{"id":32285,"date":"2026-07-10T08:00:00","date_gmt":"2026-07-10T06:00:00","guid":{"rendered":"https:\/\/pegamento.nl\/niet-gecategoriseerd\/which-omnichannel-ai-applications-fall-under-the-ai-act\/"},"modified":"2026-07-10T10:00:42","modified_gmt":"2026-07-10T08:00:42","slug":"which-omnichannel-ai-applications-fall-under-the-ai-act","status":"publish","type":"post","link":"https:\/\/pegamento.nl\/en\/contact-center\/which-omnichannel-ai-applications-fall-under-the-ai-act\/","title":{"rendered":"Which omnichannel AI applications fall under the AI Act?"},"content":{"rendered":"<p>Most omnichannel AI applications in contact centers fall under the <strong>\u201clow-risk<\/strong> \u201d category or are completely unregulated under the EU AI Act. Only systems that perform profiling, make decisions regarding access to essential services, or serve vulnerable groups are classified as \u201chigh-risk.\u201d In this article, you\u2019ll learn exactly how the risk categories work, which <a href=\"https:\/\/pegamento.nl\/en\/agentic-ai-for-customer-service\/\">AI applications for customer service<\/a> are used in which countries, and what your organization needs to do right now.  <\/p>\n<h2>What are the risk categories under the AI Act?<\/h2>\n<p>The AI Act classifies all AI systems into four risk levels: prohibited, high risk, limited risk, and minimal risk. Most AI applications in the business sector fall into the minimal-risk category and are therefore completely unregulated. The higher the potential risk to fundamental rights or safety, the more stringent the obligations.  <\/p>\n<p>The four levels work as follows:<\/p>\n<ul>\n<li><strong>Prohibited (unacceptable risk):<\/strong> Applications that are completely prohibited, such as social scoring by governments, manipulative techniques that influence behavior without a person\u2019s awareness, emotion recognition in the workplace outside of medical or safety exceptions, and real-time biometric identification in public spaces for law enforcement. These prohibitions have been in effect since February 2, 2025. <\/li>\n<li><strong>High risk:<\/strong> Systems that fall under the eight domains listed in Annex III, including biometrics, critical infrastructure, employment, access to essential services, and law enforcement. Strict requirements apply to these systems. <\/li>\n<li><strong>Limited risk:<\/strong> Systems such as chatbots and AI that generate synthetic content. These are subject to less stringent transparency requirements, such as the obligation to inform users that they are communicating with an AI. <\/li>\n<li><strong>Minimal or no risk:<\/strong> The vast majority of current AI applications, such as spam filters or recommendation algorithms. No specific obligations apply. <\/li>\n<\/ul>\n<p>In addition to these four levels, the law introduces a separate regime for <strong>General Purpose AI (GPAI) models<\/strong>, such as large language models. All providers of such models must maintain technical documentation and inform downstream providers about the models\u2019 capabilities and limitations. Models that exceed a certain computational capacity threshold (more than<sup>1,025<\/sup> FLOPs of training compute) are classified as models posing a systemic risk and are subject to additional obligations.  <\/p>\n<h2>Which omnichannel AI applications are classified as &#8220;low risk&#8221;?<\/h2>\n<p>Omnichannel AI applications that communicate directly with customers generally fall into the \u201climited risk\u201d category. Specifically, these include chatbots, virtual assistants, and AI-generated content. The primary requirement is transparency: users must know that they are communicating with an AI system, unless this is self-evident from the context.  <\/p>\n<p>Typical examples from the omnichannel contact center environment that are considered low-risk:<\/p>\n<ul>\n<li>Chatbots on websites, WhatsApp, or other channels that answer customer questions<\/li>\n<li>Virtual phone assistants that answer or route calls<\/li>\n<li>AI systems that automatically generate email replies for review by an employee<\/li>\n<li>Sentiment analysis that supports employees during a conversation, without making decisions on its own<\/li>\n<li>Agentic AI assistants that automate repetitive tasks within a predefined framework<\/li>\n<\/ul>\n<p>For these applications, you do not need to submit a conformity assessment or set up a risk management system. However, you must make it clear in the user interface that the customer is interacting with an AI system. This applies to all channels within your omnichannel setup, whether it\u2019s chat, phone, or email.  <\/p>\n<h2>When is a contact center AI system classified as high risk?<\/h2>\n<p>A contact center AI system is classified as high-risk if it falls under one of the eight domains listed in Annex III of the AI Act, or if it performs profiling of individuals. Systems that support or make decisions regarding access to essential services, creditworthiness, or insurance are always considered high-risk, regardless of the sector. <\/p>\n<p>Specifically, for omnichannel contact centers, this means you need to be extra vigilant in the following situations:<\/p>\n<ul>\n<li><strong>Customer profiling:<\/strong> Any system that profiles individuals is automatically classified as high-risk. This applies even if the primary purpose is a different task. <\/li>\n<li><strong>Access to essential services:<\/strong> AI that plays a role in determining whether a customer is granted access to emergency shelter, social benefits, or similar services is considered high-risk.<\/li>\n<li><strong>Credit and insurance decisions:<\/strong> Contact center AI that provides input for creditworthiness assessments or insurance premiums also falls into this category.<\/li>\n<li><strong>Employment and Human Resources:<\/strong> Using AI to screen job applicants or evaluate employees based on their performance in the contact center is high-risk.<\/li>\n<\/ul>\n<p>An Annex III system may be excluded from the high-risk category if it performs only a narrow procedural or preparatory task and does not pose a significant risk to fundamental rights. However, the provider must provide substantiated documentation to support this. Systems that perform profiling are never eligible for this exception.  <\/p>\n<p>Most of the requirements for high-risk Annex III systems take effect on <strong>August 2, 2026<\/strong>. That may seem far off, but given the scope of the required documentation and processes, it\u2019s wise to start identifying now which systems in your environment might fall into this category. <\/p>\n<h2>What are the obligations of AI providers versus AI users?<\/h2>\n<p>The AI Act draws a clear distinction between <strong>providers<\/strong> (the party that develops and markets an AI system) and <strong>deployers<\/strong> (the organization that uses the system under its own authority). Providers bear the heaviest obligations; deployers have fewer obligations, but they are by no means free from responsibility. <\/p>\n<h3>Requirements for Providers of High-Risk AI<\/h3>\n<p>As a provider of a high-risk AI system, you must, among other things:<\/p>\n<ul>\n<li>Establish and maintain a continuous risk management system throughout the entire lifecycle<\/li>\n<li>Working with training, validation, and test data that are representative and as free from bias as possible<\/li>\n<li>Prepare technical documentation in accordance with Annex IV of the AI Act<\/li>\n<li>Enable automatic event logging<\/li>\n<li>Adopt a design that effectively enables human oversight<\/li>\n<li>Conduct a conformity assessment, issue an EU declaration of conformity, and register the system in the EU database<\/li>\n<\/ul>\n<h3>Requirements for Deployers (Those Responsible for Use)<\/h3>\n<p>As a deployer\u2014that is, an organization that deploys an AI system from a third-party provider in its contact center\u2014you are subject to less stringent but specific obligations:<\/p>\n<ul>\n<li>Use the system in accordance with the provider&#8217;s instructions for use<\/li>\n<li>Assign human supervision to qualified and trained individuals<\/li>\n<li>Retain logs for at least six months<\/li>\n<li>Informing employees before the system is put into use (Article 26(7))<\/li>\n<li>Conduct a data protection impact assessment (DPIA) where applicable<\/li>\n<\/ul>\n<p>Please note: If your organization registers its name on a system, makes a substantial change to it, or alters its intended purpose in such a way that the system becomes high-risk, you will become a provider yourself, with all the associated obligations. This is a point that is often overlooked in practice. <\/p>\n<h2>How do you prepare your organization for AI Act compliance?<\/h2>\n<p>Preparing for AI Act compliance begins with a comprehensive inventory of all AI systems your organization uses or is considering implementing. Next, classify each system based on the risk categories, determine whether you are a provider or a deployer, and set up the necessary processes. Start well in advance of the deadlines, because high-risk systems in particular require substantial documentation and governance.  <\/p>\n<p>A practical step-by-step approach:<\/p>\n<ol>\n<li><strong>Create an AI inventory:<\/strong> Identify all AI applications, including chatbots, routing systems, sentiment analysis, and automation tools across all channels.<\/li>\n<li><strong>Classify each system:<\/strong> For each application, determine the risk level based on the Annex III domains and whether profiling occurs.<\/li>\n<li><strong>Determine your role:<\/strong> Are you a provider or a deployer? This determines what obligations you have. <\/li>\n<li><strong>Check transparency requirements:<\/strong> Make sure customers know when they are interacting with AI, on every channel within your omnichannel setup.<\/li>\n<li><strong>Establish logging and oversight:<\/strong> Determine who will provide human oversight of AI decisions and ensure that logs are retained for at least six months.<\/li>\n<li><strong>Train employees:<\/strong> AI literacy has been mandatory since February 2, 2025. Employees who work with AI systems must understand what the system does and what its limitations are. <\/li>\n<li><strong>Keep an eye on the timeline:<\/strong> Most requirements for high-risk Annex III systems take effect on August 2, 2026. For GPAI models, the requirements take effect as early as August 2, 2025. <\/li>\n<\/ol>\n<p>The penalty structure reflects how seriously the legislature takes this: violations of the prohibited practices can result in fines of up to 35 million euros or 7% of global annual revenue. Noncompliance with other obligations can result in fines of up to 15 million euros or 3%. For smaller organizations, the lower of the percentage or the fixed amount applies in each case, but even that can be substantial.  <\/p>\n<h2>How Pegamento Helps Ensure AI Act Compliance in Your Contact Center<\/h2>\n<p>Navigating the AI Act while simultaneously improving your customer interactions requires a partner who understands both worlds. At Pegamento, we combine <a href=\"https:\/\/pegamento.nl\/en\/ai-powered-intelligence\/\">AI-driven intelligence<\/a> with an approach that prioritizes transparency and human oversight. This allows you to deliver a better customer experience without unnecessary compliance risks.  <\/p>\n<p>What we specifically offer:<\/p>\n<ul>\n<li>Omnichannel AI solutions that comply with transparency requirements for low-risk systems by default<\/li>\n<li>Agentic AI assistants that take over repetitive tasks within a framework that ensures human oversight, in line with the deployer obligations under the AI Act<\/li>\n<li>Everything under one roof: from implementation to management and documentation, so you don&#8217;t have to coordinate with multiple vendors on compliance issues<\/li>\n<li>Customized solutions built using standard building blocks, certified under ISO 27001 (information security), ISO 9001, and ISO 26000, so you can operate on a solid foundation<\/li>\n<li>Understanding which systems in your environment can be classified as high-risk and how to address this in practice<\/li>\n<\/ul>\n<p>Would you like to know how your current or planned AI applications align with the AI Act? <a href=\"https:\/\/pegamento.nl\/en\/contact-2\/\">Contact us<\/a>, and we\u2019d be happy to work with you to develop an approach that suits your organization.<\/p>\n        <div class=\"wp-block-seoaic-faq-block\">\n            <h2 class=\"seoaic-faq-section-title\">Frequently Asked Questions<\/h2>\n                            <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Does the AI Act also apply to small and medium-sized enterprises that use AI in their contact centers?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Yes, the AI Act applies to all organizations that use or offer AI systems within the EU, regardless of their size. For smaller organizations, fines are capped at the lower of a fixed amount or a percentage of annual revenue, which offers some protection in practice. Nevertheless, the basic obligations\u2014such as transparency toward customers and AI literacy among employees\u2014are also mandatory for SMEs and have been in effect since February 2, 2025.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What if our AI vendor claims that their system is compliant\u2014does that automatically mean we\u2019re also compliant as a deployer?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        No, your vendor\u2019s (provider\u2019s) compliance does not automatically cover your obligations as a deployer. As a deployer, you remain responsible for matters such as establishing human oversight, retaining logs for at least six months, informing employees before deployment, and conducting a DPIA where required. Always ask your supplier for the necessary technical documentation and user manual so that you can fulfill your own obligations as a deployer.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        How can I be sure whether our AI system engages in profiling and is therefore high-risk?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Profiling, as defined by the AI Act, means the automated processing of personal data to evaluate aspects of a natural person, such as behavior, preferences, or reliability. If your system combines customer data to make predictions or perform segmentation on an individual basis\u2014even if this is a byproduct of another function\u2014this constitutes profiling and is automatically considered high risk. If in doubt, consult a legal advisor or contact your AI vendor to assess whether the system\u2019s operation aligns with this definition.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Do we also need to inform customers that they are interacting with AI if the AI is used solely internally, such as for routing calls?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        The transparency requirement for low-risk systems applies specifically to AI systems that communicate directly with people, such as chatbots and virtual assistants. Purely internal routing systems in which the customer has no direct interaction with the AI itself are generally not covered by this requirement. Still, it\u2019s wise to document and assess internal systems as well, especially if they provide input for decisions that affect customers.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What is the biggest practical mistake organizations make when preparing for the AI Act?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        The most common mistake is underestimating the scope of the AI inventory: many organizations focus only on their primary chatbot but overlook routing systems, sentiment analysis tools, automated email solutions, and any AI features within their CRM or WFM platform. A second common mistake is assuming that, as a deployer, you have no obligations of your own. Therefore, start with a broad inventory of all channels and systems, and involve IT, legal, and operational teams in the classification process.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Does the AI literacy requirement apply to all employees in our contact center, or only to specific roles?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        The AI literacy requirement (Article 4 of the AI Act, effective as of February 2, 2025) applies to employees who work with or manage AI systems, tailored to their specific role and the systems they interact with. In practice, this means that agents who work with an AI-supported system on a daily basis, as well as team leaders and administrators, must have an appropriate basic level of AI understanding. A one-size-fits-all training program is not sufficient; tailor the content to what each group of employees actually needs to understand about the system they use.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What happens if we make significant changes to an existing AI system\u2014do we then need to reassess whether it still poses a limited risk?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Yes, a substantial change to an AI system requires a reassessment of its risk classification. Furthermore, a significant modification may result in your organization shifting, from a legal standpoint, from a \u201cdeployer\u201d to a \u201cprovider,\u201d with all the associated stricter obligations. Therefore, always document changes and explicitly assess each modification against the AI Act\u2019s risk criteria before putting it into production.                    <\/p>\n                <\/div>\n                        <\/div>\n        ","protected":false},"excerpt":{"rendered":"<p>Chatbots, virtual assistants, and sentiment analysis: Find out how your contact center\u2019s AI applications are affected by the EU AI Act.<\/p>\n","protected":false},"author":2,"featured_media":32286,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[500],"tags":[],"class_list":["post-32285","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-contact-center"],"_links":{"self":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/comments?post=32285"}],"version-history":[{"count":1,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32285\/revisions"}],"predecessor-version":[{"id":32287,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32285\/revisions\/32287"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media\/32286"}],"wp:attachment":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media?parent=32285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/categories?post=32285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/tags?post=32285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}