Art. 26.8 EU AI Act: registration in the EU database

Updated: June 2026

Introduction: the EU AI database

The EU AI Act establishes a publicly accessible EU database for high-riskriskIn the EU AI Act's terms, the combination of the probability that a harm occurs and the severity of it if it does. The link between a principle (via the harm that would breach it) and a control (the measure that reduces it). Naming the harm and assessing its risk is required by Art. 9 before any mitigation measure is chosen. See harm, control, residual risk.Open full entry → AI systems. Art. 49 creates registration obligations for providers. Art. 26.8 extends a more limited registration obligation to deployers, specifically deployers operating high-risk AI systems in areas of particular public interest: public authorities and bodies deploying AI in migration, asylum, and border controlcontrolThe concrete, testable measure that reduces a specific risk, and through that risk protects the principle behind it. Also called a risk management measure, risk response, or risk treatment. Always traceable to the risk it addresses: under EU AI Act Art. 9 every control must map back to a specific risk, and controls recorded separately from their risks is a recognized compliance failure. It works in one of three types: preventive, detective, or corrective. See risk, control types, evidence.Open full entry →, and in biometric identification contexts.

Who must register under Art. 26.8?

Art. 26.8 creates deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry → registration obligations for:

1. Public authorities using high-risk AI systems listed in Annex IIIAnnex IIIThe EU AI Act's list of high-risk use-case areas — biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice.Open full entry → points 1, 6, 7, or 8 (biometric identification, law enforcement, migration/asylum, justice)
2. Any deployer using a high-risk AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → where the providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → is established outside the EU, in this case the deployer takes on provider-equivalent registration obligations

For most private-sector Dutch organizations deploying AI in HR, credit, or healthcare contexts: Art. 26.8 registration is not directly required. However, the provider is required to register under Art. 49, and deployers should verify that their provider has done so.

What must be registered?

Deployer registrations must include:

• The deployer's name, registered address, and contact details
• The registration number of the AI system (assigned by the provider's registration)
• The deployer's use case, how and in what context the system is deployed
• The categories of individuals affected
• Geographic scope of deployment within the EU

Verification obligations for all deployers

Even where Art. 26.8 does not directly require deployer registration, all deployers of high-risk AI should verify that their provider has fulfilled their registration obligations under Art. 49. Request the system's EU database registration number from your provider and cross-check it against the public database once it is operational.

Compliance checklist

1. Are any of your high-risk AI deployments in Annex III points 1, 6, 7, or 8 contexts?
2. Is your organization a public authority? If so, Art. 26.8 registration may apply directly.
3. Are any of your AI providers established outside the EU? If so, verify registration obligations carefully.
4. Have you requested and verified the EU database registration number from each of your high-risk AI providers?