# EU AI Act August 2026: The Deployer Compliance Checklist for Swiss Companies

> Author: Chris Jon Graf (AI Strategist & CEO)
> Updated: 2026-06-26
> URL: https://ai-outsourcing.ch/insights/eu-ai-act-august-2026-the-deployer-compliance-checklist-for-swiss-companies

## Summary

On August 2, 2026, the full high-risk AI obligations of the EU AI Act enter into force. Swiss companies deploying AI agents face a critical compliance gap: Article 26 establishes nine independent, non-delegable deployer obligations — regardless of vendor certification. Provider certification does not shield the deployer. This guide shows C-level executives exactly what must be implemented before the enforcement deadline and why the most common misconception — that compliance lies with the vendor — is legally untenable.

## The Deadline and the Misconception: Why August 2026 Remains Critical for Deployers

On August 2, 2026, the transition period for all high-risk AI systems under the EU AI Act expires. Although the AI Omnibus political agreement of May 7, 2026 proposes shifting standalone Annex III systems to December 2, 2027, this amendment is not yet enacted in law. Legal counsel across the industry advise planning for August 2, 2026 regardless. For Swiss companies with EU market activity, the extraterritorial reach under Article 2(1)(c) is unambiguous: any deployer in a third country whose AI system outputs are used in the EU falls within scope — irrespective of Switzerland not having adopted the EU AI Act.

The most prevalent misconception at C-level: 'Our AI vendor is certified, so we are compliant.' Article 26 makes it unequivocal: vendor certification does not release the deployer from any of its nine independent obligations. You bear legal responsibility for deployment — regardless of who built the system.

## The Nine Non-Transferable Deployer Obligations Under Article 26

Article 26 EU AI Act establishes nine independent obligations that rest with the deployer and cannot be delegated to the provider. These obligations are cumulative — absence of a single one can trigger sanctions up to €15 million or 3% of worldwide annual turnover.

### 1. Use in Accordance with Provider Instructions

You must deploy the AI system exclusively according to the provider's instructions for use. Any deviation — such as using an HR evaluation agent for credit decisions — makes you legally the manufacturer with all associated obligations under Chapter III Section 2. The provider's instructions are not optional but legally binding.

### 2. Assignment of Competent Human Oversight Personnel

You must designate natural persons with sufficient competence, authority and technical understanding to oversee the system. These individuals must be capable of understanding, questioning and overriding AI decisions. A formal 'human-in-the-loop' setup without actual competence does not suffice.

### 3. Retention of Audit Trails for At Least Six Months

You must retain automatically generated logs of AI system decisions for at least six months — technically and legally separate from other business logs. This includes input data, timestamps, decision paths and confidence scores. Logs must be available to supervisory authorities within 48 hours upon request.

### 4. Continuous Monitoring of Operation

You must continuously monitor whether the system functions as intended and shows no signs of bias, drift or unexpected correlations. This requires defined KPIs, thresholds and escalation processes — not occasional spot checks.

### 5. Reporting of Serious Incidents Without Undue Delay

Serious incidents — defined as events with impacts on fundamental rights, health or safety — must be reported to the competent market surveillance authority without undue delay. The industry standard interprets 'without undue delay' as 72 hours. Internal investigation must not delay reporting.

### 6. Conducting a Fundamental Rights Impact Assessment (FRIA)

Before deploying high-risk AI affecting vulnerable groups, a FRIA is mandatory. This must go beyond technical risk assessment to analyse societal, ethical and individual fundamental rights impacts. The FRIA must be documented and presented upon request.

### 7. Worker Notification Before Workplace AI Deployment

Under Article 26(7), workers and their representatives must be informed before workplace AI systems are deployed. This applies to systems for performance evaluation, monitoring, recruitment or work allocation. Information must be transparent, comprehensible and timely: it must be given before implementation, not at implementation.

### 8. Bridging GDPR DPIA and AI Act Documentation

You must coordinate data protection impact assessments under GDPR (or Swiss revDSG) with AI-Act-specific risk assessments. The two frameworks overlap but are not identical. An isolated DPIA does not fulfil AI Act requirements.

### 9. Implementation of AI Literacy Training

You must ensure that all personnel interacting with the AI system possess sufficient AI literacy. This includes not only technical users but also executives making decisions based on AI outputs.

> **Legal Clarification**
>
> The provider's system card does NOT substitute your own deployer documentation. You are obliged to maintain independent records of risk assessment, oversight measures and governance structures. This is an independent duty and cannot be substituted by vendor documentation.

## AI Agents and Annex III Classification: Why Orchestration Increases Risk

The EU AI Act creates no separate risk category for autonomous agents. Classification depends on the task. A scheduling agent is minimal risk. An agent evaluating employee performance falls under Annex III Category 4 — high risk. Critical for orchestrated agents coordinating multiple sub-tasks: if even ONE sub-task falls under Annex III, the entire agent system may be classified high risk. HR, finance, credit scoring, healthcare and essential services are almost always affected.

This means for outsourced AI agents: you cannot assume an agent is 'low risk' simply because the primary function appears benign. If the agent accesses HR data or generates financial recommendations as part of its decision logic, this can elevate the entire application into the high-risk category.

**35%** of enterprises have scaled agentic automation across two or more business functions without corresponding governance (McKinsey 2025).

## Layered Compliance: Where Provider Obligations End and Deployer Obligations Begin

The EU AI Act divides responsibility into two clearly separated layers: the provider bears GPAI obligations under Articles 9, 12 and 13 — risk management, logging capability, transparency documentation. The deployer bears high-risk system obligations at the application layer. Clarity on where one set of obligations ends and the other begins is essential. A common error: deployers assume the provider's system card covers their own documentation duties. This is legally incorrect.

For Swiss companies outsourcing AI agents, this means: you must demand full GPAI compliance documentation from the provider AND build your own deployer evidence in parallel. The GPAI Code of Practice, endorsed in August 2025, provides a compliance pathway — but only for the provider side.

## Swiss Particularity: Extraterritoriality Without National Adoption

Switzerland has deliberately NOT adopted the EU AI Act, pursuing a sector-specific approach based on OECD and Council of Europe guidelines. The revDSG runs in parallel. Nonetheless: Swiss companies active in EU markets or whose AI outputs are used in the EU must fully comply with EU AI Act obligations — even when physically operating in Switzerland. Article 2(1)(c) makes the extraterritorial effect unambiguous. You cannot invoke the absence of national adoption if your business activity produces EU-relevant outputs.

This creates a dual challenge for Swiss C-level: you must remain revDSG-compliant AND simultaneously fulfil EU AI Act deployer obligations. The two frameworks do not harmonise automatically. A coordinated governance approach is imperative.

> **Strategic Note**
>
> Use the transition period to build integrated governance structures covering both revDSG and EU AI Act. An isolated compliance initiative per regulation is inefficient and leads to inconsistencies. Establish ONE central AI governance function coordinating both frameworks.

## What Swiss C-Level Must Do in the Coming Weeks

1. Inventory all deployed AI systems and classify each according to Annex III. Orchestrated agents can become high-risk through a single high-risk sub-task.
2. Demand full GPAI compliance documentation from your AI providers, including system card, risk management protocols and technical documentation.
3. Build your own deployer documentation in parallel: risk assessment for the specific use case, oversight structures, designated oversight personnel, escalation processes.
4. Implement a log retention system that stores automatically generated audit trails for at least six months and can deliver them to supervisory authorities within 48 hours.
5. Conduct a Fundamental Rights Impact Assessment for each high-risk system before productive deployment — especially when vulnerable groups are affected.
6. Train your workforce in AI literacy and ensure oversight personnel actually possess the competence to question and override AI decisions.
7. Establish a 72-hour incident response process for serious incidents with a direct reporting line to the competent market surveillance authority.
8. Coordinate GDPR/revDSG data protection impact assessments with AI Act risk assessments in an integrated governance framework.
9. Inform workers and their representatives transparently about planned workplace AI deployments — before implementation, not during.

## FAQ

### Does the EU AI Act apply to Swiss companies even though Switzerland has not adopted it?

Yes, if your company is active in EU markets or if your AI system outputs are used in the EU. Article 2(1)(c) explicitly regulates extraterritorial effect: any deployer in a third country whose system outputs are used in the EU is subject to the EU AI Act — independent of national legislation.

### Does my AI provider's certification protect me from deployer obligations?

No. Provider certification fulfils only provider obligations under Chapter III Section 2. Article 26 defines nine independent deployer obligations that are non-transferable. You bear legal responsibility for deployment — regardless of whether the provider is certified. This is one of the most common and consequential misconceptions.

### How long must I retain AI system logs?

At least six months. Logs must comprise automatically generated audit trails of AI decisions — input data, timestamps, decision paths, confidence scores. They must be stored technically and legally separate from other business logs and deliverable to supervisory authorities within 48 hours.

### What counts as a 'serious incident' that must be reported?

Events with impacts on fundamental rights, health or safety of persons. This includes systematic discrimination, unexpected decision patterns with bias, or technical failures with societal consequences. Reporting must occur 'without undue delay' — industry standard is within 72 hours, independent of the status of internal investigations.

### Is a GDPR data protection impact assessment sufficient for AI Act compliance?

No. GDPR data protection impact assessments and AI Act risk assessments overlap but are not identical. A DPIA focuses on data protection risks; the AI Act demands a broader analysis including fundamental rights, societal impacts and technical risks. You must coordinate both frameworks, not substitute one for the other.

### What sanctions apply for violation of deployer obligations?

Up to €15 million or 3% of worldwide annual turnover for missing risk management, logging or transparency duties. Up to €35 million or 7% for prohibited practices. Article 99 EU AI Act sets fines according to severity and turnover. Swiss companies with EU market activity are also subject to these sanctions.

