High-Risk AI Deployer Checklist: 20 Steps Before the August 2026 Deadline
Article 26 of the EU AI Act lays out exactly what deployers of high-risk AI systems must do before go-live. This 20-point checklist, organised across supplier verification, human oversight, data governance, and internal procedures, gives you a concrete action plan with regulatory references and priority levels.
Article 26 of Regulation (EU) 2024/1689 defines the obligations of deployers of high-risk AI systems. Unlike providers — who bear the heaviest technical and documentation burdens — deployers are organisations that use a high-risk AI system in a professional context. That scope is wide: it covers HR departments using AI screening tools, hospitals using diagnostic AI, banks using credit scoring models, and any public authority deploying AI in benefit allocation or law enforcement.
A note on the August 2026 deadline: The original EU AI Act timeline set August 2026 as the date for high-risk system obligations to apply fully. The proposed AI Omnibus regulation (under discussion since late 2025) may push this to December 2027. Until the Omnibus is formally adopted, August 2026 remains the operative compliance target. Do not rely on a postponement that has not yet been signed into law.
The 20 points below are organised into four sections. Each point lists the relevant article, the concrete action required, and the priority level (Critical / Important / Recommended).
Section 1 — Supplier Verification (5 Points)
These steps must be completed before you sign a contract or put a system into service. You cannot delegate compliance by simply pointing to your vendor.
1. Confirm the system is listed in the EU database
- Article: Art. 71, Art. 26(1)
- Action: Ask your provider for the EU database registration number. Verify it at the official EU AI Act database portal. If the system is not registered, it cannot legally be deployed for high-risk use.
- Priority: Critical
2. Obtain and review the EU Declaration of Conformity
- Article: Art. 47, Art. 26(1)
- Action: Request the signed Declaration of Conformity from the provider. Verify it covers the specific use case you intend to deploy. Keep a copy on file.
- Priority: Critical
3. Review the provider's instructions for use
- Article: Art. 13, Art. 26(1)
- Action: The provider must supply instructions covering intended purpose, performance limitations, maintenance needs, and human oversight requirements. Confirm these are complete, up to date, and in a language your staff can use.
- Priority: Critical
4. Verify the provider's technical documentation is accessible
- Article: Art. 11, Annex IV
- Action: You do not need to hold Annex IV documentation yourself, but you must be able to obtain it on request from the provider and produce it to supervisory authorities within a reasonable timeframe.
- Priority: Important
5. Include AI Act compliance clauses in the supplier contract
- Article: Art. 26(1), Recital 87
- Action: Ensure your contract with the provider includes: obligations to notify you of any changes affecting conformity, a commitment to supply updated instructions for use, and a right to audit or request documentation. Do not rely on a generic software licence.
- Priority: Important
Section 2 — Human Oversight Setup (5 Points)
Article 14 requires that high-risk AI systems be designed to allow human oversight. Article 26(5) requires deployers to assign this oversight to specific, qualified individuals.
6. Designate named human oversight responsible persons
- Article: Art. 26(5), Art. 14(1)
- Action: Identify by name and role the individuals responsible for monitoring the system during operation. Document this assignment formally (role description, training record, escalation authority).
- Priority: Critical
7. Train oversight personnel on system limitations and error patterns
- Article: Art. 14(4)(c), Art. 26(6)
- Action: Oversight personnel must understand what the system can and cannot do, how to detect anomalies, and when to disregard or override an output. Deliver documented training before deployment. Record completion.
- Priority: Critical
8. Establish override and escalation procedures
- Article: Art. 14(4)(d)
- Action: Write and test a procedure specifying: how an oversight person can halt or override the system's output, under what conditions this is mandatory (e.g., when the system flags low confidence), and who must be notified after an override.
- Priority: Critical
9. Implement meaningful human review for consequential decisions
- Article: Art. 14(5)
- Action: "Human oversight" is not a rubber stamp. If the system's output feeds into a decision that significantly affects a person (employment, credit, benefits), document how the human reviewer actually evaluates that output — not merely approves it.
- Priority: Important
10. Define what constitutes "automated decision" vs "human-assisted decision" for your use case
- Article: Art. 14, Recital 48
- Action: Clarify internally — and document — the boundary between automated recommendations and final decisions. This distinction affects both your oversight obligations and any overlap with GDPR Article 22.
- Priority: Recommended
Section 3 — Data and Log Management (5 Points)
Article 26(5) and (6) impose specific obligations around data quality and operational logging. These feed directly into incident investigations and supervisory audits.
11. Implement input data quality controls
- Article: Art. 26(4), Art. 10(3)
- Action: Establish controls ensuring that data fed into the system meets the quality conditions described in the provider's instructions for use. Document who is responsible for data preparation and what validation steps occur before input.
- Priority: Critical
12. Activate and configure system logging
- Article: Art. 19, Art. 26(5)
- Action: Where the system has automatic logging capabilities (as required of providers under Art. 12), confirm these are active and properly configured for your deployment. Logs must cover operation periods and must be retained for at least six months (verify with provider if longer is required).
- Priority: Critical
13. Define log retention policy and access controls
- Article: Art. 19(3), Art. 26(5)
- Action: Document who can access operational logs, under what conditions, and for how long they are retained. Ensure logs are tamper-evident. Align retention periods with GDPR data minimisation obligations.
- Priority: Important
14. Establish a process for detecting and reporting serious incidents
- Article: Art. 73(6) (deployer notification obligations)
- Action: Define what constitutes a serious incident or near-miss for your AI use case. Create a workflow for documenting incidents, notifying the relevant market surveillance authority within the required timeframe (typically 15 days for serious incidents), and preserving logs.
- Priority: Critical
15. Conduct periodic data drift monitoring
- Article: Art. 26(5), Art. 9(7)
- Action: Input data distributions can shift over time, degrading system performance. Assign responsibility for periodic monitoring (quarterly minimum), and define a threshold at which the provider must be notified or the system taken out of service for re-evaluation.
- Priority: Recommended
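Point 13 asks for tamper-evident logs without saying how to get them. The sketch below is an added example, not part of the original checklist or of any provider's product: it chains each operational log record to the previous one with a keyed HMAC, so an edit, a removed record, or a truncated tail is detectable. The field names, the sample events and the idea of storing the latest MAC out-of-band are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed "previous MAC" for the first record
FIELDS = ("seq", "ts", "actor", "event")  # hypothetical record schema

def _mac(key, prev, body):
    # Canonical JSON so the same record always produces the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + data, hashlib.sha256).hexdigest()

def append(chain, key, ts, actor, event):
    """Append one record, binding it to the MAC of the record before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "actor": actor, "event": event}
    chain.append({**body, "prev": prev, "mac": _mac(key, prev, body)})
    return chain[-1]["mac"]  # store this head value outside the log system

def verify(chain, key, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first problem.

    A chain alone cannot reveal that the newest records were cut off, so
    pass the head MAC kept out-of-band to detect truncation as well.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec.get(k) for k in FIELDS}
        good = (rec.get("seq") == i and rec.get("prev") == prev
                and hmac.compare_digest(str(rec.get("mac")), _mac(key, prev, body)))
        if not good:
            return i
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return len(chain)  # records missing from the end
    return -1

def build_sample(key):
    """Constructed sample events for a hypothetical screening deployment."""
    chain = []
    append(chain, key, "2026-03-01T09:00:00+00:00", "system", "inference id=1 score=0.41")
    append(chain, key, "2026-03-01T09:02:10+00:00", "oversight-1", "override id=1 reason=low-confidence")
    head = append(chain, key, "2026-03-01T09:05:00+00:00", "admin-2", "log-export requested")
    return chain, head
```

The HMAC key has to be held by a party that cannot write to the log store; otherwise whoever alters a record can recompute the chain.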
Section 4 — Internal Procedures and Training (5 Points)
Compliance is not a one-time exercise. Articles 26(7) and 26(9) require deployers to have ongoing internal procedures that are documented, maintained, and communicated.
16. Conduct a Fundamental Rights Impact Assessment (FRIA) where required
- Article: Art. 27
- Action: If you are a body governed by public law, or a private entity providing public services, you are required to conduct a FRIA before deployment. Even where not strictly mandatory, a FRIA is strongly recommended for any system making consequential decisions about individuals. Document and retain the assessment.
- Priority: Critical (mandatory for public bodies and certain private entities)
17. Establish a written AI system use policy for internal staff
- Article: Art. 26(7)
- Action: Create and distribute an internal policy governing: approved use cases for the system, prohibited uses, data handling requirements, escalation paths, and contact information for oversight personnel. Obtain signed acknowledgement from all users.
- Priority: Important
18. Register the deployment in your internal AI inventory
- Article: Art. 26(8)
- Action: Maintain an internal register of all high-risk AI systems in use, updated at each change of deployment context. This register should cross-reference: system name, provider, EU database ID, oversight personnel, review date.
- Priority: Important
19. Define a re-evaluation trigger for material changes
- Article: Art. 26(1), Art. 43(4)
- Action: If you substantially modify the intended purpose of a high-risk AI system, a new conformity assessment may be required. Document internally what constitutes a "substantial modification" for your deployment context, and create a review trigger when those conditions are met.
- Priority: Important
20. Schedule an annual compliance review
- Article: Art. 26(5), Art. 9(1)
- Action: High-risk AI system compliance is not static. Schedule an annual internal review covering: log analysis, incident reports, oversight effectiveness, training currency, and supplier notification of any relevant changes. Document the outcome.
- Priority: Recommended
Summary Table
| # | Area | Priority |
|---|---|---|
| 1–5 | Supplier verification | 3 Critical / 2 Important |
| 6–10 | Human oversight | 3 Critical / 1 Important / 1 Recommended |
| 11–15 | Data and log management | 3 Critical / 1 Important / 1 Recommended |
| 16–20 | Internal procedures | 1 Critical / 3 Important / 1 Recommended |
Seven of the twenty points are rated Critical — meaning non-compliance creates direct legal exposure under Article 99 of the AI Act (fines up to €15 million or 3% of global annual turnover). Complete those first, before any other work.