
EU AI Act Compliance Guide for Enterprises: What You Need to Know

The EU AI Act creates a tiered compliance framework that applies to any enterprise deploying or using AI systems in the EU. Here is the practical guide for understanding your obligations.

Sofia Reyes
Head of Compliance
2026-02-20

The risk-based structure

The EU AI Act classifies AI systems into four tiers: prohibited systems (banned outright), high-risk systems (Annex III — strict compliance requirements), limited-risk systems (transparency obligations), and minimal-risk systems (no specific requirements). Understanding which tier each of your AI deployments falls into is the starting point for everything else.

Annex III: the high-risk categories you need to know

High-risk systems include AI used in biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and asylum management, and administration of justice. If you deploy AI in any of these domains, the full compliance requirements apply.

What high-risk compliance requires

High-risk systems must meet requirements across eight areas: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and robustness, and cybersecurity. The cybersecurity requirements — Article 15 — map closely to existing security controls, making them a natural starting point for CISO-led compliance programs.

The provider vs. deployer distinction

Compliance obligations differ depending on whether you are a provider (you built the AI system) or a deployer (you use a system built by someone else). Deployers have lighter obligations but are not off the hook — they must conduct conformity assessments for high-risk systems, maintain use logs, and ensure human oversight mechanisms are in place.

Building your compliance program

Start with the system inventory and risk classification. Then build documentation templates for your high-risk systems. Establish a compliance monitoring cadence that reviews AI system behavior against regulatory requirements quarterly. And designate an AI compliance lead — someone who owns the relationship with the EU AI Office and tracks regulatory guidance as it evolves.

Are You a Provider, a Deployer, or Both? The Article 25 Decision Tree

The single most important question after the May 2026 Digital Omnibus update: are you a provider, a deployer, or both? Your obligations diverge significantly. Article 25 of the Act sets out how to determine which you are.

  • Do you develop or substantially modify a GPAI model and place it on the market? → Provider obligations (Articles 16-21 for high-risk, Articles 53-55 for GPAI).
  • Do you use a GPAI model under your own authority for your own purposes? → Deployer obligations (Article 26).
  • Do you fine-tune a GPAI for internal use only? → Often both. Provider for the fine-tuned model; deployer for its operational use.
  • Do you embed an AI system in a product you sell? → Provider obligations for the embedded system, even if you didn't train the underlying model.
  • Do you re-brand or modify another vendor's AI system? → Provider obligations under Article 25(1). The "downstream provider" rule.

Most enterprises in 2026 are deployers for most of their AI footprint, with provider obligations on the specific systems they fine-tune, embed, or re-brand. Mapping each AI system to a role is the foundational step — wrong role = wrong obligations = audit findings.

What Each Role Owes After the Digital Omnibus

The May 2026 Digital Omnibus moved the timeline for some obligations but not others. Current state for both roles:

| Obligation | Effective date | Provider | Deployer |
|---|---|---|---|
| Article 4 AI literacy | In force (Feb 2025) | Yes | Yes |
| Article 5 prohibitions | In force (Feb 2025) | Yes | Yes |
| Article 53 GPAI documentation | Aug 2, 2026 (enforcement) | Yes | Request from provider |
| Article 55 GPAI systemic risk | Aug 2, 2026 (enforcement) | Yes (for systemic-risk GPAI) | No |
| Article 9 risk management | Dec 2, 2027 (deferred from Aug 2026) | Yes (high-risk only) | Article 26 |
| Article 11 technical documentation (Annex IV) | Dec 2, 2027 | Yes | Request from provider |
| Article 12 record-keeping | Dec 2, 2027 | Yes | Article 26 (own logs) |
| Article 14 human oversight | Dec 2, 2027 | Yes (design) | Yes (implement) |
| Article 26 deployer obligations | Dec 2, 2027 | | Yes |
| Article 73 serious incident reporting | Dec 2, 2027 | Yes (15-day window) | Yes (notify provider) |

The pattern: GPAI provider obligations (Articles 53-55) activate August 2, 2026. High-risk system obligations (Articles 9-15) for Annex III systems are deferred to December 2, 2027. Annex I product-safety obligations remain on the August 2, 2027 schedule. Prohibitions, AI literacy, and transparency obligations are already enforced.

For the deeper coverage of what changed and what didn't, see EU AI Act, Delayed to December 2027.

Flow-Down Clauses: What Deployers Should Demand from Their AI Vendors

Every enterprise that deploys a GPAI model is going to need flow-down evidence from the model provider. The five clauses to demand in your AI procurement contracts:

  1. Article 53 documentation rights. Provider supplies the training data summary, technical documentation, evaluation results, and instructions for downstream on request. Updated annually or on material model change.
  2. Article 25 role disclosure. Provider states explicitly whether they consider themselves the provider of record for the system you're licensing, and whether your use case may trigger downstream-provider obligations on you.
  3. Article 73 incident notification. Provider notifies you within 7 days of any serious incident affecting the model that may impact your deployment.
  4. Audit cooperation. Provider will respond to your auditor's reasonable requests for documentation when their model is in scope of your audit. Reasonable response time committed.
  5. Service-level continuity. Provider commits to a defined period of post-market support for the model version you're licensing, so you're not forced into an unplanned migration mid-audit cycle.

Procurement teams in 2026 are starting to ship AI-specific addenda built around these five clauses. Most AI vendors will not have ready answers; make their answers a contractual requirement. For the broader AI vendor RFP framework, see The Enterprise Agent RFP: 30 Procurement Questions.

FAQ

Am I a provider or a deployer under the EU AI Act?

If you develop or substantially modify an AI system and place it on the market, you are a provider. If you use an AI system under your own authority for your own purposes, you are a deployer. Many enterprises are both — provider for systems they fine-tune or embed; deployer for systems they procure as-is.

Does the Digital Omnibus delay affect provider obligations?

Partially. GPAI provider obligations (Articles 53-55) still activate August 2, 2026 with full enforcement powers. High-risk Annex III provider obligations (Articles 9-15) are deferred to December 2, 2027.

What documentation should I request from my AI vendors?

Article 53 documentation (training data summary, technical documentation, evaluation results, instructions for downstream), Article 25 role disclosure, Article 73 incident notification commitments, audit cooperation, and post-market support commitments. See the flow-down clauses section above.

Does GDPR override or interact with the EU AI Act?

They coexist. Article 10(5) of the AI Act clarifies the lawful basis for processing personal data in AI training under specific conditions. For most enterprise use cases, GDPR's existing obligations on data subjects' rights, processor relationships, and cross-border transfers apply on top of AI Act obligations.

If I'm a deployer using GPAI internally, what do I owe by August 2, 2026?

Mostly nothing new specifically tied to August 2 — your deployer obligations under Article 26 are deferred to December 2, 2027. But you should pre-position: the provider you license from is gaining new obligations, and their contracting posture will shift. Align your procurement language now.
