Art. 26.1 EU AI Act: Following Provider Instructions as a Deployer

Updated: June 2026 — full revision to Validai quality standard

Introduction: The Foundation of Deployer Compliance

Art. 26.1 is the first and in many ways most fundamental deployer obligation: use the AI system in accordance with the instructions provided by the supplier. This sounds simple. In practice, it is the obligation that organisations most frequently violate — not through deliberate non-compliance, but through informal "customisation" of AI system use that diverges from the documented intended purpose.

Art. 26.1 states: "Deployers shall use high-risk AI systems in accordance with the instructions for use accompanying such systems."

What Are "Instructions for Use"?

Instructions for use (gebruiksinstructies) are a formal requirement for high-risk AI providers under Art. 13. They must be provided in machine-readable format and include:

• The identity and contact details of the provider
• The characteristics, capabilities, and limitations of the system
• The intended purpose and the categories of persons the system is designed to act upon
• The level of accuracy and the relevant performance metrics
• Known and foreseeable circumstances that may lead to risks
• Human oversight measures, including technical means to facilitate interpretation of AI outputs
• Required input data specifications and data quality requirements
• Deployment context limitations

For deployers: if your supplier has not provided documentation covering these elements, you cannot demonstrate Art. 26.1 compliance. Request the documentation explicitly, and document your request.

What Does "In Accordance With" Mean?

The compliance obligation has three dimensions:

1. Intended Purpose Compliance

The system must be used for the purpose it was designed and documented for. Using an AI-powered CV screening tool that was designed for initial shortlisting as the sole basis for hiring decisions — without human review — violates the intended purpose and Art. 26.1.

2. Technical Configuration Compliance

If the instructions specify required input data formats, quality standards, or configuration parameters, these must be followed. A credit scoring system that specifies it requires complete 24-month transaction histories cannot validly be used with incomplete 6-month data.

3. User Qualification Compliance

If the instructions specify that certain users require specific qualifications or training to operate the system, deployers must ensure those qualifications are met (connecting Art. 26.1 to the Art. 4 literacy obligation).

Common Violations in Practice

• Using a system in a country or language the provider has not validated
• Expanding the user population beyond the intended audience (e.g. allowing untrained staff to operate a medically validated diagnostic AI)
• Disabling human review steps that the provider's instructions require
• Using the system for decision types it was not designed for
• Integrating the system in an automated pipeline where the instructions specify manual review

Documentation Requirements

For supervisory readiness, deployers should maintain:

• A copy of all provider instructions (versioned)
• A documented mapping of actual use against intended purpose
• Records of configuration settings
• Training records demonstrating user qualifications
• Any written agreements with the provider on scope or customisation

Compliance Checklist

1. Do you have the provider's instructions for use in writing for every high-risk AI system?
2. Does the actual use of each system match its documented intended purpose?
3. Are users trained to the level specified in the provider instructions?
4. Is there a process for reviewing instructions when the provider releases updated versions?
5. Are any deviations from instructions documented and discussed with the provider?