Most omnichannel AI applications in contact centers fall under the “low-risk ” category or are completely unregulated under the EU AI Act. Only systems that perform profiling, make decisions regarding access to essential services, or serve vulnerable groups are classified as “high-risk.” In this article, you’ll learn exactly how the risk categories work, which AI applications for customer service are used in which countries, and what your organization needs to do right now.
What are the risk categories under the AI Act?
The AI Act classifies all AI systems into four risk levels: prohibited, high risk, limited risk, and minimal risk. Most AI applications in the business sector fall into the minimal-risk category and are therefore completely unregulated. The higher the potential risk to fundamental rights or safety, the more stringent the obligations.
The four levels work as follows:
- Prohibited (unacceptable risk): Applications that are completely prohibited, such as social scoring by governments, manipulative techniques that influence behavior without a person’s awareness, emotion recognition in the workplace outside of medical or safety exceptions, and real-time biometric identification in public spaces for law enforcement. These prohibitions have been in effect since February 2, 2025.
- High risk: Systems that fall under the eight domains listed in Annex III, including biometrics, critical infrastructure, employment, access to essential services, and law enforcement. Strict requirements apply to these systems.
- Limited risk: Systems such as chatbots and AI that generate synthetic content. These are subject to less stringent transparency requirements, such as the obligation to inform users that they are communicating with an AI.
- Minimal or no risk: The vast majority of current AI applications, such as spam filters or recommendation algorithms. No specific obligations apply.
In addition to these four levels, the law introduces a separate regime for General Purpose AI (GPAI) models, such as large language models. All providers of such models must maintain technical documentation and inform downstream providers about the models’ capabilities and limitations. Models that exceed a certain computational capacity threshold (more than1,025 FLOPs of training compute) are classified as models posing a systemic risk and are subject to additional obligations.
Which omnichannel AI applications are classified as “low risk”?
Omnichannel AI applications that communicate directly with customers generally fall into the “limited risk” category. Specifically, these include chatbots, virtual assistants, and AI-generated content. The primary requirement is transparency: users must know that they are communicating with an AI system, unless this is self-evident from the context.
Typical examples from the omnichannel contact center environment that are considered low-risk:
- Chatbots on websites, WhatsApp, or other channels that answer customer questions
- Virtual phone assistants that answer or route calls
- AI systems that automatically generate email replies for review by an employee
- Sentiment analysis that supports employees during a conversation, without making decisions on its own
- Agentic AI assistants that automate repetitive tasks within a predefined framework
For these applications, you do not need to submit a conformity assessment or set up a risk management system. However, you must make it clear in the user interface that the customer is interacting with an AI system. This applies to all channels within your omnichannel setup, whether it’s chat, phone, or email.
When is a contact center AI system classified as high risk?
A contact center AI system is classified as high-risk if it falls under one of the eight domains listed in Annex III of the AI Act, or if it performs profiling of individuals. Systems that support or make decisions regarding access to essential services, creditworthiness, or insurance are always considered high-risk, regardless of the sector.
Specifically, for omnichannel contact centers, this means you need to be extra vigilant in the following situations:
- Customer profiling: Any system that profiles individuals is automatically classified as high-risk. This applies even if the primary purpose is a different task.
- Access to essential services: AI that plays a role in determining whether a customer is granted access to emergency shelter, social benefits, or similar services is considered high-risk.
- Credit and insurance decisions: Contact center AI that provides input for creditworthiness assessments or insurance premiums also falls into this category.
- Employment and Human Resources: Using AI to screen job applicants or evaluate employees based on their performance in the contact center is high-risk.
An Annex III system may be excluded from the high-risk category if it performs only a narrow procedural or preparatory task and does not pose a significant risk to fundamental rights. However, the provider must provide substantiated documentation to support this. Systems that perform profiling are never eligible for this exception.
Most of the requirements for high-risk Annex III systems take effect on August 2, 2026. That may seem far off, but given the scope of the required documentation and processes, it’s wise to start identifying now which systems in your environment might fall into this category.
What are the obligations of AI providers versus AI users?
The AI Act draws a clear distinction between providers (the party that develops and markets an AI system) and deployers (the organization that uses the system under its own authority). Providers bear the heaviest obligations; deployers have fewer obligations, but they are by no means free from responsibility.
Requirements for Providers of High-Risk AI
As a provider of a high-risk AI system, you must, among other things:
- Establish and maintain a continuous risk management system throughout the entire lifecycle
- Working with training, validation, and test data that are representative and as free from bias as possible
- Prepare technical documentation in accordance with Annex IV of the AI Act
- Enable automatic event logging
- Adopt a design that effectively enables human oversight
- Conduct a conformity assessment, issue an EU declaration of conformity, and register the system in the EU database
Requirements for Deployers (Those Responsible for Use)
As a deployer—that is, an organization that deploys an AI system from a third-party provider in its contact center—you are subject to less stringent but specific obligations:
- Use the system in accordance with the provider’s instructions for use
- Assign human supervision to qualified and trained individuals
- Retain logs for at least six months
- Informing employees before the system is put into use (Article 26(7))
- Conduct a data protection impact assessment (DPIA) where applicable
Please note: If your organization registers its name on a system, makes a substantial change to it, or alters its intended purpose in such a way that the system becomes high-risk, you will become a provider yourself, with all the associated obligations. This is a point that is often overlooked in practice.
How do you prepare your organization for AI Act compliance?
Preparing for AI Act compliance begins with a comprehensive inventory of all AI systems your organization uses or is considering implementing. Next, classify each system based on the risk categories, determine whether you are a provider or a deployer, and set up the necessary processes. Start well in advance of the deadlines, because high-risk systems in particular require substantial documentation and governance.
A practical step-by-step approach:
- Create an AI inventory: Identify all AI applications, including chatbots, routing systems, sentiment analysis, and automation tools across all channels.
- Classify each system: For each application, determine the risk level based on the Annex III domains and whether profiling occurs.
- Determine your role: Are you a provider or a deployer? This determines what obligations you have.
- Check transparency requirements: Make sure customers know when they are interacting with AI, on every channel within your omnichannel setup.
- Establish logging and oversight: Determine who will provide human oversight of AI decisions and ensure that logs are retained for at least six months.
- Train employees: AI literacy has been mandatory since February 2, 2025. Employees who work with AI systems must understand what the system does and what its limitations are.
- Keep an eye on the timeline: Most requirements for high-risk Annex III systems take effect on August 2, 2026. For GPAI models, the requirements take effect as early as August 2, 2025.
The penalty structure reflects how seriously the legislature takes this: violations of the prohibited practices can result in fines of up to 35 million euros or 7% of global annual revenue. Noncompliance with other obligations can result in fines of up to 15 million euros or 3%. For smaller organizations, the lower of the percentage or the fixed amount applies in each case, but even that can be substantial.
How Pegamento Helps Ensure AI Act Compliance in Your Contact Center
Navigating the AI Act while simultaneously improving your customer interactions requires a partner who understands both worlds. At Pegamento, we combine AI-driven intelligence with an approach that prioritizes transparency and human oversight. This allows you to deliver a better customer experience without unnecessary compliance risks.
What we specifically offer:
- Omnichannel AI solutions that comply with transparency requirements for low-risk systems by default
- Agentic AI assistants that take over repetitive tasks within a framework that ensures human oversight, in line with the deployer obligations under the AI Act
- Everything under one roof: from implementation to management and documentation, so you don’t have to coordinate with multiple vendors on compliance issues
- Customized solutions built using standard building blocks, certified under ISO 27001 (information security), ISO 9001, and ISO 26000, so you can operate on a solid foundation
- Understanding which systems in your environment can be classified as high-risk and how to address this in practice
Would you like to know how your current or planned AI applications align with the AI Act? Contact us, and we’d be happy to work with you to develop an approach that suits your organization.
Frequently Asked Questions
Does the AI Act also apply to small and medium-sized enterprises that use AI in their contact centers?
Yes, the AI Act applies to all organizations that use or offer AI systems within the EU, regardless of their size. For smaller organizations, fines are capped at the lower of a fixed amount or a percentage of annual revenue, which offers some protection in practice. Nevertheless, the basic obligations—such as transparency toward customers and AI literacy among employees—are also mandatory for SMEs and have been in effect since February 2, 2025.
What if our AI vendor claims that their system is compliant—does that automatically mean we’re also compliant as a deployer?
No, your vendor’s (provider’s) compliance does not automatically cover your obligations as a deployer. As a deployer, you remain responsible for matters such as establishing human oversight, retaining logs for at least six months, informing employees before deployment, and conducting a DPIA where required. Always ask your supplier for the necessary technical documentation and user manual so that you can fulfill your own obligations as a deployer.
How can I be sure whether our AI system engages in profiling and is therefore high-risk?
Profiling, as defined by the AI Act, means the automated processing of personal data to evaluate aspects of a natural person, such as behavior, preferences, or reliability. If your system combines customer data to make predictions or perform segmentation on an individual basis—even if this is a byproduct of another function—this constitutes profiling and is automatically considered high risk. If in doubt, consult a legal advisor or contact your AI vendor to assess whether the system’s operation aligns with this definition.
Do we also need to inform customers that they are interacting with AI if the AI is used solely internally, such as for routing calls?
The transparency requirement for low-risk systems applies specifically to AI systems that communicate directly with people, such as chatbots and virtual assistants. Purely internal routing systems in which the customer has no direct interaction with the AI itself are generally not covered by this requirement. Still, it’s wise to document and assess internal systems as well, especially if they provide input for decisions that affect customers.
What is the biggest practical mistake organizations make when preparing for the AI Act?
The most common mistake is underestimating the scope of the AI inventory: many organizations focus only on their primary chatbot but overlook routing systems, sentiment analysis tools, automated email solutions, and any AI features within their CRM or WFM platform. A second common mistake is assuming that, as a deployer, you have no obligations of your own. Therefore, start with a broad inventory of all channels and systems, and involve IT, legal, and operational teams in the classification process.
Does the AI literacy requirement apply to all employees in our contact center, or only to specific roles?
The AI literacy requirement (Article 4 of the AI Act, effective as of February 2, 2025) applies to employees who work with or manage AI systems, tailored to their specific role and the systems they interact with. In practice, this means that agents who work with an AI-supported system on a daily basis, as well as team leaders and administrators, must have an appropriate basic level of AI understanding. A one-size-fits-all training program is not sufficient; tailor the content to what each group of employees actually needs to understand about the system they use.
What happens if we make significant changes to an existing AI system—do we then need to reassess whether it still poses a limited risk?
Yes, a substantial change to an AI system requires a reassessment of its risk classification. Furthermore, a significant modification may result in your organization shifting, from a legal standpoint, from a “deployer” to a “provider,” with all the associated stricter obligations. Therefore, always document changes and explicitly assess each modification against the AI Act’s risk criteria before putting it into production.


