EU AI Act Article 26 and Local AI: Deployer Checklist 2026


The August 2026 deadline for EU AI Act obligations is now just weeks away, and compliance discussions on X are picking up pace. Rémy Schlich noted on X that "EU lawmakers have agreed to delay key obligations for high-risk AI systems under the EU AI Act" — with a revised timeline extending to 2027–2028 for the most demanding requirements. That is accurate. But the nuance matters enormously for SMBs: the delay applies specifically to Annex III high-risk AI systems, not to the general deployer obligations taking effect on 2 August 2026.

If you run a local LLM stack for internal use — document search, meeting summaries, internal Q&A — this distinction changes everything. Based on our reading of the EU AI Act, most of these use cases do not trigger Article 26 at all.

What Article 26 Actually Says

Article 26 of the EU AI Act establishes obligations for deployers — organisations that use AI systems in their own operations — of high-risk AI systems. It does not apply to every AI deployment. The trigger is risk classification under Annex III of the regulation.

If your AI system does not fall under Annex III, Article 26 does not apply to you. You are subject only to the lighter-touch transparency obligations of Article 50.

This means the first question is not "how do we comply with Article 26?" but "does Article 26 even apply to our system?"

The Annex III High-Risk Categories

Based on our reading, Annex III defines eight high-risk domains:

  1. Biometric identification — facial recognition, emotion recognition, biometric categorisation
  2. Critical infrastructure — AI controlling energy, water, or transport systems
  3. Education and training — AI making or influencing admission, grading, or assessment decisions
  4. Employment — recruitment, performance evaluation, promotion, or termination decisions
  5. Access to essential services — creditworthiness, insurance risk scoring, social benefit eligibility
  6. Law enforcement — risk profiling of individuals, emotion detection in investigations
  7. Migration and asylum — risk classification or application assessment
  8. Administration of justice — AI supporting judicial or administrative decisions

For most SMBs running local LLMs as internal productivity tools, none of these apply. A self-hosted Llama 3.3 or Qwen2.5 instance answering employee questions, drafting emails, or searching knowledge bases does not, in our reading, constitute a high-risk system under Annex III.

Five Practical Scenarios

Scenario 1: Internal Knowledge Assistant

A logistics company runs a local Mistral model that answers staff questions about shipping procedures and regulatory requirements. Classification: not high-risk. Article 26 does not apply.

Scenario 2: RAG-Based Document Search

A law firm uses local embeddings with Qwen2.5 to search contract archives. Lawyers review all results and make every decision. Classification: not high-risk. Human decision-making is the operative step.

Scenario 3: Automated CV Screening

An HR department deploys a model that ranks candidates and auto-generates rejection decisions. Classification: high-risk (Annex III §4 — employment). Article 26 applies in full.

Scenario 4: Credit Scoring Support

A lending institution uses a locally hosted model to generate creditworthiness assessments for loan applicants. Classification: high-risk (Annex III §5 — essential services). Article 26 applies in full.

Scenario 5: Procurement Recommendation Engine

A procurement team uses a local LLM to evaluate supplier proposals and rank them. Classification: depends on implementation. If a human reviews all outputs before any decision, this is likely not high-risk. If the system's ranking directly determines contract awards without meaningful human review, the classification becomes less clear. Legal advice recommended.

The Article 26 Compliance Checklist

For organisations whose local AI deployment does fall under Annex III, Article 26 sets out the following core obligations based on our reading:

โ˜ Follow the provider's instructions for use (Art. 26(1)) Use the system only for its documented purpose. Retain written records of the intended use case and any deviations from provider guidance.

โ˜ Implement human oversight measures (Art. 26(2)) Ensure that a natural person can review and override system outputs before they take effect. The person responsible must have sufficient understanding to make a genuine judgement.

โ˜ Monitor operation and maintain logs (Art. 26(5)) Monitor the system during operation. Enable automatic logging where technically possible. Retain logs for at least six months. With locally hosted systems, this infrastructure is entirely within your own control โ€” a structural advantage.

โ˜ Report serious incidents to the provider (Art. 26(5)) Notify the AI system provider immediately of serious incidents or malfunctions that affect fundamental rights or safety. Where incidents have implications for public safety, notify the national supervisory authority (UK: ICO; DE: BNetzA / BSI; ES: AESIA).

โ˜ Conduct a Fundamental Rights Impact Assessment where applicable (Art. 26(9)) Required for certain public bodies and private entities providing essential services such as credit and insurance, before deploying a high-risk AI system. Document findings.

โ˜ Check EU database registration requirements Certain high-risk AI systems must be registered in the EU AI Act database. Clarify with your provider whether they handle this obligation or whether you must act independently.

Updated Timeline: The Digital Omnibus Effect

The political agreement of 7 May 2026 between the Council of the EU and the European Parliament — part of the Digital Omnibus package — adjusted the enforcement schedule for high-risk AI. Based on our reading:

Date             | What applies
2 February 2025  | Art. 4 (AI literacy) — already in force
2 August 2026    | General deployer obligations: transparency, AI competence documentation, use case logging
2 December 2027  | Full Art. 26 obligations for standalone high-risk AI (Annex III)
2 August 2028    | Art. 26 obligations for high-risk AI embedded in regulated products (Annex I)

SMBs running general-purpose local AI assistants are primarily affected by the August 2026 layer: they need to document what AI they use, demonstrate staff competence (Art. 4), and apply basic transparency where AI interacts with users or produces consequential outputs.

Article 26's more demanding requirements — logging, oversight, incident reporting — are relevant only to Annex III deployments, and those organisations now have until December 2027.

Why Local AI Simplifies Article 26 Compliance

A point worth making: for organisations that do deploy high-risk AI, a local LLM setup is structurally easier to bring into Article 26 compliance than a cloud-API solution.

When you run a model on-premise — whether on a Mac Studio M3 Ultra, a dedicated GPU server, or an edge device — you own all compliance-critical infrastructure by default:

  • Complete log retention: every interaction stays on your servers, subject only to your own policies and retention schedules — not a cloud provider's data terms.
  • Configurable oversight gates: human approval steps can be built directly into the workflow at the application layer, with the model infrastructure under your control.
  • Full data isolation: no training data, no query data, and no output data crosses external network boundaries — directly relevant to GDPR Art. 25 (data protection by design).

For more on how local AI affects your data protection posture, see our overview of data sovereignty with local AI.

The kAIra toolkit includes a pre-built Annex III classification flow that generates a documented audit trail — designed specifically so SMBs can answer the "is this high-risk?" question in writing before deployment.

What to Do Now

Whether or not Article 26 applies to your current AI setup, the action items before August 2026 are the same for every deployer:

  1. Inventory your AI tools — every system in use, not just the prominent ones
  2. Run the Annex III check — does any deployment fall into the eight categories?
  3. Document purpose and scope — written description of each system's function and decision context
  4. Demonstrate staff AI competency — Art. 4 applies to every deployer, regardless of risk class
  5. For high-risk deployments: start building the Article 26 infrastructure now, ahead of the December 2027 deadline

Start with a pilot project to get your local AI stack classified, documented, and ready for August 2026. Questions about your specific use case? Get in touch.