EU AI Act – Deployer Only Certification Scheme v1.5

⚡ Quick Summary

The Deployer Only Certification Scheme v1.5 offers a structured approach for organizations that deploy AI systems but are not involved in their development. Built around the obligations outlined in Article 24 of the EU AI Act, it translates legal mandates into auditable controls, creating a pathway for deployers to demonstrate compliance. The scheme emphasizes proportionality, modularity, and verifiability, and it integrates risk management, data governance, and human oversight. This version also clarifies the use of conformity indicators, introduces optional risk-mitigation controls, and aligns with global standards like ISO 42001.

🧩 What’s Covered

The document begins by positioning the scheme within the EU AI Act compliance landscape, noting that Article 24 allows voluntary certification for high-risk AI deployers. The scheme is designed for those who only deploy, not develop, AI systems. It identifies four major thematic areas:

Governance and Accountability
Human Oversight and Use Phase Risk Management
Transparency and Information
Incident Response and Monitoring

For each area, it lays out both mandatory and optional controls. These controls are organized using a matrix structure (see Tables 1–5 on pages 14–18) that includes the control identifier, a short description, rationale, references to the EU AI Act, and links to other frameworks like ISO 42001 or NIST AI RMF. The scheme includes ‘conformity indicators’ (e.g., policies, procedures, logs, evidence of training), making the certification auditable.

The annex includes a full mapping to Article 24 (Annex I) and a glossary (Annex II). Certification aims to be both product-agnostic and organization-specific, promoting flexibility for different sectors and AI system types.

💡 Why it matters?

This scheme fills a critical gap: most AI governance efforts have centered on providers (developers), while deployers—who ultimately shape how AI is used in practice—have often lacked tailored compliance tools. The scheme operationalizes deployer responsibilities in a way that is understandable, implementable, and certifiable. It aligns with international standards, easing the burden for global companies. By focusing on practical controls (e.g., user training, risk registers, documented overrides), it supports real-world accountability. For companies preparing for the EU AI Act’s full enforcement, this scheme offers an early compliance and market differentiation opportunity.

❓ What’s Missing

No auditing methodology: While conformity indicators are suggested, there’s little guidance on how certification bodies should conduct evaluations.
No sector-specific tailoring: The scheme is intentionally general, which may limit its practical utility in high-risk fields like healthcare or finance.
Limited guidance on SMEs: Although proportionality is emphasized, practical examples for small organizations are lacking.
No public registry model: There is no discussion of how certified deployers could be listed or recognized by EU authorities or the public.