The AI Act imposes specific AI transparency obligationson customer service organizations, depending on the risk level of the system you use. If your AI makes decisions about customers, assesses access to services, or performs profiling, you’ll likely fall into the high-risk category, which comes with corresponding documentation and reporting requirements. In this article, we answer the most frequently asked questions about what the AI Act specifically means for your customer service department.
Which customer service systems are covered by the AI Act?
Customer service systems fall under the AI Act if they use AI to support or make decisions that directly affect customers. Chatbots and virtual assistants that merely provide information are subject to less stringent transparency requirements. Systems that assess, profile, or determine customers’ access to services are classified as high-risk.
The AI Act distinguishes between four risk levels. For customer service, two levels are particularly relevant:
- High-risk AI: systems that make decisions regarding access to essential services, assess creditworthiness, or perform customer profiling. Examples include automated scoring models for customer segmentation or systems that determine which offers are made to which customers.
- Low-risk AI: chatbots, voicebots, and other AI systems that communicate directly with customers. There is a transparency requirement here: customers must know that they are talking to an AI system.
Systems that perform purely procedural or preparatory tasks and do not pose a significant risk to fundamental rights may fall outside the high-risk category. However, systems that profile customers are always considered high-risk, regardless of how limited that profiling may seem.
What exactly must a company report if it uses AI in customer interactions?
If you use AI in customer interactions, you must actively inform customers when they are communicating with an AI system. This applies to chatbots, voicebots, and other automated systems that engage directly with people. Customers must be informed of this before or at the start of the conversation.
If you use high-risk AI, your obligations go even further. As the deployer—the party that deploys the system under its own authority—you must:
- Use the system in accordance with the provider’s instructions for use
- Assign human supervision to qualified and trained individuals
- Retain logs for at least six months
- Informing employees before the system is put into use (Article 26(7))
- Conduct a data protection impact assessment (DPIA) where applicable
Customers who are subject to a decision made by a high-risk system have the right, under Article 86, to request an explanation of the factors that determined that decision. So if you use an AI system that determines whether a customer is eligible for a service or offer, you must be able to provide that explanation.
Does the AI Act also apply to AI systems from third-party vendors?
Yes, the AI Act applies even if you use AI systems from third-party providers. As an organization that uses the system under its own authority, you are a deployer with your own obligations. You cannot place the entire responsibility on the provider.
In addition, there is an important point to keep in mind: you can become a provider yourself without even realizing it. This happens when you:
- Put your own name or brand on an AI system
- Makes a substantial change to the system
- Adjusts the intended purpose in such a way that the system becomes high-risk
In such cases, you assume all of the provider’s obligations, including technical documentation, conformity assessment, and CE marking. It is therefore advisable, when purchasing AI tools for customer service, to specify in the contract who is responsible for what and to verify that the provider has the appropriate documentation and declarations of conformity.
What are the consequences of failing to meet the transparency requirements?
Failure to comply with the transparency requirements of the AI Act can result in substantial fines. Noncompliance with the general obligations, including transparency, may be punishable by a fine of up to 15 million euros or 3% of global annual revenue, whichever is higher.
The penalty structure has three levels:
- Violations of prohibited practices: up to 35 million euros or 7% of global annual revenue
- Non-compliance with other obligations: up to 15 million euros or 3%
- Inaccurate or misleading information provided to authorities: up to 7.5 million euros or 1%
For smaller organizations, the lower of the percentage or the fixed maximum amount always applies. Most obligations for high-risk systems will become enforceable as of August 2, 2026. However, the transparency requirement for chatbots and the prohibited practices have been in effect since February 2, 2025. Supervision and enforcement are the responsibility of national market surveillance authorities, which may mean that priorities differ by Member State.
How does the AI Act differ from the GDPR for customer service organizations?
The AI Act and the GDPR complement each other, but address different risks. The GDPR protects personal data and governs how it may be processed. The AI Act regulates the behavior and operation of AI systems themselves, regardless of whether personal data is involved.
In practice, they overlap in several ways:
- Both require a DPIA for high-risk processing operations or high-risk AI systems
- Both give those affected the right to an explanation of automated decisions
- Both set requirements for the quality and representativeness of data
The difference lies in the focus. The GDPR asks: What data do you process, and on what legal basis? The AI Act asks: How does the system work, what risks does it pose, and is there sufficient human oversight? For customer service organizations, this means you must consider both frameworks side by side. A chatbot that processes customer data is subject to the GDPR for data processing and to the AI Act for the transparency requirement toward the customer.
What steps can a customer service department take right now?
A customer service department can already take concrete steps to become AI Act-compliant, even though most high-risk obligations will not be fully enforceable until August 2026. This is because the transparency requirement for chatbots and virtual assistants is already in effect.
Practical steps you can take right away:
- Create an AI registry: identify which AI systems you use in customer interactions, what they do, and what role you play in them (deployer, provider, or distributor).
- Monitor customer communications: Ensure that customers always know when they are interacting with an AI system by displaying a clear notification at the start of a chat or phone call.
- Assess the risk level: determine for each system whether it is high-risk, particularly if it performs profiling or makes decisions regarding access to services.
- Review supplier contracts: specify who is responsible for what, and ask suppliers to provide documentation regarding compliance.
- Train employees: The AI literacy requirement (Article 4) is already in effect. Ensure that employees who work with AI systems understand what those systems do and what their limitations are.
- Retain logs: Establish processes to retain interaction logs for at least six months for high-risk systems.
The sooner you start, the less you’ll have to adjust later. The compliance requirements for high-risk Annex III systems will become enforceable as of August 2, 2026, but preparation takes time.
How Pegamento Helps with AI Compliance in Customer Service
Compliance with the AI Act requires a clear understanding of which systems you use, how they work, and the responsibilities associated with them. We help customer service organizations deploy AI in a responsible and transparent manner, without getting bogged down in complex supplier management or an unclear division of responsibilities.
What we offer specifically:
- Streamlined AI solutions for customer service that build transparency with customers right in from the start
- Agentic AI assistants that not only follow instructions but also take the initiative on their own—an evolution from executive RPA bots to self-thinking assistants that we position as Agentic AI
- Everything under one roof: from implementation to management and support, so you have a single point of contact and no silos between systems and vendors
- Customized solutions using standard building blocks, so you can scale quickly without costly customization
- Support in setting up human oversight and logging, in accordance with the requirements of the AI Act
- ISO 27001-certified information security as a foundation, supplemented by ISO 9001 and ISO 26000
Would you like to know how your customer service department is currently performing and what steps are needed to become compliant? Contact us, and we’d be happy to help you figure it out.
Frequently Asked Questions
How do I know if my chatbot is classified as 'high-risk' under the AI Act?
A chatbot is considered high-risk if it not only provides information but also supports or makes decisions that directly affect customers, such as determining access to services, performing profiling, or assessing creditworthiness. A simple FAQ bot that answers questions generally falls under the less stringent transparency requirements. If you’re unsure about your system’s classification, have a specialist conduct a risk analysis, as an incorrect assessment could result in failure to comply with mandatory documentation and oversight measures.
What is the minimum requirement to comply with the transparency obligation for chatbots, which takes effect in February 2025?
The minimum requirement is that customers be clearly and promptly informed that they are communicating with an AI system, and this must occur before or at the start of the conversation. In practice, this means a brief, understandable notification at the start of a chat conversation or phone interaction, such as: ‘You are speaking with a virtual assistant.’ Please note: the notification must be genuine and unambiguous—a hidden mention in the terms and conditions is not sufficient.
What should I do if a customer asks for an explanation of a decision made by an AI system?
Under Article 86 of the AI Act, a customer has the right to request an explanation of the factors that influenced a decision made by a high-risk AI system. You must be able to explain in plain language which factors influenced the decision, without having to disclose the model’s full technical workings. Therefore, ensure that you have access to sufficient information about the decision-making logic from the supplier or internal administrator, and train employees to provide this explanation.
How do I contractually define responsibilities with my AI supplier?
Ensure that the contract with your supplier explicitly states who is the provider and who is the deployer, and which obligations rest with which party. Ask the supplier for technical documentation, statements of conformity, and information on how the system was trained and how it works. Also include provisions regarding what happens in the event of a substantial change to the system, as this could mean that you unexpectedly assume the provider role, along with all associated obligations.
Does the AI literacy requirement also apply to employees who only use AI tools indirectly?
Article 4 of the AI Act requires organizations to ensure that employees who work with AI systems have a sufficient level of AI literacy, commensurate with their role and the risks posed by the system. This applies primarily to employees who work directly with AI systems or oversee automated decisions. For employees who are only indirectly affected by AI, a basic level of understanding is desirable but less strictly required—however, it is wise to inform them as well about what the systems do and where the limits lie.
What are the most common mistakes customer service organizations make when implementing AI Act compliance?
A common mistake is assuming that the entire responsibility lies with the vendor, while as the deployer, you always have your own obligations. Other common mistakes include: failing to maintain an AI register, posting the transparency notice too late or in an unclear manner, and forgetting that the AI literacy requirement and the transparency obligation for chatbots are already in effect. Organizations also often wait too long to prepare for the high-risk obligations taking effect in August 2026, even though creating a thorough AI register and conducting a risk analysis can take months.
Do I need to conduct a new DPIA if I’ve already done one under the GDPR?
Not necessarily, but your existing DPIA likely doesn’t cover all the requirements of the AI Act. The GDPR DPIA focuses on risks to personal data, whereas the AI Act also requires an assessment of the system’s operation, the quality of training data, and the presence of human oversight. It is advisable to supplement your existing DPIA or conduct a combined assessment that covers both frameworks, so that you don’t miss any overlaps or leave any gaps.


