Art. 26.8 EU AI Act: registration in the EU database
Art. 26.8 requires deployers that are public authorities (or act on their behalf) to verify that a high-risk AI system is registered in the EU database before putting it into use, and to refrain from using it if it is not.
Updated: June 2026
Introduction: the EU AI database
The EU AI Act establishes a publicly accessible EU database for high-risk AI systems. Art. 49 creates registration obligations for providers. Art. 26.8 extends a more limited registration obligation to deployers, specifically deployers operating high-risk AI systems in areas of particular public interest: public authorities and bodies deploying AI in migration, asylum, and border control, and in biometric identification contexts.
Who must register under Art. 26.8?
Art. 26.8 creates deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry → registration obligations for:
- Public authorities using high-risk AI systems listed in Annex IIIAnnex IIIThe EU AI Act's list of high-risk use-case areas — biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice.Open full entry → points 1, 6, 7, or 8 (biometric identification, law enforcement, migration/asylum, justice)
- Any deployer using a high-risk AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → where the providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → is established outside the EU, in this case the deployer takes on provider-equivalent registration obligations
For most private-sector Dutch organisations deploying AI in HR, credit, or healthcare contexts: Art. 26.8 registration is not directly required. However, the provider is required to register under Art. 49, and deployers should verify that their provider has done so.
What must be registered?
Deployer registrations must include:
- The deployer's name, registered address, and contact details
- The registration number of the AI system (assigned by the provider's registration)
- The deployer's use case, how and in what context the system is deployed
- The categories of individuals affected
- Geographic scope of deployment within the EU
Verification obligations for all deployers
Even where Art. 26.8 does not directly require deployer registration, all deployers of high-risk AI should verify that their provider has fulfilled their registration obligations under Art. 49. Request the system's EU database registration number from your provider and cross-check it against the public database once it is operational.
Compliance checklist
- Are any of your high-risk AI deployments in Annex III points 1, 6, 7, or 8 contexts?
- Is your organisation a public authority? If so, Art. 26.8 registration may apply directly.
- Are any of your AI providers established outside the EU? If so, verify registration obligations carefully.
- Have you requested and verified the EU database registration number from each of your high-risk AI providers?