The EU AI Act’s high-risk obligations, including Article 26 deployer duties, become applicable on August 2, 2026 under the current legal text. The 7 May 2026 Digital Omnibus on AI provisional agreement will likely defer those dates to December 2027 and August 2028. Either way, anyone running an AI agent that calls MCP servers for high-stakes decisions is likely a deployer of a high-risk AI system. That covers employment, credit, education, critical infrastructure, and public-service workflows. So the MCP layer is part of the audit surface. This post is the procurement-grade reference for Article 26. It also maps MCP servers to the risk-tier map and gives the checklist a CISO or DPO needs before signing.
The compliance clock is now 90 days, give or take. On August 2, 2026, the high-risk system obligations under Articles 8 to 17 of the EU AI Act become enforceable for providers. That’s under the current legal text. At the same time, the Article 26 deployer obligations attach for any organisation using those systems professionally.
However, the 7 May 2026 Digital Omnibus on AI provisional agreement could change those dates. If formally adopted before 2 August 2026, it would defer stand-alone Annex III high-risk obligations to 2 December 2027. It would also defer Annex I embedded-system obligations to 2 August 2028. Either way, the architecture matters more than the date. Most of the decisions that determine whether a company is ready happen in the connector and MCP layer.
The current SERP for “EU AI Act MCP” is dominated by developer blogs and law-firm explainers. Right now, there’s no vendor-grade pillar that ties three things together. Those three things are the protocol layer (MCP), the regulatory layer (Article 26), and the architectural layer (where the agent’s data actually lives). That’s the gap this post closes. It builds on the data-residency and audit-logging arguments in the cross-source MCP cornerstone and the Peliqan MCP product page. Furthermore, it goes deep on the Article 26 obligations every deployer should already be auditing for.
The EU AI Act timeline, in plain English
The original timeline
The Act entered into force August 1, 2024. The obligations then phased in over two years. The most important date for anyone running an MCP server is August 2, 2026. That’s when the high-risk obligations and Article 26 deployer duties become fully applicable. It also lines up with conformity assessments, technical documentation, CE marking, and EU database registration for high-risk providers.
How the Digital Omnibus on AI changes things
However, the 7 May 2026 Digital Omnibus on AI provisional agreement reshuffles those dates if formally adopted in time. So procurement teams should plan for the original timeline. Then treat any deferral as a windfall.
The dates that matter
For procurement, the practical answer is the same either way. Assume the original August 2026 date holds, build for it, and treat any deferral as a windfall. That’s how every compliance officer with skin in the game is planning today.
What Article 26 actually requires of MCP deployers
Article 26 is the deployer-side counterpart to the provider obligations in Articles 8 to 17. A “deployer” under the Act is any natural or legal person using an AI system under its authority in a professional capacity. In practice, that means any organisation running an MCP-connected agent that touches high-risk use cases. Natural persons using AI for personal, non-professional activity, however, are excluded.
Article 26 contains twelve numbered paragraphs in total. Six of those drive most of the operational work for an MCP deployer. Each maps to a concrete artefact the deployer needs to produce on demand. Notably, the Fundamental Rights Impact Assessment lives in a separate, paired article, Article 27, and is covered in its own section further down.
1. Use the system in line with the provider’s instructions
First, deployers must operate the AI system in accordance with the documented instructions of use that accompany it. For an MCP context, that means the agent runtime must enforce the scopes and limits the upstream provider has declared. So it should not be a soft guideline, but a hard configuration the platform can attest to.
2. Assign human oversight to competent natural persons
Next, the deployer has to name a human reviewer, document their training, authority, and escalation route. The deployer must also prove the reviewer has the support they need to intervene. So the auditable artefact has four parts. They are the named reviewer, the decision authority, the intervention trigger, and the record of what happens when the AI system behaves abnormally. An MCP setup that doesn’t expose human-in-the-loop gates at the writeback layer therefore fails this obligation by default.
3. Ensure input data is relevant and representative
To the extent the deployer controls input data, that data has to be relevant and sufficiently representative for the intended purpose. In a warehouse-first MCP architecture, this becomes a question about the sync configuration. Specifically, which tables are exposed, which columns are masked, and which historical depth is preserved. For example, the Postgres MCP setup guide walks through the row-level and column-level controls that satisfy this obligation in practice.
4. Keep automatically generated logs
Deployers must retain logs generated by the AI system for at least six months, to the extent those logs are under their control. However, applicable Union or national law (in particular GDPR) can provide otherwise.
In practice, the log surface for an MCP server is broad. It includes every prompt, every translated SQL statement, every tool call, and every reverse-ETL writeback. The AI session ID and the human reviewer should attach to each entry. This sits in addition to whatever the high-risk AI system itself automatically generates. The Peliqan permissions help doc describes the role-based access controls and audit log structure that map directly onto this requirement.
5. Notify and inform affected people
Where the high-risk AI system is used in the workplace, deployers must inform workers’ representatives and the affected workers. This notice must come before the system is put into use. Furthermore, deployers must inform any natural person subject to a decision taken or assisted by the high-risk AI system. So for an MCP-driven HR or credit workflow, three artefacts matter. They are the disclosure copy, the notification timestamp, and the record of who received it.
6. Cooperate with national competent authorities
Finally, deployers must inform providers and authorities of incidents, malfunctions, or risks the system creates. They must also cooperate with the national competent authorities on any action taken in relation to the high-risk AI system. The artefact here is an incident-response playbook that names the timelines, the channels, and the people. Meanwhile, the MCP platform’s role is producing the evidence package on demand.
Where MCP use cases sit on the risk-tier map
Most MCP business workflows are not, in themselves, high-risk under the Act. Customer-service chatbots, product recommendation systems, and general personalisation algorithms typically fall under the lighter Article 50 transparency obligations. For example, the obligation might mean disclosing that a user is interacting with an AI system. That’s lighter than the full Article 26 deployer stack.
However, there’s an important exception. Personalisation used to rank job candidates, score creditworthiness, determine access to essential services, or assist law enforcement re-enters Annex III scope. So in those cases, the full deployer stack applies.
The Annex III categories that trigger high-risk status
High-risk systems are the ones listed exhaustively in Annex III. These categories include biometrics, critical infrastructure, education, employment and HR decisioning, essential services access, law enforcement, migration, and the administration of justice.
The three risk tiers and where typical MCP workflows sit
- Prohibited (Article 5): Never deploy via any MCP server. Manipulative or vulnerability-exploiting AI, social scoring, predictive policing by profiling alone, untargeted facial-image scraping, workplace and education emotion recognition, sensitive-attribute biometric categorisation, real-time remote biometric identification in public spaces for law enforcement.
- High-risk (Annex III, full Article 26 applies): HR decisioning via CV-screening on Notion or Workday MCPs, credit scoring with CRM plus bureau data joined through an MCP, biometric verification, critical-infrastructure operations, public-service eligibility, education access decisions.
- Limited or minimal risk (lighter transparency obligations): Most internal RevOps, CFO analytics, customer-success triage, marketing operations, and developer productivity workloads. Disclosure to the affected user is the headline obligation. Most of the MCP use cases inside the Claude MCP playbook sit here.
Why the risk-tier map matters for procurement
The risk-tier map matters for procurement because the answer changes the obligation set. Therefore, the architecture has to support whichever tier the deployment falls into.
For instance, a warehouse-first MCP that supports column-level masking, audit logging, and human-in-the-loop gates by default can serve all three tiers without architectural rework. On the other hand, an MCP server that exposes raw API actions with no log surface and no masking is limited. It can only serve the minimal-risk tier. Furthermore, that’s only true until the first scope creep.
The procurement checklist for MCP servers under Article 26
This is the strongest IP a CISO or DPO can take into the vendor conversation. So if the vendor cannot answer all six of these with documented evidence, the procurement should stop or shift to a vendor that can.
Six questions to ask every MCP vendor
The CLOUD Act paragraph that ends most US-hosted procurement
The 2018 US CLOUD Act, plus its amendments, requires US-headquartered service providers to disclose customer data to US authorities. This applies regardless of where the data physically sits. So it includes data held in Frankfurt, Dublin, Stockholm, or Amsterdam regions of AWS, GCP, and Azure.
A statutory provider-challenge mechanism does exist where disclosure would conflict with a qualifying foreign government’s laws. However, in practice it is narrow and slow.
Which MCP vendors carry CLOUD Act exposure
Composio (US), Pipedream (US, now a Workday subsidiary after the November 2025 acquisition), Zapier (US), Workato (US), Boomi (US), and CData (US) are all US-headquartered. As a result, their corporate entities remain CLOUD Act-reachable. This holds regardless of which AWS, GCP, or Azure region hosts EU customer data.
Apideck is Belgium-headquartered (Antwerp). However, its default production infrastructure has historically run on US hyperscaler regions, which carries the same CLOUD Act exposure at the sub-processor layer. For this reason, the European Commission has actively considered restricting US cloud providers from processing sensitive government data.
The structural answer for EU deployers
The structural answer is EU-headquartered, EU-hosted, EU-jurisdiction MCP infrastructure. Today, Peliqan (Belgium HQ, EU-hosted) and self-hosted n8n (Berlin HQ, run-anywhere) are the two clean answers in the current vendor map.
For deployers who need a managed service and a vendor relationship rather than a self-host, that narrows the field considerably. So that’s why the Article 26 procurement checklist starts with the jurisdiction question and works down.
Decision framework by industry
How urgency maps to industry
- EU public sector adjacent (govtech, education, public-service eligibility): EU-headquartered MCP non-negotiable. FRIA almost always applies. Annex III scope hits hardest here.
- Financial services: DORA already enforceable since January 17, 2025. Operational resilience plus Article 26 plus Member State sectoral rules. Sovereign-cloud MCP is the only safe answer.
- Healthcare-adjacent: NIS2, HIPAA-equivalent infrastructure, plus Article 26 for any clinical-decision-support tool. EU hosting plus a documented DPA is the minimum.
- HR and recruitment SaaS: Annex III high-risk applies to CV screening and employment decisions. Even SMEs running off-the-shelf tools owe the full Article 26 stack (human oversight, logs, candidate disclosure).
- Standard EU SMB and mid-market: Limited or minimal risk for most internal workflows. EU hosting is strongly recommended. Vendor compliance posture matters at the next SOC 2 renewal and any cyber-insurance review.
- US-only customer base: Less urgency under the EU AI Act. However, if you plan to expand into the EU, lock in the EU posture at the architectural layer now. That’s much cheaper than retrofitting in 2027.
Comparing eight MCP platforms on Article 26 readiness
Ratings reflect each vendor’s public posture as of May 2026. Therefore, you should re-verify them during procurement against the current Data Processing Agreement and sub-processor list. Article 26 readiness aggregates EU jurisdiction, audit-log surface, masking capability, and the breadth of attestations. So it’s not a single binary check, it’s a weighted scorecard.
Where the FRIA actually lands (Article 27, not Article 26)
The Fundamental Rights Impact Assessment lives in Article 27 of the AI Act. So it’s a separate provision that pairs with Article 26 but imposes its own narrower scope.
When a FRIA is mandatory
A FRIA is required where the deployer is a public body or private entity providing public services using an Annex III system. It’s also required for credit scoring (Annex III point 5(b)). The same applies for risk assessment and pricing in life and health insurance (Annex III point 5(c)).
For example, an SME running an AI CV-screening tool is a deployer of a high-risk system under Annex III point 4. So it owes the full Article 26 stack. That stack covers human oversight, logs, and candidate disclosure. However, Article 27 does not require it to run a formal FRIA. That’s because CV-screening is not on the Article 27(1) FRIA-mandatory list. The line matters because the FRIA artefact takes weeks to produce properly. Furthermore, getting the scope wrong is more expensive than not running the AI in the first place.
What the FRIA artefact looks like in practice
The FRIA documentation requirement covers several areas. These include the intended use, the affected populations, and the foreseeable risks to fundamental rights. It also covers the human oversight measures, the complaints handling, and the mitigation steps.
For an MCP-deployed AI agent, the FRIA artefact is typically a structured document of around 20 to 40 pages in practice. However, the AI Office has not yet published a standardised template. So length depends on the depth of the affected-rights analysis. None of that is unreasonable. What makes it hard is producing it from a vendor stack that wasn’t designed to generate the artefacts in the first place. In contrast, a warehouse-first MCP with native masking, audit logs, and RBAC simplifies the work. It turns the FRIA from a six-week scramble into a two-week assembly job.
The cost of getting it wrong
Article 99 penalties for breach of Article 26 or Article 27 deployer obligations run up to EUR 15,000,000. The alternative cap is 3% of worldwide annual turnover, whichever is higher. Meanwhile, breaches of the Article 5 prohibitions carry the higher tier of up to EUR 35,000,000 or 7%. SMEs and start-ups, however, are subject to the lower of the two amounts in each tier.
What changes for the financial-services and healthcare deployer
Two regulatory regimes intersect with the EU AI Act in 2026. First, DORA for financial services (enforceable since January 17, 2025). Second, NIS2 for essential and important entities.
EIOPA’s DORA page sets out the operational-resilience expectations on banks, investment firms, crypto-asset service providers, and crowdfunding platforms. On top of that, the AI Act adds the deployer obligations. So in practice, a CISO at a regulated EU financial entity in 2026 is reading both regimes side by side. They’re also looking for vendor stacks that satisfy both at once.
The same posture applies in healthcare and clinical decision support. For example, the MEWS hospitality MCP playbook covers a useful intersection. It pulls together GDPR, PCI DSS, and the EU AI Act where guest data flows through the AI agent layer. Although the playbook focuses on hospitality, the architectural patterns transfer cleanly. They apply to any regulated vertical that needs EU residency, column-level masking, and audit-logged writeback.
Peliqan’s posture on Article 26
We built the platform EU-hosted, GDPR-native, and warehouse-first from day one. So the procurement-checklist questions in the previous sections all have prebuilt answers rather than retrofitted ones.
The Peliqan Trust Center publishes the SOC 2 Type II report, the ISO 27001 progress, and the sub-processor list. Meanwhile, the Peliqan platform architecture covers the warehouse, the federated query engine, and the audit-log surface that produces the artefacts Article 26 demands.
What each Article 26 obligation maps to in the Peliqan stack
The connector-specific MCP pages inherit the same posture by default. For example, the Exact Online MCP server, the AFAS MCP server, and the Teamleader MCP server all share it. So the procurement conversation never has to be repeated per connector.
An Article 26-ready setup, end to end
For a deployer planning the August 2 deadline backwards from today, the steps look like this. None of them are theoretical. Every one has a concrete artefact at the end.
Step 1: Classify the AI use case against Annex III
First, classify the AI use case against Annex III. If it’s HR decisioning, credit assessment, or public-service eligibility, you owe the full Article 26 stack. The same applies to education access and the other Annex III categories. You’ll also owe an Article 27 FRIA if you sit in the narrower scope.
On the other hand, if it’s standard internal RevOps, finance, or marketing analytics, the lighter Article 50 transparency obligations apply. Either way, the architectural answer is the same.
Step 2: Audit the MCP vendor against the six-question checklist
Next, audit the MCP vendor against the six-question checklist. So that’s EU jurisdiction, audit log of read and writeback, sub-processor chain, column-level masking, granular RBAC for human oversight, and attestations. For reference, the Snowflake MCP governance reference walks through what an enterprise-grade answer to each looks like.
Step 3: Document the artefacts
Third, document the artefacts. This includes the named human reviewer with their training record, the role-based access control matrix, the log retention schedule, and the incident-response playbook. Furthermore, you’ll need the FRIA if Article 27 applies. For minimal-risk use cases, you’ll need the disclosure copy that goes to the affected user.
Step 4: Plug into the existing audit-evidence cycle
Finally, plug into the audit-evidence cycle that already exists for SOC 2 and ISO 27001 renewals. The same artefacts that satisfy Article 26 cover 80% of what the SOC 2 auditor wants at renewal. So investing in the EU AI Act readiness work also pays down the next SOC 2 cycle and the next cyber-insurance review.
Real-world example: CIC Hospitality
CIC Hospitality consolidated 50+ data sources into Peliqan’s EU-hosted warehouse. The team then ran AI workloads through one MCP server with role-based access control and column-level masking. As a result, they report more than 40 hours per month saved on board reporting that used to require manual joins. Furthermore, the same audit-log surface that supports the board pack feeds the SOC 2 evidence cycle and the EU AI Act log-retention obligation. Read the full CIC Hospitality case study.
The bottom line on EU AI Act and MCP
Article 26 is not an existential threat to most MCP deployments. Instead, it’s an organisational discipline applied at the architectural layer.
The deployers who will pass their first August 2026 audit chose carefully. They picked their MCP server based on jurisdiction, audit log, masking, RBAC, and attestation strength. So they didn’t pick it based on tool count or pricing footnote.
Meanwhile, the deployers who’ll scramble picked an MCP server because Claude could call it on day one. Then, six months later, they discovered problems. The audit log doesn’t reconstruct cross-source questions. The sub-processor list isn’t published. Furthermore, the EU region of a US hyperscaler still answers to the CLOUD Act.
The cheaper architectural decision
Therefore, the cheaper architectural decision is making the right call now. Connect to the warehouse-first MCP, document the artefacts, plug them into the SOC 2 cycle, and move on.
The next year of agentic work will compound on whatever foundation you set in May 2026. So Article 26 is one of the few cases where the regulatory deadline and the architectural best practice point in exactly the same direction.
This post is for informational purposes and is not legal advice. Article references reflect the consolidated text of Regulation (EU) 2024/1689 as of May 2026. They also reflect the 7 May 2026 Digital Omnibus on AI provisional agreement, which had not yet been formally adopted at the time of writing. For advice specific to your deployment, consult qualified counsel.
