GovCompass
Knowledge base
ReferenceAccountability

Art. 26.1 EU AI Act: following provider instructions as a deployer

By Michel Venniker· · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

Updated: June 2026

Introduction: the foundation of deployer compliance

Art. 26.1 is the first and in many ways most fundamental deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry → obligation: use the AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → in accordance with the instructions provided by the supplier. This sounds simple. In practice, it is the obligation that organisations most frequently violate, not through deliberate non-compliance, but through informal "customisation" of AI system use that diverges from the documented intended purpose.

Art. 26.1 states: "Deployers shall use high-risk AI systems in accordance with the instructions for use accompanying such systems."

What are "instructions for use"?

Instructions for use (gebruiksinstructies) are a formal requirement for high-risk AI providers under Art. 13. They must be provided in machine-readable format and include:

  • The identity and contact details of the providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry →
  • The characteristics, capabilities, and limitations of the system
  • The intended purpose and the categories of persons the system is designed to act upon
  • The level of accuracy and the relevant performance metrics
  • Known and foreseeable circumstances that may lead to risks
  • Human oversighthuman oversightDesigned-in human ability to monitor, intervene in, override or shut down an AI system — meaningful only when the human has authority, information and time to act.Open full entry → measures, including technical means to facilitate interpretation of AI outputs
  • Required input data specifications and data quality requirements
  • Deployment context limitations

For deployers: if your supplier has not provided documentation covering these elements, you cannot demonstrate Art. 26.1 compliance. Request the documentation explicitly, and document your request.

What does "in accordance with" mean?

The compliance obligation has three dimensions:

1. intended purpose compliance

The system must be used for the purpose it was designed and documented for. Using an AI-powered CV screening tool that was designed for initial shortlisting as the sole basis for hiring decisions, without human review, violates the intended purpose and Art. 26.1.

2. technical configuration compliance

If the instructions specify required input data formats, quality standards, or configuration parameters, these must be followed. A credit scoring system that specifies it requires complete 24-month transaction histories cannot validly be used with incomplete 6-month data.

3. user qualification compliance

If the instructions specify that certain users require specific qualifications or training to operate the system, deployers must ensure those qualifications are met (connecting Art. 26.1 to the Art. 4 literacy obligation).

Common violations in practice

  • Using a system in a country or language the provider has not validated
  • Expanding the user population beyond the intended audience (e.g. allowing untrained staff to operate a medically validated diagnostic AI)
  • Disabling human review steps that the provider's instructions require
  • Using the system for decision types it was not designed for
  • Integrating the system in an automated pipeline where the instructions specify manual review

Documentation requirements

For supervisory readiness, deployers should maintain:

  • A copy of all provider instructions (versioned)
  • A documented mapping of actual use against intended purpose
  • Records of configuration settings
  • Training recordstraining recordsEvidence of who completed which training content version, when, with results — the artefact that makes training function as a compliance control.Open full entry → demonstrating user qualifications
  • Any written agreements with the provider on scope or customisation

Compliance checklist

  1. Do you have the provider's instructions for use in writing for every high-risk AI system?
  2. Does the actual use of each system match its documented intended purpose?
  3. Are users trained to the level specified in the provider instructions?
  4. Is there a process for reviewing instructions when the provider releases updated versions?
  5. Are any deviations from instructions documented and discussed with the provider?
Legal referencesArt. 26Art. 13Art. 4

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.6 EU AI Act: log retention and audit trail obligations

Reference

Art. 26.6 requires deployers of high-risk AI to retain the system-generated logs for at least six months, unless other law requires longer. The logs are the primary evidence that the system was used in accordance with its instructions.