Although Article 4 does not appear in Chapter II, Section 2, it does appear at the end of Chapter I and imposes an obligation on deployers to ensure their staff and others dealing with the operation and use of AI systems have sufficient AI literacy. Deployers should consider the technical knowledge, experience, education and training; the context of how the AI systems will be used; and the people using them.

Under Article 3, the objective of AI literacy is to enable deployers and other parties to make informed decisions about AI systems and their deployment, as well as to gain awareness about the opportunities, risks and possible harms AI can cause. These notions may vary depending on the context the AI is used in, which suggests deployers must adapt their training to be meaningful for their staff, so the staff can acquire the necessary skills and knowledge about the AI being deployed.

For deployers, AI literacy may include understanding the correct application of technical elements during the AI system's development phase, the measures to be applied during its use or the suitable ways to interpret the AI system's output.

The EU AI Board is required to support the European Commission in promoting AI literacy tools, as well as public awareness and understanding of the benefits, risks, safeguards, rights and obligations in relation to the use of AI systems.

Deployers are generally not subject to due diligence requirements, unlike importers and distributors of high-risk AI systems.

However, deployers that are public authorities and EU institutions, bodies, offices or agencies must first verify the high-risk AI system they intend to use has been properly registered in the EU database in accordance with Article 49. They must also refrain from using an AI system that has not been registered.

Deployers are required to monitor the operation of the high-risk AI system based on the instructions for use they receive from the provider. When relevant, they must give feedback to the provider, which enables the provider to comply with the system's post-market monitoring obligations.

If the deployer has any reason to believe use of the high-risk AI system in accordance with the instructions for use may result in it presenting a risk to the health, safety and fundamental rights of individuals, see Article 79(1), the deployer must inform the provider or distributor and the relevant market surveillance authority without undue delay and suspend further use of that system.

Financial institutions that are deployers are deemed to have fulfilled their monitoring obligation if they have complied with the rules under EU law on internal governance arrangements, processes and mechanisms that apply to the financial sector.

When Article 35 of the EU General Data Protection Regulation requires deployers to carry out data protection impact assessments, they may rely on the instructions for use given by the provider for assistance.

Deployers must assign human oversight to natural persons who have the necessary competence, training, authority and support to oversee the use of high-risk AI systems. Deployers remain free to organize their own resources and activities to implement the human oversight measures indicated by the providers.

To the extent the deployer exercises control over the input data, it must ensure the input data is relevant and sufficiently representative of the high-risk AI system's intended purpose.

If a deployer has identified a serious incident, it must immediately inform the provider, then the importer or distributor and the relevant market surveillance authorities.

Before "putting to service" or using a high-risk AI system in the workplace, deployers who are employers must inform affected workers and their representatives that they will be subject to the use of the high-risk system, in accordance with the rules and procedures under EU or national law.

Regardless of the transparency requirements that apply to certain AI systems, such as chatbots, generative AI, deepfakes or emotion-recognition systems, deployers of high-risk AI systems referred to in Annex III, those concerned with fundamental rights rather than product safety, that make or assist in making decisions related to natural persons must inform them about the use of the high-risk AI system.

When a high-risk AI system processes personal data, deployers must keep the automatically generated logs for a period appropriate to the system's intended purpose, which is at least six months, unless indicated otherwise in applicable EU or national law, particularly the GDPR.

Financial institutions that are deployers must maintain the logs as part of the documentation they are required to keep in accordance with EU laws applicable to the financial sector.

Deployers must cooperate with the relevant competent authorities in any action they take regarding the high-risk AI system to implement the AI Act. Deployers of post-remote biometric identification systems must also submit annual reports to the relevant market surveillance and data protection authorities. Specific additional obligations apply to deployers of post-remote biometric identification systems.

Article 27 of the AI Act mandates deployers of high-risk AI systems to conduct fundamental rights impact assessments to evaluate and mitigate potential adverse impacts on fundamental rights. However, unlike data protection impact assessments imposed on any controller of a high-risk processing activity, FRIAs are limited to certain high-risk AI systems and some deployers. Significantly, providers are not required to carry out FRIAs because deployers decide to use AI systems for specific concrete purposes.

FRIAs only apply to high-risk AI systems that fall under Article 6.2 of the AI Act. Deployers of high-risk AI systems that are intended to be used as safety components of products or are products themselves, covered by the EU harmonization legislation and pursuant to Article 6.1 of the AI Act, are not required to carry out FRIAs. High-risk AI systems that fall under Article 6.1 are already required to undergo third-party conformity assessments before they are placed on the market or put into use.

Furthermore, deployers of high-risk AI systems that are intended to be used as safety components in the management and operation of critical digital infrastructure or road traffic or in the supply of water, gas, heat or electricity are also excluded from the obligation to carry out FRIAs.

For all other high-risk AI systems that fall under Annex III, the obligation to carry out FRIAs is limited to the following categories of deployers:

• Public law entities.
• Private operators that provide public services, such as education, health care, social services, housing and administration of services.
• Other private operators, such as banks and insurance entities, that deploy AI systems to evaluate creditworthiness, establish a credit score, and assess risk and pricing for life and health insurance.

This means, in practice, many deployers using high-risk AI systems will not be required to perform FRIAs though they may still need to carry out DPIAs.

FRIAs must contain the following information:

• A description of the deployer's processes that will use the high-risk AI system in line with its intended purpose.
• A description of the period in which and the frequency with which each high-risk AI system is intended to be used.
• The categories of natural persons and groups likely to be affected by the system's use in the specific context.
• The specific risks of harm likely to impact the categories of persons or groups of persons identified pursuant to the last bullet above, taking into account the information given by the provider pursuant to Article 13, i.e., instructions for use.
• A description of the implementation of human oversight measures, according to the instructions for use.
• The measures to be taken when those risks materialize, including the arrangements for internal governance and complaint mechanisms.

Deployers are only required to carry out FRIAs for the first use of a high-risk AI system. They may rely on previously conducted FRIAs or existing impact assessments carried out by the provider. They may also rely on DPIAs if one has been carried out that reflects the FRIA's obligations. Deployers have an obligation to keep their FRIAs up to date. Once the assessment has been performed, deployers must notify the market surveillance authority of the results. This will involve submitting a completed template questionnaire developed by the AI Office.

By performing this assessment, deployers ensure their use of high-risk AI systems is compliant with legal standards and aligned with the broader ethical obligations to protect and promote fundamental human rights, thereby fostering greater public trust and acceptance of AI technologies.

Before importers place high-risk AI systems on the market, they must verify the AI system's conformity with the AI Act. In particular, they must verify:

• The provider has conducted the proper conformity assessment in accordance with Article 43.
• The provider has drawn up the technical documentation of the AI system.
• The AI system bears the required CE marking and is accompanied by the EU declaration of conformity and instructions for use.
• The provider has appointed an authorized representative in accordance with Article 22(1), when required.

Importers must indicate their name, registered trade name or registered trademark, and the address where they can be contacted on the high-risk AI system and its packaging or accompanying documentation, when applicable. While a high-risk AI system is under their responsibility, they should ensure the storage or transport conditions do not jeopardize the system's compliance with the requirements under Chapter III, Section 2 of the AI Act.

Importers should not place a high-risk AI system on the market if there is reason to believe it does not conform with the AI Act, is falsified or is accompanied by falsified documentation until the system has been brought into conformity. Presumably, the provider must bring the high-risk AI system into conformity, given that the importer is required in such cases to inform the provider about the risks of the AI system.

Importers must keep a copy of the EU declaration of conformity, the certificate issued by the notifying body and the instructions of use for 10 years after the high-risk AI system is placed on the market or put into service. Importers must also ensure technical documentation is available for regulatory authorities upon request.

Importers must inform the provider of the high-risk AI system, the authorized representative and market surveillance authorities when it presents a risk to the health, safety or fundamental rights of persons within the meaning of Article 79(1).

Importers are obligated to provide the relevant competent authorities with all necessary information and documentation related to the AI system, including technical information, upon reasoned request. They must also cooperate with relevant competent authorities on any action they take regarding a high-risk AI system the importers placed on the market to reduce and mitigate the risks it poses.

Before making a high-risk AI system available on the market, distributors are required to verify that the system conforms with the AI Act. Distributors must verify that AI systems bear the CE marking and are accompanied by a copy of the EU declaration of conformity and instructions of use. They also need to ensure providers and importers have complied with their respective obligations, including conformity assessments.

While a high-risk AI system is under their responsibility, distributors must ensure the storage or transport conditions applied to such AI do not jeopardize their compliance with the requirements under Section 2, Chapter III of the AI Act.

Furthermore, based on the information in its possession, when a distributor believes a high-risk AI system does not comply with the requirements, it must not make the system available on the market until it complies. Presumably, the provider of the AI system will ensure compliance.

If the system has already been placed on the market, the distributor must take any corrective action needed to bring it into compliance, withdraw it, recall it or ensure the provider, importer or relevant operator takes corrective actions.

When a distributor believes a high-risk AI system that does not comply with Section 2, Chapter III of the AI Act presents a risk to the health, safety or fundamental rights of persons within the meaning of Article 79(1), it must inform the provider or the importer of the AI system before it is placed on the market. If the AI system has already been placed on the market, the distributor must immediately inform the provider or importer of the AI system and the relevant competent authorities of the member states, providing the details of noncompliance and any corrective actions taken.

Distributors must provide the relevant competent authorities with all necessary information and documentation regarding the distributor's actions to demonstrate the system's conformity with Chapter III, Section 2 of the AI Act, upon reasoned request. Distributors must cooperate with relevant competent authorities in actions regarding the high-risk AI systems they have made available on the market, in particular to reduce and mitigate their risks.

Authorized representatives must hold a written mandate from the provider specifying their tasks and responsibilities. They must also provide a copy of the mandate to market surveillance authorities upon request.

Pursuant to this mandate, the authorized representative is required to carry out the following tasks based on the steps below.

The authorized representative must verify the EU declaration of conformity, the technical documentation referred to in Article 11, has been drawn up and the provider has carried out an appropriate conformity assessment procedure. Further, when a provider has registered a high-risk AI system in the EU database referred to in Articles 49 and 71, the authorized representative must verify that the information referred to in Point 3 of Section A of Annex VIII is correct.

Authorized representatives are obligated to terminate the mandate with a provider if they believe or have reason to believe the provider is acting contrary to its obligations pursuant to the AI Act. When applicable, the authorized representative must register the high-risk AI system in the EU database, per Articles 49 and 71, unless the provider has already done so.

The authorized representative must keep the provider's contact details, a copy of the EU declaration of conformity, the technical documentation and the certificate issued by the notified body, when applicable, for 10 years after the high-risk AI system is placed on the market or put into service.

When the authorized representative decides to terminate the mandate with a provider, it must immediately inform the relevant market surveillance authority and the notified body, when applicable, including its reasons for doing so.

The authorized representative must act as the point of contact for national authorities within the EU. They must provide the competent authorities with documentation and information necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter III, Section 2 of the AI Act, including access to the logs, upon reasoned request. Also upon reasoned request, the authorized representative must cooperate with competent authorities on any action they may take about the high-risk AI system, in particular, to reduce and mitigate the risks it poses.