As a customer service organization, the first step toward AI Act compliance is to identify which AI systems you use, which risk category they fall into, and what obligations apply to them. The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive AI regulation and applies to anyone who creates, uses, or deploys AI systems within the EU. In this article, we answer the most frequently asked questions about what compliance specifically means for your organization, from risk classification to documentation and liability. Also check out our page on AI-driven intelligence for more context on how AI is used in practice in customer interactions.
Which AI systems used in customer service are covered by the AI Act?
Most AI systems used by customer service organizations fall under the AI Act, but the risk level varies greatly depending on the application. Chatbots and virtual assistants that transparently disclose that they are automated generally fall into the low-risk category. Systems that profile customers or make decisions regarding access to services may be classified as high-risk.
Specifically, there are four risk levels: unacceptable risk (prohibited), high risk (strictly regulated), limited risk (minimal transparency requirements), and minimal risk (largely unregulated). For customer service, the most relevant categories are:
- Chatbots and virtual assistants: limited risk, but you are required to inform users that they are communicating with an AI system.
- Systems that score or profile customers: always high-risk, regardless of the purpose. Think of tools that analyze customer behavior to determine priority or access.
- AI for human resources management or scheduling: falls under the high-risk category of Annex III (employment and human resources management).
- Emotion recognition among employees or customers: prohibited in the workplace, except for strictly defined exceptions for medical or safety purposes.
- Systems for emergency calls or access to essential services: high risk under Annex III.
A system that performs only a narrow procedural or preparatory task and does not pose a significant risk to fundamental rights may fall outside the high-risk category. However, this requires that your organization document this in a well-reasoned manner.
What are the requirements for high-risk AI applications?
If an AI system used in your customer service is classified as high-risk, extensive obligations apply regarding transparency, documentation, human oversight, and risk management. These obligations apply to both the provider and the user (deployer) of the system, each in their respective roles.
The key obligations for high-risk AI are:
- Risk Management System: You must identify, analyze, and mitigate risks throughout the system’s entire lifecycle.
- Technical documentation: a detailed description of the system, its intended purpose, training data, and performance.
- Logging and traceability: automatic logging of events so that regulators can review how decisions were reached after the fact.
- Transparency for users: clear instructions on how the system works, what its limitations are, and how human oversight is organized.
- Human oversight: A person must always be able to intervene, pause the system, or correct decisions.
- Accuracy, robustness, and cybersecurity: the system must be demonstrably accurate and resistant to errors and misuse.
Systems that profile natural persons are always high-risk. This is a strict rule with no exceptions, so it is important to thoroughly assess whether your systems do this.
When must an organization comply with the AI Act?
The AI Act will take effect in phases. Starting February 2, 2025, the prohibitions on unacceptable AI practices and the requirement for AI literacy within your organization will take effect. Most of the requirements for high-risk systems will take effect on August 2, 2026.
The timeline that is most relevant to customer service organizations is as follows:
- February 2, 2025 (already in effect): Prohibited practices are no longer allowed, and you are required to ensure that employees who work with AI have sufficient AI literacy.
- August 2, 2025 (already in effect): Requirements for providers of General Purpose AI models (such as large language models) are in effect. Penalty provisions are also already in effect.
- August 2, 2026: Most of the requirements for high-risk systems listed in Annex III will take effect. This is the most important deadline for most customer service organizations.
- August 2, 2027: Requirements for high-risk AI used as a safety component in regulated products take effect.
So in 2026—the current year—it’s important to get serious about your compliance efforts if you use high-risk systems. Don’t wait until the deadline, because setting up documentation, risk management, and internal processes takes more time than you might think.
Who is responsible for AI Act compliance: the supplier or the user?
Both the provider (the party that develops or markets the AI system) and the deployer (the organization that deploys the system) have their own obligations under the AI Act. As a customer service organization, you are typically the deployer, but that does not exempt you from responsibility.
The division of responsibilities works as follows:
- The supplier is responsible for the conformity assessment, technical documentation, CE marking (for high-risk systems), and informing deployers about the system’s capabilities and limitations.
- The deployer (your organization) is responsible for using the system correctly in accordance with the provider’s instructions, organizing human oversight, informing employees and customers, and reporting serious incidents.
There is one important point to note: if, as an organization, you substantially modify an AI system, brand it with your own name, or change its intended purpose in such a way that it becomes high-risk, you yourself become the provider, with all the associated obligations. This is a common misconception that can lead to unexpected liability.
For every AI tool you purchase, verify that the supplier is demonstrably compliant. Ask for technical documentation, declarations of conformity, and details on how they address the obligations under the AI Act.
How do you document AI usage for regulators?
As an organization, you must be able to demonstrate to regulators which AI systems you use, for what purposes, how human oversight is organized, and how you manage risks. Proper documentation is the backbone of AI Act compliance and begins with a clear inventory of all AI applications within your organization.
A practical approach to documentation involves the following steps:
- AI Inventory: Create a list of all the AI systems you use, including chatbots, routing algorithms, analytics software, and any built-in AI in your CRM or contact center platform.
- Risk classification by system: Determine the risk level for each system based on the criteria set forth in the AI Act. Document your reasoning, even if you conclude that a system does not pose a high risk.
- Usage log: Keep track of how and for what purpose each system is used, who has access to it, and how decisions are made or supported.
- Incident and Complaint Log: Document any errors, complaints from customers or employees, and how you responded to them.
- Human oversight: Specify who is responsible for overseeing each system and how intervention works in practice.
- Retention Requirement: You must retain technical documentation and declarations of conformity from suppliers for ten years.
Employee AI literacy is also a documentation requirement. You must be able to demonstrate that employees who work with AI systems have sufficient knowledge to evaluate the output and understand when human intervention is necessary.
What are the consequences of noncompliance with the AI Act?
The fines for noncompliance with the AI Act are substantial and are already in effect. Violations of the prohibited practices listed in Article 5 may result in a fine of up to 35 million euros or 7% of global annual revenue, whichever is higher.
The penalty structure has three levels:
- Prohibited practices (Article 5): up to 35 million euros or 7% of global annual revenue.
- Non-compliance with other obligations: up to 15 million euros or 3% of global annual revenue.
- Inaccurate or misleading information provided to authorities: up to 7.5 million euros or 1% of global annual revenue.
In addition to financial penalties, there are also reputational risks. Regulators may decide to make enforcement actions public, which could damage trust among customers and employees. In the Netherlands, enforcement powers are vested in national market supervisory authorities, which means that interpretation and prioritization may vary by member state.
For smaller organizations, the lower of the percentage-based amount or the fixed amount always applies when it comes to fines. Even so, a lower fine is still a significant financial blow, aside from the operational disruption caused by an investigation.
How Pegamento Helps Ensure AI Act Compliance in Customer Service
AI Act compliance is not a one-time project but an ongoing process that requires the right technology, clear processes, and demonstrable oversight. We help customer service organizations use AI responsibly, with solutions built from proven modules that eliminate the need for costly customization. Our Agentic AI for customer service is a good example: whereas traditional RPA relied on executional bots that followed instructions, we now position this as Agentic AI—self-thinking assistants that take initiative on their own, understand context, and act without every step needing to be pre-programmed.
Here’s what you can expect from us in terms of AI compliance:
- Transparent systems: Our solutions are designed with human oversight as a core principle, not as an afterthought.
- Everything under one roof: from implementation to management and support—a single point of contact without the complexity of supplier management.
- Documentation support: We’ll help you map out your AI usage and set up the necessary records.
- ISO 27001 certified: Information security is our top priority, complemented by ISO 9001 and ISO 26000 for quality and social responsibility.
- Risk Classification: Together, we’ll assess which systems fall into which category and what that means for your organization.
Would you like to know where your organization stands in terms of AI Act compliance and how to take the right steps, one by one? Contact us, and we’d be happy to help you figure it out.
Frequently Asked Questions
As a small or medium-sized customer service organization, do I also have to comply with the AI Act?
Yes, the AI Act applies to all organizations that use AI systems within the EU, regardless of size. There is a limited exemption for micro-enterprises regarding certain obligations, but the core obligations—such as complying with prohibited practices and ensuring AI literacy—also apply to small organizations. It’s especially wise for smaller organizations to start early, since their capacity to set up documentation and processes is typically more limited.
How do I know if the AI that’s already built into my CRM or contact center platform is also covered by the AI Act?
Yes, built-in AI functionalities in platforms such as your CRM or contact center solution are also subject to the AI Act if they meet the definition of an AI system. Ask your vendor explicitly which AI components are incorporated into the platform, how they are classified, and whether the vendor can provide a statement of compliance. As a deployer, you are jointly responsible for the proper use of these systems, even if you did not build them yourself.
What is the difference between an AI system and regular automation, and how do I know which category my tool falls into?
The AI Act uses a specific definition: an AI system is a system that, based on input, reasons, makes predictions, provides recommendations, or makes decisions in a way that goes beyond simple rule-based automation. Traditional RPA that follows fixed rules without learning or reasoning generally falls outside this definition. Are you unsure about a specific system? Consult the official definition in Article 3 of the AI Act and document your reasoning, even if you conclude that it is not an AI system.
What practical steps do I need to take regarding the AI literacy requirement that has been in effect since February 2025?
The AI literacy requirement means you must demonstrably ensure that employees who work with AI systems have sufficient knowledge to understand the output, critically assess it, and recognize when human intervention is necessary. In practical terms, this means: develop a basic training program on the AI tools you use, document who has completed which training, and ensure that employees know how to identify and escalate errors or anomalies. An internal knowledge session or e-learning module is already a good first step that you can document.
What should I do if a customer asks whether they are talking to an AI system, and how do I properly document this?
Under the AI Act, you’re required to inform users when they’re interacting with an AI system, such as a chatbot or virtual assistant. This must be done clearly, comprehensibly, and in a timely manner—preferably at the start of the interaction. Document in your records how and when this notification is provided, through which channel, and using what wording. Also ensure that customers always have the option to reach a human representative, and document how this is organized in practice.
How do I handle an AI system that I purchase from a supplier but am unsure whether it is compliant?
Proactively ask your supplier for a declaration of conformity, technical documentation, and an explanation of how they fulfill the obligations under the AI Act. Record this information in your own documentation and make compliance requirements part of your procurement contracts and Service Level Agreements. If a supplier cannot provide clarity on compliance, that is a serious red flag: as the deployer, you can also be held liable if you continue to use a non-compliant system.
Can I reuse my existing privacy documentation (GDPR) for AI Act compliance, or do I have to start from scratch?
You can certainly use existing GDPR documentation as a starting point, but the AI Act sets additional and, in some cases, different requirements. For example, the AI Act requires specific technical documentation about the AI system itself, a risk management system focused on fundamental rights and safety, and decision-logging that goes beyond what the GDPR requires. Practical advice: use your existing records and DPIA methodology as a foundation, but supplement them with AI Act-specific elements such as risk classification, human oversight, and a ten-year retention requirement for technical documentation.


