On 2 August 2026, the EU AI Act becomes fully applicable. If you run a chatbot, voice agent, or any customer-facing AI system in the EU — or serve EU users from outside it — you now have concrete legal obligations. The good news: for most companies they are manageable, and most of them come down to being honest with users. Here is what actually changed, whether your agents count as “high-risk,” and a practical deployer checklist you can work through this quarter.
What changed on 2 August 2026
The AI Act did not arrive all at once. It entered into force on 1 August 2024 and has been phasing in ever since:
- 2 February 2025: the bans on prohibited AI practices (social scoring, manipulative techniques, and similar) took effect, along with the AI literacy obligation — organisations must ensure the people operating AI systems on their behalf have a sufficient level of AI understanding.
- 2 August 2025: obligations for providers of general-purpose AI (GPAI) models applied, together with the governance framework, including the European AI Office.
- 2 August 2026: the regulation becomes fully applicable. This is the general application date most businesses have been watching.
For the majority of companies deploying AI agents — chat on the website, a voice agent answering calls, an assistant drafting replies — the practical centre of gravity from August 2026 is Article 50: transparency obligations. It has three parts that matter day to day:
- Tell people they are talking to AI. Users interacting with an AI system such as a chatbot or voice agent must be informed of that fact, unless it is already obvious from the context to a reasonably informed person.
- Mark AI-generated content. AI-generated or AI-manipulated content — synthetic audio, images, video, and certain published text — must be marked as such in a machine-readable, detectable way.
- Extra duties for sensitive systems. Deployers of emotion-recognition or biometric-categorisation systems must inform the people exposed to them, on top of existing data-protection rules.
Enforcement is shared between the European AI Office at EU level (particularly for general-purpose AI models) and national market-surveillance authorities in each member state. Penalties are tiered: up to €35 million or 7% of worldwide annual turnover for prohibited-practice violations, with lower tiers — such as up to €15 million or 3% — for most other breaches.
One honest caveat. Under the European Commission’s Digital Omnibus discussions, some of the more extensive high-risk (Annex III) requirements are expected to shift to late 2027 or 2028. That timeline is genuinely still in motion, and anyone who tells you the high-risk regime is fully settled is ahead of the facts. What is not moving: the transparency duties. Plan around those first.
Are AI agents “high-risk” under the EU AI Act?
The Act sorts AI systems into four buckets: prohibited, high-risk, limited-risk (transparency obligations), and minimal risk. The question we hear most from clients is whether their agent lands in the high-risk bucket — because that is where the heavy compliance machinery lives. Here is the honest triage:
- Most sales, support, booking, and FAQ agents are limited-risk. A website chatbot that answers product questions, a voice agent that books appointments, an assistant that qualifies leads — these are not Annex III use cases. Your main duty is Article 50 transparency: disclose, mark, and document. (If you are still deciding between a scripted bot and a full agent, our comparison of AI agents vs chatbots explains the difference — note that the AI Act treats both as AI systems for transparency purposes.)
- High-risk territory starts when the agent influences consequential decisions about people. Annex III covers, among other areas: employment (CV screening, ranking candidates, scoring interviews), creditworthiness and credit scoring, access to education and exam scoring, eligibility for essential public and private services, and law-enforcement or migration uses.
Classification follows function, not label. An agent that collects a candidate’s details and hands them unfiltered to a recruiter is doing intake. An agent that scores, ranks, or filters those candidates is doing employment screening — and that is Annex III territory, with provider-side requirements for risk management, data governance, logging, and conformity assessment, plus deployer duties: using the system according to its instructions, assigning trained human oversight, monitoring it in operation, and keeping its logs.
And yes, this applies beyond the EU’s borders. Like the GDPR, the AI Act has extraterritorial reach: it covers providers and deployers established outside the EU when their system, or the output it produces, is used in the EU. A US or Indian company running a chatbot that serves European customers is in scope. “We are not a European company” is not an exemption.
If your roadmap includes HR screening, lending decisions, or education scoring, treat the high-risk framework as your design target now, even if parts of its timeline slip to 2027–2028. Retrofitting oversight and logging into a live decision system is far more expensive than building them in.
The deployer’s checklist
The AI Act distinguishes providers (who build AI systems or place them on the market) from deployers (who use them under their own authority). If you bought or commissioned an agent and run it in your business, you are a deployer. Here is what that means in practice:
- Inventory your AI systems. List every chatbot, voice agent, and AI-assisted workflow that touches EU users or staff, and note what each one actually does. You cannot classify what you have not catalogued.
- Disclose to users, by default. Add a clear notice at the start of every chat and voice interaction that the user is dealing with AI. “Unless obvious from context” is a narrow escape hatch — do not build your compliance position on it.
- Mark AI-generated output. Where your agents produce content that leaves the conversation — emails, summaries, published text, synthetic audio — ensure it carries machine-readable marking. This is largely a tooling question, so put it in your vendor requirements.
- Log interactions and decisions. Deployers of high-risk systems must retain the logs the system generates (at least six months, longer where other law requires it). For limited-risk agents, logging is not the headline duty — but it is how you prove disclosure happened and how you audit agent behaviour. Build it anyway.
- Keep a human in the loop. Define which actions the agent may complete autonomously and which require human review, and give users a working path to a person. For high-risk systems, oversight by trained, competent staff is mandatory.
- Demand documentation from vendors. Instructions for use, model information, marking capabilities, and the vendor’s own AI Act posture. Your obligations as a deployer depend partly on their paperwork — collect it before you sign, not after.
- Train your staff. The AI literacy duty has applied since February 2025. Anyone operating or supervising your agents should understand what the system can and cannot do, where it fails, and how to escalate.
- Align with GDPR. The AI Act sits alongside data-protection law, not instead of it. Update privacy notices, records of processing, and retention schedules to reflect what your agents collect and store.
Three mistakes we see deployers make
Relying on “it’s obviously a bot.” The exemption for context-obvious AI was written with clearly labelled, clearly artificial systems in mind. A fluent agent with a human name and a natural voice does not qualify, and arguing the point with a regulator after a complaint is a bad position to be in. Disclosure costs one sentence; skip the debate.
Treating compliance as the vendor’s problem. Providers carry the heavier build-side obligations, but deployer duties — disclosure, oversight, logging, staff training — are yours and cannot be outsourced by contract. What you can do is choose vendors whose tooling makes your duties easy, and collect their documentation up front.
Waiting for the high-risk timeline to settle before doing anything. The Digital Omnibus may move Annex III deadlines; it will not move Article 50. Companies that ship disclosure, marking, and logging now are finished with the part of the law that is certain — and better placed for the part that is not.
What this means for voice agents specifically
Voice is where transparency gets most concrete. A caller cannot see a “powered by AI” badge, so the disclosure has to be spoken — and designed in from the start:
- Say it up front. The agent should identify itself as an AI assistant in its opening line, before the caller starts sharing information. Burying the disclosure mid-call, or hoping a robotic cadence makes it “obvious,” is not a strategy — modern voice agents are precisely not obvious, which is why the rule exists.
- Synthetic voice is AI-generated audio. The output of a voice agent falls under the content-marking obligations, so your platform should support machine-readable marking of generated audio — and your documentation should record that capability.
- Design recording and logging deliberately. Call recording needs a lawful basis and notice under GDPR and national telecom rules; the AI Act adds the expectation that you can reconstruct what the agent said and did. Store transcripts, disclosure timestamps, and escalation events with a defined retention period.
- Make the human handoff real. A caller who asks for a person should reach one, and the transfer should be logged. That is both good compliance evidence and good customer experience.
None of this makes voice agents impractical in Europe. It makes them auditable — which, for regulated industries, is exactly what buyers have been asking for anyway.
How we build AI-Act-ready agents at Inwizards
We treat the AI Act as a set of design requirements, not an afterthought. Every agent we ship for EU-facing use includes disclosure by default (chat banners and spoken voice introductions), audit logs that capture conversations, decisions, and handoffs, human-in-the-loop controls with configurable escalation rules, and a documentation pack — system description, intended purpose, oversight design, and vendor attestations — that your compliance team can hand to a regulator or an enterprise customer. Our scoping approach is covered in our guide to custom AI agent development, and we build region-aware deployments for European clients through our AI agents for Europe practice.
This article is educational content about the EU AI Act as commonly understood in July 2026, not legal advice. Obligations depend on your specific systems and use cases — consult qualified legal counsel before making compliance decisions.