Who must provide the explanation under Article 86, the provider or the deployer?

The explanation obligation under Article 86 sits on the deployer. The deployer is the entity that takes the decision on the basis of the AI system's output and that has the relationship with the affected person. The provider's obligation is to supply the deployer with the instructions for use and the transparency information under Article 13 that make a meaningful explanation possible, but the legal duty to respond to an affected person's request is the deployer's. A deployer cannot discharge the obligation by pointing the affected person to the provider.

How does Article 86 relate to GDPR Article 22 and the right to explanation under data protection law?

Article 86 of the AI Act is distinct from but complementary to Article 22 of the General Data Protection Regulation. Article 22 GDPR governs solely automated decision-making with legal or similarly significant effects and gives a data subject the right to meaningful information about the logic involved. Article 86 of the AI Act applies more broadly to decisions taken on the basis of the output of a high-risk AI system, including decisions where a human is in the loop, and it places the duty squarely on the deployer. Recital 171 of the AI Act states that the Article 86 right should be without prejudice to the GDPR. Where both apply, a deployer should treat them as cumulative obligations rather than alternatives.

What must a deployer actually include in an Article 86 explanation?

Article 86(1) requires the deployer to provide clear and meaningful explanations of two things: the role of the AI system in the decision-making procedure, and the main elements of the decision taken. In practice this means explaining whether the AI output was advisory or determinative, what inputs and factors the system considered, how the output fed into the final decision, the extent of human involvement, and the principal reasons the decision went the way it did for that individual. The explanation must be comprehensible to the affected person, not a technical model description, and it must be specific to the individual decision rather than a generic statement about the system.

EU AI Act · Article 86

EU AI Act Article 86: the right to explanation of individual decision-making, a deployer guide

Q: What does Article 86 of the EU AI Act require?

Article 86 of Regulation (EU) 2024/1689 gives any affected person who is subject to a decision taken by a deployer on the basis of the output of a high-risk AI system listed in Annex III, and which produces legal effects or similarly significantly affects that person in a way they consider to adversely impact their health, safety, or fundamental rights, the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken. The duty sits on the deployer, not the provider, and the right is exercised on request by the affected person.

Q: When does the Article 86 right to explanation apply?

Article 86 applies from 2 August 2026, the date on which the main body of high-risk AI obligations under Regulation (EU) 2024/1689 becomes applicable under the Article 113 phased timeline. The right applies only to decisions based on high-risk AI systems listed in Annex III, with the exception of systems listed under point 2 of Annex III, which covers AI used as a safety component in the management of critical digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity. The right also applies only to the extent it is not already provided for under other Union law.

Q: What is the penalty for failing to comply with Article 86?

Failure to comply with deployer obligations under Regulation (EU) 2024/1689, including the Article 86 explanation duty, falls within the penalty band of Article 99 for breaches of obligations other than the prohibited practices in Article 5. National market surveillance authorities can impose administrative fines of up to EUR 15 million or 3 percent of total worldwide annual turnover for the preceding financial year, whichever is higher. Beyond regulatory fines, an inability to produce an explanation is evidentially damaging in civil disputes and in fundamental rights complaints, because it suggests the deployer cannot demonstrate how a contested decision was reached.

By Future Proof Intelligence · 13 June 2026 · 12 minute read

Most of the EU AI Act regulates the AI system: how it is built, documented, assessed, and monitored. Article 86 regulates the relationship between the deployer and the human being on the receiving end of a decision. It gives any person significantly affected by a decision made on the basis of a high-risk AI system the right to ask the deployer why, and to receive a clear and meaningful answer. Crucially, the duty does not sit on the provider who built the model. It sits on the deployer who used the output to make the call. This guide explains exactly what the right covers, the categories of system it reaches and the one it excludes, how it relates to the older right to explanation under the GDPR, what a compliant explanation actually contains, and how to stand up an explanation procedure before the obligation becomes applicable on 2 August 2026.

Key takeaways

Article 86 of Regulation (EU) 2024/1689 gives an affected person the right to obtain, from the deployer, clear and meaningful explanations of the role of a high-risk AI system in a decision and the main elements of that decision, where the decision produces legal effects or similarly significantly affects the person.
The duty sits on the deployer, not the provider. The provider's job is to supply, through the Article 13 instructions for use, the information the deployer needs to construct an explanation. The provider does not answer affected-person requests.
The right applies to high-risk systems listed in Annex III with one carve-out: it does not apply to Annex III point 2, which covers AI used as a safety component in critical digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity.
Article 86 is distinct from but cumulative with Article 22 of the GDPR. Article 22 GDPR covers solely automated decisions; Article 86 reaches decisions made on the basis of AI output even with a human in the loop, and recital 171 states it applies without prejudice to the GDPR.
The obligation becomes applicable on 2 August 2026 under the Article 113 phased timeline. Non-compliance falls in the Article 99 band of up to EUR 15 million or 3 percent of worldwide annual turnover, whichever is higher.

What Article 86 actually says

Article 86 of Regulation (EU) 2024/1689 is titled "Right to explanation of individual decision-making." It sits in Chapter IX of the Regulation, alongside the post-market monitoring and market surveillance provisions, which signals that the legislature treats it as part of the accountability layer that operates after a system is deployed rather than as a pre-market design requirement.

Article 86(1) sets out the core right. Any affected person who is subject to a decision which is taken by the deployer on the basis of the output from a high-risk AI system listed in Annex III, with the exception of systems listed under point 2 of that Annex, and which produces legal effects or similarly significantly affects that person in a way that they consider to have an adverse impact on their health, safety, or fundamental rights, has the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

Article 86(2) contains a limitation: paragraph 1 applies only to the extent that the right is not otherwise provided for under Union law. This is the provision that prevents Article 86 from duplicating or conflicting with explanation rights that already exist under instruments such as the GDPR or sector-specific consumer credit law.

Article 86(3) preserves the position that the right applies only where it is not already covered by exceptions from, or restrictions to, the obligation that follow from Union or national law in compliance with Union law. In practice this matters most where law enforcement or national security frameworks restrict what can be disclosed.

The right sits on the deployer, and that is the point

The most important structural feature of Article 86 is that the obligation is the deployer's. Throughout most of the Regulation, the heaviest duties fall on the provider who builds and places the system on the market. Article 86 inverts that. The person who must answer the affected individual is the deployer, because the deployer is the one who took the decision and who holds the relationship with the affected person.

This is deliberate. A bank using a third-party credit-scoring model, a recruiter using an AI screening tool, an insurer using an automated underwriting system: in each case the affected person interacts with the deployer, not the model vendor. Article 86 routes the explanation duty to the party the affected person can actually reach. A deployer cannot satisfy the obligation by telling a rejected applicant to contact the software vendor.

This creates a direct operational dependency on the provider, but a dependency the deployer must manage rather than escape. The deployer can only produce a meaningful explanation if the provider has supplied adequate transparency information. That information flows through the Article 13 transparency obligations and the instructions for use. A deployer that signs a procurement contract without securing the right to receive explanation-grade information from the provider has accepted a compliance gap it will have to close at the worst possible moment, when a complaint has already arrived.

Which systems trigger the right, and the one carve-out

Article 86 applies to decisions made on the basis of high-risk AI systems listed in Annex III of the Regulation. Annex III contains eight categories. The table below maps those categories against whether the Article 86 explanation right reaches decisions made on the basis of systems in each category.

Annex III category	Typical deployer decisions	Article 86 right applies
Point 1: Biometrics	Identity verification, categorisation	Yes
Point 2: Critical infrastructure	Safety-component control of water, gas, electricity, road traffic, digital infrastructure	No (excluded by Article 86)
Point 3: Education and vocational training	Admissions, assessment, exam scoring	Yes
Point 4: Employment and worker management	Recruitment screening, promotion, task allocation, termination	Yes
Point 5: Essential private and public services	Credit scoring, benefits eligibility, insurance pricing and underwriting	Yes
Point 6: Law enforcement	Risk assessment, evidence evaluation	Yes, subject to Article 86(3) restrictions
Point 7: Migration, asylum, border control	Visa and asylum risk assessment	Yes, subject to Article 86(3) restrictions
Point 8: Administration of justice and democratic processes	Assisting judicial decision-making	Yes

The carve-out for Annex III point 2 is logical: a decision by a grid-balancing system or a road-traffic safety component does not produce an individualised legal effect on a named person in the way that a loan rejection or a recruitment filter does. The same carve-out applies to the Article 27 fundamental rights impact assessment, which also exempts Annex III point 2. The provider and deployer duties under Chapter III, Section 2, meaning the requirements in Articles 9 to 15, continue to apply to point 2 systems; it is only the individualised accountability rights that fall away.

Two thresholds: significant effect and adverse impact

Article 86 does not give every person touched by an AI system a right to an explanation. Two thresholds must be met.

The decision must produce legal effects or similarly significantly affect the person. This language mirrors Article 22 of the GDPR. A legal effect is something that changes the person's legal position: the grant or denial of a benefit, a contract, a licence, admission to a programme. A similarly significant effect is one that has a comparable impact without being strictly legal in nature, such as automated rejection from a job shortlist or a materially worse insurance premium. Trivial or purely informational outputs do not meet the threshold.

The person must consider the decision to adversely impact their health, safety, or fundamental rights. This is framed from the affected person's perspective. The right is reactive: it is exercised on request by someone who believes a decision went against them in a way that engages one of these interests. A deployer is not obliged to proactively issue explanations for every decision; it is obliged to be able to respond when an eligible person asks.

Article 86 versus GDPR Article 22

Deployers that already operate under data protection compliance frameworks will recognise the territory, because Article 22 of the GDPR has governed automated decision-making since 2018. The two regimes overlap but are not identical, and the safest assumption is that they are cumulative.

Dimension	GDPR Article 22	AI Act Article 86
Trigger	Solely automated processing with legal or similarly significant effect	Decision taken on the basis of high-risk AI output, including with a human in the loop
Who owes the duty	The data controller	The deployer
What must be provided	Meaningful information about the logic involved, significance, and envisaged consequences	The role of the AI system in the procedure and the main elements of the decision taken
Scope of systems	Any processing of personal data	Annex III high-risk systems, excluding point 2
Mode	Information rights plus right to human intervention and to contest	On-request explanation of the individual decision
Applicable since	25 May 2018	2 August 2026

The key practical divergence is the human-in-the-loop point. Article 22 of the GDPR is widely read to apply only where there is no meaningful human involvement in the decision. Many deployers have relied on a human reviewer to take their processes outside Article 22. Article 86 closes that route for high-risk AI: it reaches a decision taken on the basis of the AI system's output, which captures human-supervised decisions where the AI materially shaped the outcome. Recital 171 of the Regulation confirms the Article 86 right operates without prejudice to the GDPR, so a deployer subject to both must satisfy both. The relationship to the broader oversight duty is covered in the Article 14 human oversight guide.

What a compliant explanation contains

Article 86(1) names two things the explanation must cover: the role of the AI system in the decision-making procedure, and the main elements of the decision taken. Working those into an operational standard, a defensible explanation addresses the following.

The role of the system. Was the AI output advisory or determinative? Did a human review or override it, and on what basis? Where did the AI sit in the sequence of steps that produced the final decision? An affected person is entitled to understand whether a machine decided their case or merely informed a human who did.

The inputs and factors considered. What categories of information about the person did the system use? An explanation does not require disclosure of proprietary model weights, but it does require enough about the inputs and the principal factors that the person can understand why the output came out as it did for them specifically.

The main elements of the decision. What was the decision, and what were the principal reasons it went the way it did for this individual? A generic description of how the system works in general is not an explanation of the individual decision. The explanation must be specific to the case.

Clarity and comprehensibility. The statute requires explanations that are clear and meaningful. The audience is the affected person, who may have no technical background. A model card or a statistical description of accuracy is not, by itself, a compliant explanation. The test is whether an ordinary person can understand why the decision affecting them was made.

Producing this on demand depends on logging. A deployer cannot reconstruct the role of the system and the main elements of a past decision unless it retained the relevant records. The Article 12 logging obligations and the records a deployer keeps under Article 26 are the raw material from which an Article 86 explanation is built. Designing the explanation procedure and the logging schema together is far cheaper than retrofitting one to the other after a complaint lands. For enterprises evaluating whether their decision-record architecture can actually produce individual explanations, the Agent Certified assessment methodology at agentcertified.eu maps explanation-readiness to its certification dimensions.

Standing up an Article 86 procedure before 2 August 2026

Article 86 becomes applicable on 2 August 2026 under the phased implementation timeline in Article 113 of the Regulation, the same date on which the main body of high-risk system obligations applies. The Digital Omnibus proposal of early 2026 raised the prospect of moving certain high-risk deadlines, and deployers should track the final position, but the prudent planning assumption is to be ready for the August 2026 date. A workable procedure has five components.

An intake channel. A defined route by which an affected person can request an explanation, with a logged receipt and a response timeline. Article 86 does not fix a deadline, but an unreasonable delay undermines the meaningfulness of the right and exposes the deployer.
An eligibility filter. A documented test for whether the request meets the two thresholds: significant or legal effect, and claimed adverse impact on health, safety, or fundamental rights, in respect of an Annex III system that is not in point 2.
A decision-record retrieval step. The ability to pull the logs and records for the specific decision, drawn from the Article 12 logs and the deployer's own records under Article 26.
An explanation template. A structured format that walks through the role of the system, the inputs and factors, and the main elements of the decision, in plain language, populated per case rather than boilerplate.
A provider-information dependency map. A record of which explanation elements rely on information that only the provider can supply, secured contractually in the procurement agreement, so the deployer is not dependent on goodwill when a request arrives.

Enforcement and liability exposure

Failure to comply with the Article 86 explanation duty is a breach of a deployer obligation under Regulation (EU) 2024/1689. It falls within the Article 99 penalty band for breaches other than the prohibited practices in Article 5: administrative fines of up to EUR 15 million or 3 percent of total worldwide annual turnover for the preceding financial year, whichever is higher. The higher Article 99 band of EUR 35 million or 7 percent of turnover is reserved for breaches of the Article 5 prohibitions, not for explanation failures.

The exposure is not only regulatory. An inability to produce a clear and meaningful explanation of how a contested decision was reached is evidentially damaging in any downstream dispute. In a fundamental-rights complaint, an employment-tribunal claim, or a consumer-credit challenge, the deployer that cannot explain its own decision is in a far weaker position than one that can produce a structured, logged account. Under the revised Product Liability Directive (Directive 2024/2853, applicable from December 2026), the inability to explain how an AI-influenced decision was reached can also feed the disclosure and defect-inference mechanisms that operate against producers and the parties in the supply chain. The double-exposure analysis on this site covers how the AI Act and the Product Liability Directive interact.

Frequently asked questions

What does Article 86 of the EU AI Act require?

Article 86 of Regulation (EU) 2024/1689 gives an affected person who is subject to a decision taken by a deployer on the basis of the output of an Annex III high-risk AI system, and which produces legal effects or similarly significantly affects them adversely in their health, safety, or fundamental rights, the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision and the main elements of the decision taken. The right is exercised on request and the duty sits on the deployer.

Who must provide the explanation, the provider or the deployer?

The deployer. The deployer takes the decision and holds the relationship with the affected person, so the explanation duty routes to it. The provider's role is to supply, through the Article 13 instructions for use, the transparency information that makes a meaningful explanation possible. A deployer cannot discharge the obligation by referring the affected person to the model vendor.

When does the Article 86 right to explanation apply?

From 2 August 2026, the date the main high-risk obligations under the Article 113 phased timeline apply. It covers decisions based on Annex III high-risk systems, excluding systems in Annex III point 2 (critical infrastructure safety components). It applies only to the extent the right is not already provided under other Union law, and is subject to restrictions that follow from Union or national law, for example in law enforcement contexts.

How does Article 86 relate to GDPR Article 22?

The two are distinct but cumulative. Article 22 GDPR governs solely automated decisions and gives meaningful information about the logic; Article 86 reaches decisions taken on the basis of high-risk AI output including with a human in the loop, and places the duty on the deployer. Recital 171 states the Article 86 right operates without prejudice to the GDPR, so where both apply a deployer must satisfy both.

What is the penalty for failing to comply with Article 86?

It falls within the Article 99 band for breaches of obligations other than the Article 5 prohibitions: up to EUR 15 million or 3 percent of total worldwide annual turnover, whichever is higher. Beyond fines, the inability to explain a contested decision weakens the deployer's position in fundamental-rights complaints, employment and credit disputes, and in product-liability proceedings under Directive 2024/2853.

References

Regulation (EU) 2024/1689 of the European Parliament and of the Council. EU AI Act. Articles 5, 13, 14, 26, 27, 86, 99, 113. Recital 171. OJ L, 12 July 2024.
EU AI Act Annex III. High-risk AI systems referred to in Article 6(2), points 1 to 8.
Regulation (EU) 2016/679. General Data Protection Regulation. Article 22 on automated individual decision-making.
Directive 2024/2853 of the European Parliament and of the Council. Revised Product Liability Directive. OJ L, 18 November 2024.
European Commission. AI Act implementation timeline, Article 113 phased application dates. Shaping Europe's Digital Future.
European Commission. Digital Omnibus Package on AI. COM(2026) proposal on adjustment of timelines for certain high-risk AI obligations.
ISO/IEC 42001:2023. Artificial intelligence management system. Clauses on transparency and documented information.
NIST AI Risk Management Framework (AI RMF 1.0). Explainability and interpretability characteristics.