider, and then the importer or distributor and the relevant market surveillance authorities.

Article 73 governs serious-incident reporting in detail and binds the provider on the timeline. The deployer's duty under Article 26(5) is to feed the chain. The chain breaks if the deployer cannot identify a serious incident. The chain breaks if the deployer cannot route the report. The chain breaks if the deployer cannot prove either step happened.

The verb suspend is operationally severe. A bank that has reason to consider its credit-scoring system is producing a risk under Article 79(1) cannot continue to underwrite while the conversation with the vendor is ongoing. The system stops. The deployer's continuity arrangements take over. The audit trail must show the timestamp of the suspension and the timestamp of the notification.

06 · § 26(6) · LOG RETENTION

Logs at least six months.

Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data. Regulation (EU) 2024/1689 · Article 26(6) · 13 June 2024

This is the deployer-side mirror of the provider's Article 19(1) retention duty. The logs are the artefacts Article 12 obliges the system to generate automatically over its lifetime. The provider is responsible for the system being able to produce them. The deployer is responsible for retaining the ones that come into the deployer's hands.

Three constraints. Under their control. The deployer keeps what it can address. Appropriate to the intended purpose. Six months is a floor, not a ceiling. Unless provided otherwise. Sectoral law often is. MiFID II Article 16(7) runs five years. The Medical Device Regulation Article 10(8) runs ten years and fifteen for implantable devices. The Capital Requirements Regulation and the EBA outsourcing guidelines push five years for risk-relevant records. Six months is the regulatory minimum the deployer must beat. It is rarely the actual retention horizon.

The phrase in particular in Union law on the protection of personal data is the GDPR carve-back. Where logs contain personal data, GDPR Article 5(1)(e) storage limitation applies. The deployer cannot retain longer than the GDPR purpose-specific period, even if Article 26(6) would tolerate longer retention. The two regimes are read together. The deployer settles on a per-use-case retention number that satisfies both.

07 · § 26(7) · WORKPLACE

Workers' representatives before service.

Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers' representatives and the affected workers that they will be subject to the use of the high-risk AI system. This information shall be provided, where applicable, in accordance with the rules and procedures laid down in Union and national law and practice on information of workers and their representatives. Regulation (EU) 2024/1689 · Article 26(7) · 13 June 2024

The trigger is Annex III(4) employment, workers management and access to self-employment. Recruitment screening at Annex III(4)(a). Performance, promotion and termination decisions at Annex III(4)(b). Both attach Article 26 in full and pull Article 26(7) on top.

The obligation is procedural and timing-sensitive. The notice runs before putting into service or using. A deployer that rolls out a recruitment-screening AI in May and notifies the works council in June has not satisfied the article. The notice runs to two audiences. Workers' representatives, which is the works council in Germany, the CSE in France, the RSU in Italy, the equivalent statutory or recognised body in each Member State. Affected workers, the people the system will decide on or assist deciding on.

The phrase where applicable, in accordance with the rules and procedures laid down in Union and national law and practice picks up the existing labour-information regimes. Information-and-consultation directives. Collective agreements. National works council statutes. Article 26(7) sits on top of those and adds a substantive trigger but defers to them on procedure.

08 · § 26(8) · PUBLIC AUTHORITY

Public-authority registration under Article 49.

Deployers of high-risk AI systems that are public authorities, or Union institutions, bodies, offices or agencies shall comply with the registration obligations referred to in Article 49. When such deployers find that the high-risk AI system that they envisage using has not been registered in the EU database referred to in Article 71, they shall not use that system and shall inform the provider or the distributor. Regulation (EU) 2024/1689 · Article 26(8) · 13 June 2024

Two duties stack here. The first is the registration duty under Article 49 and the EU database under Article 71. Public-authority deployers register themselves and their use against entries the provider has already lodged. The Annex VIII(C) information set names the deployer, the use case, the legal basis, the system in use and the contact point. The database is public, in part. The deployer's registration creates a discoverable trail of every Annex III system any public authority anywhere in the Union is running.

The second is the conformity check. If the deployer cannot find the system in the database, the deployer cannot use it. The article inverts the usual permission stance. Use is conditioned on prior provider registration. The deployer's positive duty is to look. The deployer's negative duty is to refuse to operate the system and notify the provider or distributor of the gap.

Private deployers do not carry Article 26(8) directly. They carry the underlying Article 26 duties and the FRIA trigger under Article 27 if it applies, but the registration duty is the public-authority track.

09 · § 26(9) · DPIA

The DPIA cross-reference.

Where applicable, deployers of high-risk AI systems shall use the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680. Regulation (EU) 2024/1689 · Article 26(9) · 13 June 2024

This is not a new DPIA obligation. It is a routing instruction. Where the deployer's use of a high-risk AI system already triggers a DPIA under GDPR Article 35 or, in the law-enforcement context, Article 27 of the Law Enforcement Directive, the deployer must use the Article 13 instructions for use as an input to that DPIA. The information the provider supplied about the system's intended purpose, known limitations, oversight measures, performance metrics, training data characteristics flows into the deployer's DPIA narrative.

The practical implication is that a deployer cannot run a credible AI DPIA without the IFU. If the provider's IFU is thin, the deployer's DPIA will be thin and the deployer wears it. The article shifts a documentation burden upstream by making the provider's quality of disclosure load-bearing for the deployer's own GDPR compliance.

10 · ART. 27 · THE FRIA TRIGGER

The fundamental rights impact assessment under Article 27.

Prior to deploying a high-risk AI system referred to in Article 6(2), with the exception of high-risk AI systems intended to be used in the area listed in point 2 of Annex III, deployers that are bodies governed by public law, or are private entities providing public services, and deployers of high-risk AI systems referred to in points 5 (b) and (c) of Annex III, shall perform an assessment of the impact on fundamental rights that the use of such system may produce. Regulation (EU) 2024/1689 · Article 27(1) · 13 June 2024

The fundamental rights impact assessment lives in Article 27, not in Article 26. The two articles are read together. Article 26 is the operational stack. Article 27 is the upstream impact assessment that must be done before the operational stack starts running, where the trigger fires.

The trigger has three limbs. Bodies governed by public law. Hospitals operating under public-law statutes. Public broadcasters. Government departments and their agencies. Private entities providing public services. The recital text and 2025 Member State guidance treat this as covering schools, hospitals and welfare administrators that operate under public-service mandates even when constituted as private entities. Deployers of Annex III(5)(b) creditworthiness systems and Annex III(5)(c) life-and-health insurance risk-pricing systems. Two specific Annex III categories where the FRIA bites every deployer regardless of public or private status. Annex III(2) critical infrastructure is excluded.

What the FRIA contains, per Article 27(1) sub-paragraphs. A description of the deployer's processes in which the high-risk AI system will be used. The intended purpose and the period and frequency of use. The categories of natural persons and groups likely to be affected. The specific risks of harm. The implementation of human oversight measures. The measures to be taken in case of materialisation of risks, including governance, complaint mechanisms, internal arrangements.

Article 27(2) confirms the obligation applies to the first use. The deployer may, in similar cases, rely on a previously conducted FRIA or on existing impact assessments carried out by the provider. Article 27(3) requires the deployer to notify the market surveillance authority of the FRIA results, on a template the AI Office develops under Article 27(5). Article 27(4) integrates the FRIA with any DPIA already in hand, so that a deployer running a single AI system across both regimes is not made to repeat itself.

The interaction with Article 26 is sequential. Run the FRIA. File the result. Then start running the system, with Article 26(1) through Article 26(12) attaching the moment use begins.

11 · § 26(10) AND § 26(11) · BIOMETRIC AND NOTICE

Post-remote biometric ID. Notice to the affected.

Without prejudice to Directive (EU) 2016/680, in the framework of an investigation for the targeted search of a person suspected or convicted of having committed a criminal offence, the deployer of a high-risk AI system for post-remote biometric identification shall request an authorisation, ex-ante, or without undue delay and no later than 48 hours, by a judicial authority or an administrative authority whose decision is binding and subject to judicial review, for the use of that system, except when it is used for the initial identification of a potential suspect based on objective and verifiable facts directly linked to the offence. Each use shall be limited to what is strictly necessary for the investigation of a specific criminal offence. Regulation (EU) 2024/1689 · Article 26(10) · 13 June 2024

Article 26(10) is the law-enforcement carve-out attached to Annex III(1)(a) post-remote biometric identification. Three conditions stack. The use must sit within a criminal investigation for a specific suspect or convict. The deployer must obtain authorisation, ex ante where practicable and no later than 48 hours otherwise, from a judicial or binding administrative authority whose decision is subject to judicial review. Each use is limited to what is strictly necessary for the investigation of a specific criminal offence. The carve-out from prior authorisation is narrow and applies only to initial identification based on objective and verifiable facts directly linked to the offence.

The same paragraph sits inside a wider law-enforcement architecture under Articles 5 and 79, the prohibitions on real-time biometric ID in publicly accessible spaces, and the data-protection limits under the Law Enforcement Directive. Article 26(10) does not loosen those. It tightens the post-remote use case the regulation does permit.

Without prejudice to Article 50 of this Regulation, deployers of high-risk AI systems referred to in Annex III that make decisions or assist in making decisions related to natural persons shall inform the natural persons that they are subject to the use of the high-risk AI system. For high-risk AI systems used for law enforcement purposes Article 13 of Directive (EU) 2016/680 shall apply. Regulation (EU) 2024/1689 · Article 26(11) · 13 June 2024

Article 26(11) is the data-subject notification duty. It runs against every Annex III system that decides about, or assists in deciding about, a natural person. The duty is informational. The natural person must know they are subject to use of the system. The notice does not need to disclose the model. It does need to surface the existence of the system, the purpose, the role in the decision.

The interaction with GDPR Article 13 and Article 14, the data-controller transparency duties, is direct. A deployer that already complies with GDPR Article 13 by notifying the data subject of automated processing under Article 22 will usually satisfy Article 26(11) at the same time, provided the notice names the AI system specifically. A boilerplate privacy policy reference to "automated decisions" no longer suffices once the system is high-risk.

Article 26(12) closes the article. Deployers shall cooperate with the relevant competent authorities in any action those authorities take in relation to the high-risk AI system in order to implement this Regulation. Cooperation is the catch-all. It includes producing logs under Article 26(6), surfacing the FRIA under Article 27, supplying the IFU acknowledgements under Article 26(1), naming the oversight staff under Article 26(2), demonstrating monitoring under Article 26(5).

12 · CROSS-REFERENCE WEB

The articles Article 26 reads against.

Article 26 does not stand alone. It reads against six other articles in the regulation, and a deployer audit ends up touching all of them.

Art. 13
The instructions for use the provider must produce. The IFU is what Article 26(1) binds the deployer to follow, and what Article 26(9) routes into the deployer's DPIA. READ · the IFU is the contract between provider and deployer; Article 26 makes the IFU regulator-visible.
Art. 14
The human oversight measures the provider designs into the system, including the measures Article 14(3)(b) flags as deployer-implemented. READ · provider designs the seat; Article 26(2) names the person who sits in it.
Art. 27
The fundamental rights impact assessment. Article 26 does not point to it in text, but Article 27(1) is the upstream pre-condition for any deployer who falls inside its trigger. READ · Article 27 first; Article 26 attaches from first use.
Art. 49
The EU database registration regime. Article 26(8) makes Article 49 binding on public-authority deployers and conditions use on prior registration. READ · Article 49 plus Annex VIII determines what the public-authority deployer files.
Art. 72
The provider's post-market monitoring system. Article 26(5) feeds it from the deployer side. READ · the provider has the system; Article 26(5) is the deployer's data-flow into it.
Art. 73
Serious-incident reporting. Article 26(5) lists the order: first the provider, then the importer or distributor and the market surveillance authority. READ · Article 73 sets the provider's timeline; Article 26(5) routes the deployer's notice into the chain.
13 · FIELD MAPPING

Where Warrant maps Article 26.

The deployer-side evidence package built under Warrant carries one field per Article 26 paragraph that an inspection asks for. The mapping is below. Each row is a clause, what an inspection expects the evidence to show, and the field on the Warrant evidence record that holds the proof.

Article 26 clause What the evidence must show Warrant evidence field
26(1) Use per the instructions for use, verified per decision against the IFU version in force at run time. trace.actions[].ifu_compliance
26(2) Competent oversight staff named, with training record and authority delegation on file. metadata.deployer_oversight_staff
26(4) Input data relevance and representativeness check at the run-time boundary. trace.actions[].input_data_check
26(5) Monitoring trail plus serious-incident reporting record per Article 73. metadata.incident_reports
26(6) Deployer-controlled logs retained for at least six months, longer where sectoral law applies. trace.retention_proof
26(7) Workers' representative notification record, dated before first use at the workplace. metadata.worker_notification
26(8) Annex VIII deployer registration ID for public-authority deployers, with the EU database lookup proof. metadata.deployer_registration_id
26(9) DPIA on file, citing the Article 13 IFU as input. metadata.dpia_id
26(11) Per-decision notification record to the affected natural person. trace.actions[].subject_notification
Art. 27 FRIA performed before first use, on file, market surveillance authority notified. metadata.fria_id

One property of this stack is easy to miss and hard to delegate. The deployer-side record-and-retention duty under Article 26(6), read with the per-decision evidence each clause above expects, does not move to the model vendor. The vendor can ship a system that produces logs. The vendor cannot discharge the deployer's duty that the records of what the system did exist, are kept for the appropriate period, and are legible to a regulator who asks. The obligation lands on the named accountable deployer, per action, and stays there.

That leaves one open question a deployer should put to any evidence arrangement before relying on it. When the regulator asks to see what the agent did and which Article 26 clause each action met, is the record independently verifiable without contacting the vendor that produced it, and by whom. A record only the producer can vouch for is a weaker answer to Article 26(12) cooperation than a record a regulator, an auditor, or a counterparty can check on its own.

W
Sample EU deployer evidence package · Warrant registerINDEPENDENTLY VERIFIABLE WITHOUT CONTACTING WARRANT
→ /v/7de85ceaeac42a47
14 · FAQ

Questions a deployer's compliance officer asks first.

Am i a deployer or a provider under the EU AI Act?

Article 3(3) defines the provider as the person who develops or has developed a high-risk AI system and places it on the Union market or puts it into service under their own name or trademark. Article 3(4) defines the deployer as the person using an AI system under their authority, except in the course of personal non-professional activity. A bank that builds and places its own credit-scoring AI system on the market is the provider. A bank that uses a third-party credit-scoring AI system to underwrite loans is the deployer. The same legal entity can be a provider for one system and a deployer for another. Article 25(1)(c) re-classifies a deployer as a provider where the deployer makes a substantial modification to the system or puts it on the market under their own name.

What is the difference between Article 14(3)(b) deployer oversight measures and Article 26(2) competent staff?

Article 14 binds the provider to design oversight measures into the system and identify the measures the deployer must implement, including those listed at Article 14(3)(b). Article 26(2) binds the deployer to assign that oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support. The provider supplies the measures. The deployer staffs them. A provider that ships a system with a documented two-step human review checkpoint and a deployer that names a single junior reviewer with no training record have together failed Article 26(2), even if the system itself satisfies Article 14.

Does the Article 26(6) log retention apply to me if i run the system on the provider's infrastructure?

The text reads, to the extent such logs are under their control. Where the deployer hosts no infrastructure of its own and the provider operates the system as a managed service, the deployer-side retention duty attaches to whatever logs the deployer can access, configure or export under the contract. The provider's separate Article 19(1) retention duty continues to run. Most managed-service contracts after May 2026 explicitly route an export feed to the deployer and a parallel retention obligation back to the provider, precisely so neither side bears the entire forensic burden alone.

When does the Article 27 fundamental rights impact assessment actually trigger?

Article 27(1) obliges the deployer to perform a FRIA prior to deploying a high-risk AI system referred to in Article 6(2), in two situations. First, where the deployer is a body governed by public law or a private entity providing public services. Second, where the deployer is using a system listed at Annex III points 5(b) creditworthiness or credit scoring of natural persons or 5(c) risk assessment and pricing in life and health insurance. Annex III point 2 critical infrastructure is excluded. The obligation applies to the first use of the system. The deployer may, in similar cases, rely on previously conducted assessments or on the provider's existing impact assessment.

Do i need to publish the fundamental rights impact assessment?

No. Article 27(3) requires the deployer to notify the market surveillance authority of the results of the assessment, by submitting the filled-out template the AI Office develops under Article 27(5). There is no general obligation to publish the FRIA. National competent authorities may, however, require the FRIA to be produced on request under Article 21, and the FRIA forms part of the evidence record a deployer should expect to surface during any post-market monitoring inspection under Article 72.

What does appropriate to the intended purpose mean for log retention beyond the six-month floor?

Six months is the floor. The phrase appropriate to the intended purpose pushes retention longer wherever sectoral law speaks. MiFID II Article 16(7) requires five years for orders and decisions to deal. The Medical Device Regulation Article 10(8) requires ten years, fifteen for implantable devices. The Capital Requirements Regulation Article 87(7) and the EBA guidelines on outsourcing imply a minimum of five years for risk-relevant records. A deployer who rotates a six-month window while running a credit-decision system whose disputes surface eighteen months later has not satisfied the appropriateness limb.

Article 26(7): does notifying the works council count as informing workers' representatives?

In most Member States, yes. Article 26(7) requires the deployer-employer to inform workers' representatives and the affected workers, in accordance with the rules and procedures laid down in Union and national law and practice on information of workers and their representatives. In Germany the Betriebsrat is the relevant representative body. In France the Comité Social et Économique. In Italy the Rappresentanze Sindacali Unitarie. The notification must precede putting the system into service or using it at the workplace, not follow it. A retroactive notice issued after rollout does not satisfy the article.

How does Article 26 interact with GDPR Article 22 if my deployer-side use produces solely automated decisions?

GDPR Article 22 prohibits decisions based solely on automated processing that produce legal or similarly significant effects on a data subject, except under three carve-outs. The AI Act applies without prejudice to the GDPR. A deployer running a high-risk credit scoring system under Annex III(5)(b) must satisfy both regimes in parallel. Article 26(11) requires the deployer to inform the natural person they are subject to use of the system. GDPR Article 22(3) requires meaningful human intervention as one route out of the prohibition. Article 14 oversight measures, Article 26(2) competent oversight staff, and the GDPR Article 22(3) intervention right collapse, in practice, into the same person at the same checkpoint.

15 · READ THE SOURCE

Read the source directly.

Authored by Warrant Compliance, the regulatory-analysis function at Warrant. [email protected]. Editorial commentary on regulatory text. Not legal advice. The verbatim quotation of Article 26 paragraphs (1) through (12), Article 27(1), and Article 3(3) and (4) reflects the official English-language text of Regulation (EU) 2024/1689 as published in the Official Journal of the European Union on 12 July 2024.

FILED ALONGSIDE
ENTRY № 01 · 2026-05-07
Article 12, the logging obligation.
Provider logging that creates the artefacts the deployer retains under Article 26(6).
EU AI ACT · ART. 6
The classification gate.
Whether the system is high-risk at all. The gate that pulls Article 26 onto the deployer.
EU AI ACT · ART. 12 · § 75
The per-action record question.
Whether a high-risk agentic system owes a record per action, and who must be able to read it.