Deployer Obligation Self-Assessment

Even if your AI vendor is fully compliant, you as a deployer still have independent legal obligations under the EU AI Act. This tool maps exactly what YOU must do.

Why this matters: Vendor compliance does not make you compliant. A SOC2-certified SaaS vendor does not give you SOC2. Same principle applies here. Deployers carry obligations under Articles 26, 29, 50, and FRIA requirements that no provider can fulfill on your behalf.

Assess Your Deployer Readiness

Answer five questions covering the core deployer obligations. Each maps to specific Articles you must satisfy independently of your AI provider.

Your score and gap analysis are generated locally. Use the output to prioritize your compliance roadmap.

Privacy By Design: This executes entirely in your browser. We never see your responses.

1. Use Per Provider Instructions (Article 26(1))

Do you operate your high-risk AI system in accordance with the provider's instructions for use?

No Documentation (Critical)

We have not received or reviewed provider instructions. Operators use the system based on informal training.

Partial Compliance

We have provider documentation but have not verified our actual usage aligns with the stated intended purpose.

Verified Compliance

We maintain auditable records confirming our use matches the provider's intended purpose and instructions.

2. Human Oversight (Article 26(2))

Have you assigned human oversight to individuals who have the competence, training, and authority to fulfill that function?

No Oversight (Critical)

AI outputs are accepted automatically. No designated human overseer exists for high-risk decisions.

Informal Oversight

A person reviews outputs, but they lack formal training on the AI system's limitations and override authority is unclear.

Structured Oversight (Compliant)

Designated overseers are trained, have documented authority to override, and their interventions are logged.

3. Monitoring and Incident Reporting (Articles 26(5), 72)

Do you monitor the AI system's operation and report serious incidents to the provider and relevant authorities?

No Monitoring (Critical)

We do not actively monitor the AI system post-deployment. No incident reporting process exists for AI-specific events.

Generic IT Monitoring

We use standard IT monitoring but have no AI-specific incident classification, escalation, or authority notification process.

Active AI Monitoring (Compliant)

We monitor for anomalies, have AI-specific incident codes, and maintain a documented process for notifying the provider and national authorities of serious incidents.

4. Log Retention (Article 26(6))

Do you retain AI-generated logs for at least six months under your direct control?

No Retention (Critical)

Logs are overwritten by vendor defaults (typically 30 days). We have no independent log retention.

Vendor-Managed

We rely on the vendor to retain logs but have not verified the retention period or our ability to access them for audits.

Independent Retention (Compliant)

We export and retain logs under our direct control for at least six months, accessible for regulatory audit.

5. Transparency and FRIA (Articles 26(7-11), 27)

Have you completed a fundamental rights impact assessment (if required) and do you notify affected individuals and workers?

No FRIA or Notification (Critical)

We have not assessed fundamental rights impact. Workers and affected individuals are not informed about AI use in decisions affecting them.

Partial Compliance

We updated our GDPR privacy notice but have not completed a specific AI fundamental rights impact assessment or notified workers' representatives.

Full Compliance

FRIA completed (where required), workers' representatives notified, and individuals informed when AI decisions affect them.

Deployer Obligation Assessment Record

Disclaimer: This self-assessment provides a baseline readiness indicator. It does not replace a formal legal audit. Consult licensed EU regulatory counsel to ensure full deployer compliance.