MAY 2026 · ANNEX TO INDEPENDENT RESEARCH
Annex A — The Deployer Multiplier.
Three downstream segments where the AI Act cascade becomes visible — and what each deployer produces between recognition and August 2, 2026.
3 segments · Art. 25, 26, 27 deployer cascade · Drafting period April 15 – May 5, 2026
22 pages · A4 · 1.3 MB · In English
HEADLINE
Most deployers do not know they are deployers
More than 3,500 European organizations are already identifiable as deployers exposed to Article 26 — drawn from the publicly stated client counts of just four named high-risk providers in the parent report's sample. Across the 37 high-risk providers screened, the realistic order of magnitude is in the tens of thousands. EU-wide, the figure runs into the hundreds of thousands. Most do not know they qualify as deployers under the AI Act.
The annex analyses three segments in turn. Segment 1 — HRTech deployers (HR directors and CHROs of medium-to-large EU employers) trigger Annex III §4. Segment 2 — Healthcare deployers (hospitals, clinics, private practices using AI scribe applications) trigger Article 6(1) via the MDR/IVDR safety-component pathway; Article 27 FRIA does not apply but Article 26 §1, §2, §5, §6, §9, §12 do. Segment 3 — Retail-banking deployers (EU credit institutions using third-party scoring AI) trigger Annex III §5(b) and Article 27 FRIA automatically by activity.
Each segment receives a path-to-discovery model (four trigger types: incident, supervisor, contract, internal audit), an active Article 26 paragraph subset, an Article 27 FRIA logic, an Article 25 reverse-bascule check, and a wake-up event archetype. Cross-segment patterns name the shared base cascade and the asymmetries between segments. The cascade is dated by design — Article 26 §1–§12, Article 27 (where applicable), Article 49 and Article 50 become binding August 2, 2026.
METHODOLOGY NOTE
What this annex develops
This annex is a single volume that develops §3.1 ("The Deployer Multiplier") of the parent EU AI Act Readiness Report (April 2026). It does not re-screen any of the fifty providers in the parent's §6. It does not produce sector aggregates that overlap the parent's §6.1–6.4. The unit of analysis here is the deployer segment, not the provider firm.
Three segment profiles are constructed for illustrative purposes. The HRTech segment in particular is illustrated typologically, owing to the absence of public registers of HR-AI deployers in the European Union. No specific employer, hospital, clinic, credit institution, or other organization is identified by name in this annex; the descriptors used are drawn from publicly disclosed information about the relevant sectors and from the parent report's §6 sector breakdown.
The Digital Omnibus on AI is in ongoing trilogue (trilogue 2 closed without agreement on April 28, 2026; trilogue 3 scheduled May 13, 2026). This annex treats August 2, 2026 as the binding deadline. Any Omnibus-driven extension is treated as bonus runway, not as an active premise. The status reported reflects publicly available information as of May 5, 2026 and may evolve before final adoption.
What this annex is — and is not
This annex is not legal advice. It is not a conformity assessment under Article 43 AIA. It is not a certification of any kind. It is not a substitute for sector-specific guidance (MDCG for medical devices, EBA for banking, national employment law for HR). Specific classifications for any specific deployer require a tailored screening. Organizations recognising themselves in one of the three segments should consult qualified legal counsel and, where applicable, the relevant sector supervisor or Notified Body before making compliance decisions.
WHAT THIS ANNEX CONTAINS
Twelve sections, three segments, three figures
- §0
Scope notes — pivot from provider screening to deployer cascade, segment selection, anonymisation, parent reconciliation, Digital Omnibus contingency
- §1
Framing — the downstream multiplier (silence is not absence; three orders of magnitude; three business consequences; the three segments)
- §2
Method — the path-to-discovery model (four trigger types: incident, supervisor, contract, internal audit; Article 25 reverse-bascule check)
- §3
Article 26 §1–§12 deployer obligations reference (operational duties decomposed paragraph by paragraph)
- §4
Segment 1 — HRTech deployers (Annex III §4): profile, trigger, path-to-discovery, active Article 26 subset, Article 27 FRIA logic, Article 25 reverse-bascule, wake-up archetype
- §5
Segment 2 — Healthcare deployers (Article 6(1) via MDR/IVDR): same six-step decomposition; Article 27 FRIA inapplicability and what replaces it
- §6
Segment 3 — Retail-banking deployers (Annex III §5(b)): same decomposition; Article 27 FRIA automatic by activity; SCHUFA precedent integration
- §7
Cross-segment patterns — shared base cascade, dominant trigger map, provider-vs-deployer self-classification confusion, Article 25 reverse-bascule rate, asymmetric silence propagation
- §8
From multiplier to action — four operational outputs (Article 26 paragraph map, FRIA scope memo, Article 25 boundary log, Article 49 EU-database registration)
- §9
Positioning — what this annex contributes to the European deployer literature
- §10
References — primary sources (OJ L, MDCG, EBA, CJEU SCHUFA C-634/21) and secondary sources (Digital Omnibus trilogue reporting)
- §11
Limitations — illustrative segments, Digital Omnibus volatility, sample inheritance from parent report
- §12
Document metadata — version, DOI placeholder, license CC BY 4.0, suggested citation, OpenTimestamps proof, errata channel
Three figures embedded in the annex
Figure 1 — Deployer-cascade timeline (April 12 parent → May 5 annex → August 2, 2026 binding) with Digital Omnibus contingency window and trilogue events
Figure 2 — Three deployer segments at a glance (matrix: profile × AI Act gate × FRIA × dominant trigger × companion regime)
Figure 3 — Article 25(1)(b) reverse-bascule (healthcare worked example): BEFORE → TRIGGER → two parallel tests (AI Act Art. 3(23) + MDR Art. 120(3)) → AFTER
PARENT REPORT
This annex develops §3.1 of the parent report
The April 2026 EU AI Act Readiness Report identified that the regulatory exposure of European AI providers does not stop at the provider — it cascades onto the deployer. This annex names the three downstream segments where that cascade is most visible: HRTech, Healthcare, and Retail-banking deployers.
Read the parent reportINDEXED RESEARCH
Verify this annex in the public registry
This annex is indexed as an official Sprinkling Act research document. You can verify it at any time from the public AI Act registry by looking up the badge code below.
Badge code
SA-REPORT-ANNEX-A-2026-05
CRYPTOGRAPHIC TIMESTAMP
Independently verifiable date — anchored on Bitcoin
This annex is cryptographically timestamped via OpenTimestamps. The timestamp was created on May 5, 2026 and is attested by four independent calendar servers (Eternity Wall, Catallaxy, Alice OpenTimestamps, Bob OpenTimestamps), with the calendar commitments anchored on the Bitcoin blockchain. Anyone can verify the annex's integrity and date without contacting Sprinkling Act.
How to verify
- Download the annex PDF below.
- Download the matching .ots proof.
- Install the OpenTimestamps client: pip3 install opentimestamps-client
- Run: ots verify eu-ai-act-readiness-report-annex-a-may-2026.pdf.ots — the client returns the calendar attestations and Bitcoin block confirmation.
APPLY IT TO YOUR OWN POSITION
Are you a deployer under the AI Act?
The 9-question diagnostic identifies whether you trigger Article 26, 27, 49 or 50 obligations as a deployer. 60 seconds. Zero data collected.
Run the free diagnosticUSAGE
This annex is free to download, share, and reference with attribution. A permanent URL is provided above. If you cite it in a compliance note, a board deck, or a regulatory discussion, we simply ask that you link back to this page so readers can reach the full document.