Deployer (EU AI Act)

Definition pursuant to Article 3(4) EU AI Act - those who use AI systems

26 April 2026 · Category: EU AI Act · Compliance-Kit

Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

A deployer pursuant to Article 3(4) EU AI Act is a natural or legal person, public authority, or other body that uses an AI system under its own authority - except in the course of a personal, non-professional activity. 90% of SMEs are pure deployers.

What is a Deployer (EU AI Act)?

Deployer obligations:

Article 4 AI Literacy: in effect since 02 February 2025 - staff training (mandatory)
Article 5 prohibitions: ensure that no deployed system performs prohibited practices
Article 26 high-risk deployer obligations from 02 August 2026 (Digital Omnibus proposal 19 November 2025: postponement to 02 December 2027 - trilogue ongoing, not adopted): use as intended, input data relevance review, retention of logs, employee information
Article 27 FRIA for certain deployers (public bodies, credit scoring): from 02 August 2026
Article 50 transparency from 02 August 2026: watermarking, chatbot disclosures, deepfake disclosure

Practical example

Practical use cases as a deployer: - ChatGPT for marketing copy → deployer, AI Literacy obligation - Microsoft Copilot in M365 → deployer + potentially high-risk use cases - HR recruiting algorithm from an external provider → deployer + high-risk (Annex III No. 4a) from 02 August 2026 (Digital Omnibus proposal 19 November 2025: postponement to 12/2027 - not adopted) - Gemini for code generation → deployer, AI Literacy

Frequently asked questions

Do I become a provider if I deeply integrate Copilot?

Not necessarily. As long as Microsoft remains identifiable as the provider and no substantial modification is made, you remain a deployer.

Do I need an Acceptable Use Policy?

Not strictly required by the EU AI Act. HOWEVER: best practice + GDPR interface (Article 5) + AGG interface (Section 22 AGG reversal of burden of proof for AI recruiting). The Compliance Kit provides a template.

What happens for high-risk deployers from 12/2027?

Obligations: use as intended, retention of logs (Article 26), input data relevance review, FRIA where applicable (Article 27), information of employees/data subjects.