What is the minimum log retention under Article 26?

Article 26 paragraph 6 requires deployers to keep automatically generated logs for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in applicable Union or national law. Sectoral overlays (AML, healthcare, public procurement) routinely push retention to 5-10 years.

Does Article 26 require a DPIA?

Article 26 paragraph 9 requires deployers that are bodies governed by public law, or private operators providing public services, and deployers of certain high-risk systems listed in Annex III, to perform a fundamental rights impact assessment before first use. This is in addition to any GDPR Article 35 DPIA obligation.

Who counts as a deployer?

Article 3(4) defines a deployer as any natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity. The distinction between provider and deployer is critical: providers place systems on the market, deployers use them.

EU AI Act Article 26 deployer obligations: a 2026 compliance checklist

Q: When do Article 26 deployer obligations apply?

Article 26 obligations on deployers of high-risk AI systems apply from 2 August 2026, twenty-four months after Regulation (EU) 2024/1689 entered into force on 1 August 2024. Obligations on prohibited practices (Article 5) began 2 February 2025; general-purpose AI model rules began 2 August 2025.

Eleven obligations, eleven evidence artefacts. The checklist deployers can hand to their auditor on 2 August 2026.

Why Article 26 Is The Operational Spine

Most coverage of the EU AI Act focuses on Article 6 (high-risk classification) and Article 9 (risk management). Those bind providers. Article 26 binds deployers — the operators using the AI system in the real world — and the deployer-facing obligations start applying on 2 August 2026, twenty-four months after Regulation (EU) 2024/1689 entered into force on 1 August 2024.

If you are a hospital using a triage model, a bank using a credit-scoring model, an HR platform using a CV-screening model, a public authority using a benefits-assessment model: you are the deployer. Article 26 is your contract with the auditor.

The Eleven Obligations, Mapped To Evidence

Article 26 has eleven sub-paragraphs. Each one is operationalisable. The table below maps each paragraph to the evidence artefact a deployer needs to be able to produce on request.

§	Obligation (paraphrased)	Evidence artefact
26§1	Take appropriate technical and organisational measures to use the system per the provider's instructions.	Signed acceptance of the instructions-for-use document; deployment configuration diff against the provider baseline.
26§2	Assign human oversight to natural persons with necessary competence, training, and authority.	Named human-oversight roster with training records and authority delegation.
26§3	Ensure input data is relevant and sufficiently representative for the intended purpose.	Input-data governance policy + sample audit of input distribution vs intended purpose.
26§4	Monitor operation based on instructions and inform the provider of risks.	Monitoring dashboard + incident-ticketing trail with provider notifications.
26§5	Suspend use and inform the provider and the market surveillance authority where a serious incident occurs.	Incident-response runbook with 15-day notification SLA and contact list.
26§6	Keep automatically generated logs for at least six months.	Append-only audit ledger with retention floor enforced at the storage layer.
26§7	Inform workers' representatives and affected workers before putting a workplace high-risk AI system into use.	Workforce notification record with timestamps.
26§8	Where applicable, register the use of a high-risk AI system in the EU database.	EU database registration ID and submission receipt.
26§9	Carry out a fundamental rights impact assessment (FRIA) for in-scope deployments.	FRIA document signed by deployer accountable person.
26§10	Inform natural persons subject to the use of a high-risk AI system used to make decisions concerning them.	Affected-person disclosure language + record of delivery channel.
26§11	Cooperate with competent authorities on any action taken in respect of the system.	Designated authority-liaison contact + cooperation log.

An auditor walkthrough that cannot produce all eleven artefacts on request fails Article 26.

The Three Most Commonly Missed Obligations

Across the deployer reviews we have run in 2026, three obligations are missed more often than the other eight combined.

26§6 (log retention). Deployers point to a vendor SLA. The vendor SLA says retention is the deployer's responsibility. The deployer's storage uses its standard 90-day backup policy. The system fails the six-month floor by default. Fix: confirm in writing where the audit log is stored and that it survives at least six months. A storage-layer retention floor like the one described in our Article 12 post is the safest pattern.
26§9 (FRIA). Treated as identical to a GDPR Article 35 DPIA. It is not. The FRIA requires assessment of impact on fundamental rights including non-discrimination, freedom of expression, and access to public services, separate from data-protection risk. Fix: maintain a distinct FRIA artefact, not a re-labelled DPIA.
26§10 (affected-person notification). Deployers that fold the notice into a 30-page terms-of-service update fail the "informed" test. Fix: a discrete, plain-language notice at the point of decision, with a record of delivery.

The 2026 Timeline

Regulation (EU) 2024/1689 staggers application by article. The relevant deployer dates:

2 February 2025 — Chapter I (general provisions) and Article 5 (prohibited practices) in force. Deployers cannot use prohibited systems from this date.
2 August 2025 — General-purpose AI model obligations (Chapter V) apply. Deployers of GPAI-based systems are downstream of this date.
2 August 2026 — Article 26 deployer obligations on high-risk systems apply. This is the binding date for everything in the table above.
2 August 2027 — Obligations on high-risk AI systems embedded in regulated products (Annex I) apply.
2 December 2027 — Specific obligations on remote biometric identification under Article 26 paragraph 10 second sub-paragraph apply for deployers of post-remote biometric identification systems.

Building The Evidence Bundle

The point of the table above is that Article 26 compliance is an artefact-management problem, not a sentiment-management problem. A deployer that maintains the eleven artefacts as living documents, regenerates them after every material change, and can produce them on request is compliant. A deployer with a beautiful policy statement and no artefacts is not.

The AiEGIS Harness produces machine-readable artefacts for paragraphs 1, 4, 5, 6, and 11 by default; paragraphs 2, 3, 7, 9, and 10 are organisational artefacts the deployer must produce; paragraph 8 is a one-off registration. The complete machine-readable Article 26 mapping is published at /audit/article26-mapping.json.

Next Step

If you are within the 2 August 2026 window and have not yet built the evidence bundle, the fastest path is to start from a working harness rather than a blank policy document. AiEGIS Harness ships the artefact generators for the technical paragraphs; the organisational paragraphs are templated in the governance pack.