Inferensys

Glossary

Deployer Obligations

The legal duties under the EU AI Act assigned to the professional user of a high-risk AI system, including ensuring human oversight, monitoring operation, and conducting fundamental rights impact assessments.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
EU AI ACT COMPLIANCE

What is Deployer Obligations?

Deployer obligations are the specific legal duties assigned to the professional user of a high-risk AI system under the EU AI Act, distinct from the developer's responsibilities.

Under the EU AI Act, a deployer is the natural or legal person under whose authority a high-risk AI system is used in a professional capacity. Their primary obligations include implementing meaningful human oversight, monitoring the system's operation for anomalies, and ensuring input data is relevant and representative of the intended purpose. The deployer must also retain automatically generated logs for a period appropriate to the system's intended purpose.

A critical deployer obligation is conducting a Fundamental Rights Impact Assessment (FRIA) before putting the system into service. This documented process evaluates the specific risks to the rights and freedoms of affected individuals. Deployers must also immediately report any serious incident or malfunction to the provider and the relevant market surveillance authority, and cooperate fully in any post-market monitoring or audit.

DEPLOYER OBLIGATIONS

Frequently Asked Questions

Clarifying the legal duties assigned to professional users of high-risk AI systems under the EU AI Act, including oversight, monitoring, and fundamental rights impact assessments.

A deployer is the professional user who operates a high-risk AI system under their authority, and their primary obligations include implementing human oversight measures, ensuring input data is relevant and representative, monitoring the system's operation, and conducting a Fundamental Rights Impact Assessment (FRIA). Unlike the provider who builds the system, the deployer is responsible for its proper use in a specific context. They must assign competent human overseers with the authority to override automated decisions, retain automatically generated logs for audit purposes, and immediately inform the provider and market surveillance authorities of any serious incidents or malfunctions. If a deployer substantially modifies the system or uses it outside its intended purpose, they legally assume the provider's obligations and must conduct a new conformity assessment.

EU AI ACT COMPLIANCE

Core Deployer Duties

The legal duties under the EU AI Act assigned to the professional user of a high-risk AI system, including ensuring human oversight, monitoring operation, and conducting fundamental rights impact assessments.

01

Fundamental Rights Impact Assessment (FRIA)

A mandatory, documented process for deployers of high-risk AI systems to evaluate the specific risks to the rights and freedoms of individuals likely to be affected by the system's operation. The assessment must include:

  • A detailed description of the deployer's processes in which the high-risk AI system will be used
  • The period and frequency of the system's intended use
  • The categories of natural persons and groups likely to be affected
  • The specific risks of harm likely to impact those groups
  • The human oversight measures to be implemented
  • The measures to be taken in case of materialized risks
Art. 27
EU AI Act Mandate
02

Human Oversight Obligations

Deployers must ensure that natural persons to whom human oversight is assigned have the necessary competence, training, and authority to carry out that role. This goes beyond a tokenistic rubber-stamp. Oversight must be built on human-in-the-loop, human-on-the-loop, or human-in-command paradigms. The operator must be able to:

  • Fully understand the system's capacities and limitations
  • Remain aware of automation bias
  • Correctly interpret the system's output
  • Decide to disregard, override, or reverse the output
  • Intervene or stop the system via a 'kill switch'
Art. 14
Human Oversight Requirement
03

Input Data Control

The deployer bears strict responsibility for ensuring that the input data fed into the high-risk AI system is relevant and sufficiently representative for its intended purpose. This is a critical distinction from provider obligations. If a deployer feeds biased or irrelevant data into a compliant model, the deployer is liable for the resulting harm. This requires rigorous data governance at the point of use, including checks for distribution drift and data quality anomalies.

Art. 29
Deployer Data Duty
04

Monitoring and Incident Reporting

Deployers are legally obligated to monitor the operation of the high-risk AI system based on the instructions of use. If the deployer identifies or has reason to believe that the system presents a serious incident—defined as any malfunction or failure leading to death or serious damage to health or property—they must immediately notify the provider and the relevant market surveillance authority. This triggers a mandatory investigation and potential recall.

Art. 26
Monitoring Obligation
05

Record-Keeping and Logs

Deployers must retain the automatically generated logs of the high-risk AI system for a period appropriate to the system's intended purpose, at minimum six months unless otherwise specified in applicable EU or national law. These logs must capture:

  • The period of each use
  • The reference database against which input data has been checked
  • The input data that led to a match
  • The natural persons involved in verification
Art. 12
Log Retention Mandate
06

Transparency to Affected Individuals

Deployers of emotion recognition systems or biometric categorization systems must inform the exposed natural persons of the operation of the system. For systems making consequential decisions—those producing legal effects or similarly significant impacts—the deployer must provide a meaningful explanation of the role of the AI in the decision-making procedure and the principal parameters of the decision taken. This operationalizes the right to explanation.

Art. 50
Transparency Duty
COMPLIANCE INTEGRATION

Operationalizing Deployer Obligations

The systematic translation of legal duties under the EU AI Act into concrete, auditable workflows and technical controls for the professional user of a high-risk AI system.

Operationalizing deployer obligations is the process of converting the EU AI Act's abstract legal duties into specific, repeatable technical and procedural controls. For a deployer—the entity using a high-risk AI system in a professional setting—this means moving beyond policy documents to implement human oversight mechanisms, automated monitoring pipelines, and data governance protocols that function in a live production environment.

This requires integrating compliance directly into the system's operational lifecycle, including the execution of a fundamental rights impact assessment and the maintenance of an auditable human oversight log. The goal is to ensure that obligations like meaningful human intervention and post-market monitoring are not manual afterthoughts but are engineered as deterministic, verifiable features of the system's architecture.

EU AI ACT RESPONSIBILITY MATRIX

Deployer vs. Provider Obligations

A comparative breakdown of the distinct legal duties assigned to the developer (Provider) and the professional user (Deployer) of a high-risk AI system under the EU AI Act.

ObligationProviderDeployerShared/Joint

Risk Management System

Establish, implement, document, and maintain

Technical Documentation

Compile and maintain comprehensive dossier

Retain records of use and monitoring

Conformity Assessment

Conduct before market placement

CE Marking & Registration

Affix mark and register in EU database

Fundamental Rights Impact Assessment

Conduct prior to first use

Human Oversight

Design system to allow for it

Assign competent humans with actual authority to override

Post-Market Monitoring

Systematically collect and analyze performance data

Monitor operation for anomalies and risks

Serious Incident Reporting

Notify authorities immediately

Notify provider and authorities immediately

Data Governance

Ensure training data meets quality criteria

Ensure input data is relevant to intended purpose

Instructions for Use

Provide clear, complete, and correct instructions

Operate system in accordance with instructions

Substantial Modification

Re-assess compliance if system is modified

Do not modify system without provider coordination

Cooperation with Authorities

Provide documentation on request

Provide documentation on request

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.