# EU AI Act Deployer Obligations Checklist

A deployer file needs more than a policy statement. Use this checklist to collect role evidence, provider instructions, oversight ownership, input data checks, logs where controlled, FRIA triggers, notices, monitoring, and retention records.

Educational starter. Not legal advice.

- [ ] **Confirm role** - Record whether your organization is the deployer, provider, or potentially both for each AI system. (Article 3, Article 25, Article 26)
- [ ] **Confirm high-risk status** - Check whether the system is high-risk under Article 6 and Annex III before relying on a light-touch process. (Article 6, Annex III)
- [ ] **Use according to instructions** - Retain the provider instructions and map how your local procedure follows them. (Article 26)
- [ ] **Assign human oversight** - Name the role responsible for supervision, intervention, override, and escalation. (Article 26, Article 14)
- [ ] **Control input data** - Document how deployer-controlled input data is relevant and sufficiently representative for the intended purpose. (Article 26(4))
- [ ] **Keep logs where under your control** - Preserve system logs or usage records where the deployer controls those logs. (Article 26)
- [ ] **Complete FRIA where triggered** - Assess whether Article 27 applies and retain the impact assessment before first use where required. (Article 27)
- [ ] **Provide transparency notices** - Check whether Article 50 notice or labelling obligations apply to the use case. (Article 50)
- [ ] **Monitor operation** - Define how users report anomalies, performance concerns, rights impacts, and vendor incidents. (Article 26; Article 72/73 escalation context)
- [ ] **Retain evidence** - Keep the system inventory, classification rationale, provider documents, oversight records, training records, and review dates.