Most AI applications in contact centers fall under the “low-risk” or “minimal-risk” categories under the EU AI Act. However, applications that make decisions regarding access to essential services or that involve the profiling of individuals are classified as “high-risk” and require strict compliance. In this article, we answer the most frequently asked questions about AI-driven contact center technology and the AI Act, so you know where your organization stands.
Under the AI Act, which risk category does contact center AI fall into?
Contact center AI generally falls into the “limited risk” or “minimal risk” category, but may be classified as “high risk” in specific cases. The risk category depends on what the system does, not on the technology itself. The AI Act has four levels: prohibited applications, high-risk AI, limited risk, and minimal risk.
Most chatbots, conversation summaries, and routing systems used daily in contact centers are classified as low-risk or minimal-risk. That does not mean there are no obligations, but the requirements are considerably less stringent than for high-risk applications.
It only becomes high-risk when you use AI for decisions that have direct consequences for people in vulnerable situations, such as assessing creditworthiness, handling emergency calls, or profiling individuals. These are situations that do indeed occur in some contact centers, for example, at insurance companies, utility companies, or government agencies.
Which AI applications in the contact center are considered high-risk?
A contact center AI application is considered high-risk if it falls under one of the eight domains listed in Annex III of the AI Act. For contact centers, three domains are most relevant: access to essential services, employment and workforce management, and biometrics. Systems that profile natural persons are always high-risk, without exception.
Specifically, this means that the following applications may be classified as high-risk:
- AI that assesses creditworthiness or insurance risk based on customer conversations or behavioral patterns
- AI that prioritizes or handles emergency calls, where delays can cause immediate harm
- Biometric identification systems that use voice recognition to identify or categorize individuals
- AI that evaluates or monitors employees for personnel decisions, such as performance reviews or termination
- Systems that profile individuals based on behavior, communication style, or other personal characteristics
It is important to distinguish between a system that supports decision-making and one that actually makes decisions. An AI that advises an employee on the best solution for a customer is different from an AI that independently determines whether a customer is entitled to compensation. The former may fall outside the high-risk category; the latter almost certainly does not.
Furthermore, emotion-recognition systems are prohibited in the workplace, unless a medical or safety exception applies. Therefore, AI that analyzes the emotional state of employees or customers to evaluate performance is simply not allowed.
Which AI applications are classified as posing a limited or minimal risk?
Most common contact center AI applications fall under the “limited” or “minimal” risk categories. “Limited” risk entails mild transparency requirements; “minimal” risk entails virtually no legal obligations. The distinction lies in the degree of interaction with people and the potential impact on their decisions.
Low-risk applications include:
- Chatbots and virtual assistants that interact with customers. In such cases, users must be informed that they are communicating with an AI system.
- AI-generated summaries of conversations that are shown to customers or employees
- Sentiment analysis used for reporting purposes, but not for individual decisions regarding people
Applications with minimal or no risk include:
- Automatic call routing based on keywords or menu options
- AI-powered knowledge bases that help employees find answers faster
- Quality monitoring of calls for internal training purposes, provided that no profiling takes place
- Predictive Analytics for Workforce Planning at the Aggregate Level
The transparency requirement for limited-risk scenarios is practical: customers need to know that they are talking to an AI. This is easy for most contact centers to implement, but it is a legal requirement that must not be overlooked.
What requirements apply to high-risk AI in contact centers?
For high-risk AI in contact centers, there are extensive obligations that depend on the role you play: provider or deployer. Providers bear the heaviest burden; deployers have fewer obligations, but they are certainly not exempt.
Requirements for Providers of High-Risk AI
If your organization develops or markets a high-risk AI system, the following requirements, among others, apply:
- A continuous risk management system throughout the entire system lifecycle
- Technical documentation in accordance with Annex IV of the AI Act
- Automatic logging of events, so that the system can be audited later
- A design that effectively enables human oversight, including awareness of automation bias
- A quality management system, a conformity assessment, and CE marking
- Registration in the EU database
Requirements for Deployers of High-Risk AI
If you use a high-risk AI system from a third-party provider in your contact center, you are considered a deployer. Your obligations are more limited, but not insignificant:
- Use the system only in accordance with the provider’s instructions for use
- Assign human supervision to qualified and trained individuals
- Retain logs for at least six months
- Informing employees before the system is put into use (Article 26(7))
- Conduct a data protection impact assessment (DPIA) where applicable
Furthermore, customers or employees who are subject to a decision made by a high-risk system have the right, under Article 86, to request an explanation of the factors that determined that decision. This means that, as a contact center, you must be able to provide that explanation.
Specifically, what steps do contact centers need to take now to become AI Act-compliant?
Contact centers must actively begin working on AI Act compliance in 2026, even though not all requirements are in effect yet. The most urgent step is to identify which AI systems you use and which risk category they fall into. Without that overview, targeted action is impossible.
A practical approach looks like this:
- Identify all AI applications. What systems do you use, what exactly do they do, and who developed them? Distinguish between systems you build yourself and systems you purchase from a vendor.
- Classify each system. Is it classified as minimal, moderate, or high risk? Use the criteria in Annex III as a guide, paying particular attention to profiling and decisions regarding essential services.
- Check transparency requirements. Do customers know they’re communicating with an AI system? If not, adjust your scripts and interfaces.
- Set up human oversight. Ensure that a trained employee is always responsible for supervising high-risk operations.
- Inform employees. Article 26(7) requires you to inform your employees before high-risk AI is put into use. Do this proactively and document it.
- Keep logs. For high-risk applications, a retention period of at least six months applies.
- Work together with your suppliers. As a deployer, you rely on the documentation and user manuals provided by your vendors. Be sure to actively request the necessary information and declarations of conformity.
Most of the requirements for high-risk Annex III systems will take effect on August 2, 2026. However, the prohibited practices and the AI literacy requirement have been in effect since February 2025. So don’t wait until the deadline—start your assessment now.
How Pegamento Helps Ensure AI Act Compliance in the Contact Center
Navigating the AI Act is complex, especially when you’re combining multiple AI applications in your contact center environment. We help organizations set up AI applications that are not only effective but also comply with applicable regulations. Our approach is built on smart combinations of proven modules, without costly custom development projects, and all under one roof.
Here’s what we specifically offer contact centers that want to operate in compliance with the AI Act:
- Transparent AI Communication: Our systems are configured by default to inform customers that they are communicating with an AI system
- Human oversight as a guiding principle: our Agentic AI assistants—the evolution from traditional RPA to self-thinking assistants that take the initiative on their own—are designed to support human employees, not to replace them
- Certified security: We are ISO 27001 certified (information security), supplemented by ISO 9001 and ISO 26000, which align with the security and documentation requirements of the AI Act
- A single point of contact: from implementation to management and compliance support—you don’t have to switch between multiple vendors
- Logging and reporting: Our solutions provide the data retention capabilities and reporting structures that deployers need for high-risk applications
Would you like to know how your current contact center AI applications align with the AI Act? Contact us, and we’d be happy to work with you to develop a compliant and future-proof solution.
Frequently Asked Questions
What happens if my contact center does not comply with the AI Act?
In the event of non-compliance with the AI Act, regulators may impose fines of up to 35 million euros or 7% of global annual revenue, depending on the severity of the violation. For organizations that deploy high-risk systems improperly, lower but still significant penalties apply. In addition to financial consequences, you also face reputational risks, especially if the violations directly affect customers or employees. So it’s not just a legal issue, but also a business risk that must be taken seriously.
Does the AI Act also apply to small contact centers, or only to large organizations?
In principle, the AI Act applies to all organizations that use or offer AI systems within the EU, regardless of their size. However, micro-enterprises and small businesses are subject to some relaxed obligations, particularly on the provider side. However, as a deployer—that is, if you use AI systems from an external supplier—the core obligations, such as transparency, human oversight, and log management, still apply to smaller contact centers as well. The size of your organization therefore does not determine whether you must comply, but it can influence how certain obligations are fulfilled.
How do I know if my AI supplier is providing the correct documentation for compliance?
Explicitly ask your provider for the technical documentation in accordance with Annex IV of the AI Act, the instructions for use, and—for high-risk systems—the EU declaration of conformity and proof of registration in the EU database. A reliable provider of high-risk AI can provide these documents upon request. If your supplier is unable or unwilling to provide this information, that is a serious indication that your compliance as a deployer is at risk. Always set out agreements regarding documentation and updates in a contract.
My contact center uses sentiment analysis on calls. Is that permitted under the AI Act?
Sentiment analysis is permitted, but its permissibility depends heavily on the purpose for which you use it. If you use it exclusively for aggregated reporting and quality improvement, it generally falls under limited or minimal risk. However, as soon as sentiment analysis is used to assess, profile, or make decisions about individual employees or customers, it may be classified as high-risk or even prohibited. Emotion recognition in the workplace for the purpose of evaluating employees is prohibited under the AI Act in any case, so be sure to thoroughly document and safeguard this distinction.
What is the AI literacy requirement, and what does that mean in practice for my contact center employees?
The AI literacy requirement (Article 4 of the AI Act) has been in effect since February 2025 and requires organizations to ensure that employees working with AI systems have sufficient knowledge and understanding of those systems. In practice, this means that your contact center agents must be trained on what AI tools do, what their limitations are, and when human judgment is necessary. This does not have to be extensive technical training, but targeted training tailored to the agent’s role is mandatory and must be documented.
Can customers object to a decision made by an AI system in my contact center?
Yes, under Article 86 of the AI Act, individuals subject to a decision made by a high-risk AI system have the right to request a meaningful explanation of the factors that determined that decision. As a contact center, you must therefore be able to explain in an understandable way why an AI system arrived at a particular outcome, such as a rejection or prioritization. This requires that your systems be designed to be sufficiently transparent and traceable. Combine this with a clear internal escalation process so that employees know how to handle such requests.
What is the difference between a provider and a deployer, and what role does my contact center play?
A provider is the party that develops and markets an AI system; a deployer is the organization that implements that system in its own operations. Most contact centers are deployers: they purchase or license AI solutions from technology vendors and use them for customer interactions. As a deployer, you are not responsible for the development and certification of the system, but you are responsible for its proper use, human oversight, log management, and informing employees. In exceptional cases—for example, if you customize or develop AI functionality in-house—your contact center may also be classified as a provider, resulting in significantly more stringent obligations.


