EU AI Act Compliance Playbook

by alboz | May 27, 2026

Regulation (EU) 2024/1689 | Prepared May 2026

Audience: CX Leaders, Operations Directors, Contact Centre Managers, Enterprise AI Buyers

Disclaimer: This playbook is provided for informational purposes only and does not constitute legal advice. Organisations should seek qualified legal counsel for their specific compliance obligations.

Executive Summary

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive legal framework governing artificial intelligence. It entered into force on 1 August 2024 and applies progressively through to 2 August 2027. For customer experience (CX) operations, contact centres, and the platforms that serve them — including AI chatbots, virtual agents, quality assurance tools, workforce management systems, and analytics platforms — compliance is no longer a future concern.

This playbook provides a structured readiness checklist and conformity pathway mapped to the Act’s phased timeline. It is designed specifically for CX operators who deploy AI systems built by third-party vendors, placing them in the role of deployer under the Act — a role that carries its own distinct legal obligations independent of the software provider.

Three dates define the compliance landscape for CX teams:

  • 2 February 2025 — Prohibited practices (Article 5) already in force
  • 2 August 2026 — Transparency rules (Article 50) and most high-risk obligations apply
  • 2 August 2027 — High-risk AI embedded in regulated products fully applies

Part 1: Understanding Your Role

Provider vs. Deployer — Why It Matters

The Act distinguishes between two primary roles, and most CX teams occupy the deployer position.

Role | Definition | Typical CX Example
Provider | Places an AI system on the market or puts it into service under their own name | Zendesk, Intercom, Genesys, NICE building AI features
Deployer | Uses an AI system in a professional context under their own authority | A business deploying Zendesk AI in their contact centre
Importer | Brings an AI system from outside the EU into the EU market | Resellers of non-EU AI tools
Distributor | Makes an AI system available in the market without substantially modifying it | Marketplace resellers

As a deployer, you are not simply a passive user. The Act assigns you specific obligations including human oversight, staff notification, log retention, and — critically — transparency disclosures to customers. Penalties under Article 99 can apply to deployers directly.

The Deployer’s Core Obligations (Article 26)

For any high-risk AI system you deploy, Article 26 requires:

  1. Use the AI system in accordance with the provider’s instructions for use
  2. Assign human oversight to a qualified individual
  3. Ensure that input data is relevant and representative for the intended purpose
  4. Monitor operation and report serious incidents to the provider and national authority
  5. Retain automatically generated logs for a minimum period (where technically possible)
  6. Inform and consult workers’ representatives before deploying AI that affects employees
  7. Conduct a Data Protection Impact Assessment (DPIA) where required by GDPR

Part 2: The Compliance Timeline

Phase 1 — Already in Force: 2 February 2025

Article 5: Prohibited AI Practices

These are not future obligations. They applied from 2 February 2025 and enforcement is active.

The following AI practices are completely prohibited in a CX or workforce context:

Prohibited Practice | CX Relevance | Article
AI systems that infer emotions of employees in workplace settings | Agent tone scoring, empathy scoring, stress detection in QA tools | Art. 5(1)(f)
Subliminal manipulation techniques that distort behaviour | Manipulative chatbot persuasion flows | Art. 5(1)(a)
Exploitation of vulnerabilities of persons | Targeting distressed customers with automated high-pressure tactics | Art. 5(1)(b)
Social scoring by public authorities | Not directly CX-relevant | Art. 5(1)(c)
Real-time remote biometric identification in public spaces | Not typically CX-relevant | Art. 5(1)(h)

What this means for your QA platform: If your quality assurance software automatically scores agent “empathy,” “friendliness,” or “emotional tone” using AI inference — not keyword rules, but actual emotional state inference — it may be operating in violation of Article 5(1)(f). Audit this immediately.

Important nuance: Not all tone analysis is prohibited. Keyword-based flagging and rule-based sentiment scoring are different from AI systems that infer emotional states. The distinction depends on the technical mechanism of the system.

Phase 2 — Already in Force: 2 August 2025

General-Purpose AI (GPAI) Model Obligations

If your organisation deploys AI systems built on top of large language models (e.g., GPT-4, Claude, Gemini), the providers of those underlying models have had obligations since 2 August 2025. As a deployer, your obligations here are indirect — but you should verify that your vendors are compliant:

  • Providers must maintain technical documentation of their GPAI models
  • Providers must publish a summary of model training content
  • Providers of high-capability models (trained on >10²³ FLOP) must comply with the GPAI Code of Practice

Deployer action: Request written confirmation from your AI vendors that their underlying models comply with GPAI obligations under Article 53 and, where applicable, Article 55.

Phase 3 — Critical Deadline: 2 August 2026

This is the primary compliance deadline for CX operations. The following obligations come into force:

3a. Transparency Obligations (Article 50)

Article 50(1) — AI Chatbot & Virtual Agent Disclosure

If you deploy an AI virtual agent, chatbot, or automated response system that interacts directly with customers, you must inform those customers that they are interacting with an AI system.

  • The disclosure must be made before or at the start of the conversation
  • The disclosure must be clear and distinguishable — not buried in a privacy policy
  • The obligation does not apply where the AI nature is obvious from the context
  • The deployer (your organisation) is responsible for implementing this disclosure

In practice for Zendesk, Intercom, Freshdesk, and similar platforms: Add a clear banner or opening message to your chat widget at the start of every AI-handled conversation. For example: “You’re now chatting with our AI assistant. A human agent is available if you prefer.”

Article 50(3) — Emotion Recognition & Biometric Categorisation Disclosure

Where a system performs emotion recognition or biometric categorisation on customers, an additional, separate disclosure is required. This is distinct from the Article 50(1) AI chatbot disclosure and must specifically inform customers that such analysis is occurring.

Article 50(5) — The Standard

Both disclosures must be “clear and distinguishable.” Disclosure buried in terms of service or a privacy policy does not meet this standard.

3b. High-Risk AI System Obligations (Annex III)

For AI systems classified as high-risk under Annex III — specifically those involving biometric identification or emotion recognition based on biometric data — deployers must comply with the full suite of obligations from 2 August 2026.

Important: Not all CX AI tools are high-risk. The high-risk classification under Annex III applies to specific categories. Generic sentiment analysis, churn prediction, and frustration scoring are not automatically high-risk — the classification depends on whether the system uses biometric data and the specific use case.

For any system you believe may be high-risk, the conformity pathway requires:

  • Risk management system — documented identification, analysis, and mitigation of risks across the AI lifecycle
  • Data governance — quality, representativeness, and bias mitigation of training and operational data
  • Technical documentation — complete documentation sufficient for assessing compliance per Annex IV
  • Automatic event logging — the system must log events throughout its lifecycle
  • Human oversight — design features enabling appropriate human understanding and intervention
  • Accuracy, robustness, and cybersecurity — verified throughout the lifecycle

Phase 4 — Final Deadline: 2 August 2027

High-Risk AI Embedded in Regulated Products

AI systems embedded in regulated products covered by EU harmonisation legislation (e.g., medical devices, machinery) face their full compliance deadline on 2 August 2027. For most CX operations, this phase is less directly relevant unless you operate in a regulated sector such as healthcare or financial services.

Annex III biometrics and employment systems — certain categories of high-risk AI systems in Annex III, including biometric identification and employment-related systems, have their compliance deadline extended to 2 December 2027 under the Commission’s simplification package.

Part 3: Risk Classification for CX Tools

Use this table to classify your AI tools before 2 August 2026.

CX Tool Category | Likely Classification | Primary Obligation | Deadline
AI chatbot / virtual agent | Minimal risk (with transparency obligation) | Art. 50(1) disclosure | 2 Aug 2026
Agent-assist / co-pilot (no emotion inference) | Minimal risk | Vendor GPAI compliance | 2 Aug 2026
Sentiment analysis (keyword/rule-based) | Minimal risk | None specific |
Customer emotion recognition (biometric-based) | Likely high-risk (Annex III) | Full HRAIS obligations + Art. 50(3) disclosure | 2 Aug 2026
Agent emotion/tone inference in workplace | Prohibited | Deactivate immediately | In force since 2 Feb 2025
Workforce scheduling AI | Assess against Annex III point 4 | Employment-related HR assessment | 2 Dec 2027
Automated customer credit/risk scoring | Likely high-risk (financial context) | Full HRAIS obligations | 2 Aug 2026
IVR / call routing (no emotion inference) | Minimal risk | None specific |
Deepfake/synthetic voice generation | Transparency obligation | Art. 50(4) disclosure | 2 Aug 2026

Part 4: Conformity Pathways

Pathway A — Minimal Risk Tools

Applies to: AI chatbots, virtual agents, agent-assist tools, sentiment analysis (non-biometric)

Steps required:

  1. Implement Article 50(1) disclosure in all customer-facing AI interactions
  2. Verify vendor GPAI compliance documentation (if tool is built on a large language model)
  3. Document your classification assessment under Article 6(4)
  4. Maintain records of the disclosure implementation for audit purposes

Estimated effort: Low — primarily a configuration and documentation task.

Pathway B — High-Risk AI Tools (Annex III, Points 2–8)

Applies to: Customer emotion recognition systems (biometric-based), employment-related AI

Conformity Assessment Procedure: Internal Control (Annex VI) — no third-party notified body required for most Annex III categories (points 2–8).

Steps required:

  1. Confirm high-risk classification with your legal counsel and AI vendor
  2. Establish a risk management system covering the full AI lifecycle
  3. Implement data governance procedures for all data inputs
  4. Obtain or create technical documentation meeting Annex IV requirements
  5. Verify the system generates automatic event logs
  6. Establish human oversight procedures and designate a responsible person
  7. Implement Article 50(3) disclosure to customers
  8. Register the system in the EU database for high-risk AI systems (Article 49)
  9. Conduct DPIA under GDPR where personal data is processed

Estimated effort: High — requires cross-functional involvement of legal, IT, HR, and operations teams.

Pathway C — Prohibited Tools

Applies to: Any system inferring employee emotions in workplace settings

Steps required:

  1. Immediately audit all QA, workforce management, and analytics tools
  2. Deactivate any system performing emotion inference on employees
  3. Engage vendor to confirm whether emotion inference is part of their scoring model
  4. Document the deactivation and retain for regulatory audit
  5. Review vendor contracts for compliance warranties and liability provisions

Estimated effort: Urgent — this obligation is already in force. Delay creates direct legal exposure.

Part 5: Vendor Management Checklist

As a deployer, you cannot outsource your compliance obligations to your vendor. However, you can contractually require vendors to support your compliance. Use this checklist when evaluating or renegotiating vendor agreements.

Documentation to Request from Every AI Vendor

  • Classification statement — written confirmation of how the vendor classifies their system under the Act (prohibited, high-risk, limited risk, minimal risk)
  • Technical documentation — full documentation per Annex IV for any high-risk system
  • Conformity declaration — EU Declaration of Conformity for high-risk systems
  • GPAI compliance confirmation — for tools built on large language models, confirmation of compliance with Article 53 obligations
  • Log access — confirmation that event logs are generated and accessible to you as deployer
  • Human override capability — confirmation that the system supports human intervention and override
  • Incident reporting procedure — the vendor’s process for notifying you of serious incidents
  • Emotion inference disclosure — written confirmation of whether the system infers emotional states of employees or customers, and on what technical basis

Contractual Provisions to Include

  • Obligation on vendor to notify you of any changes to AI functionality that may affect risk classification
  • Warranty that the system does not perform prohibited practices under Article 5
  • Indemnification provisions for vendor-side compliance failures
  • Right to audit or request updated compliance documentation annually
  • Clear allocation of provider vs. deployer responsibilities for high-risk obligations

Part 6: The Master Readiness Checklist

Phase 1 — Immediate Actions (Complete by 1 August 2026)

Governance

  • ☐ Designate a named individual responsible for EU AI Act compliance within your organisation
  • ☐ Brief senior leadership on the Act’s scope and enforcement timeline
  • ☐ Identify all AI systems currently deployed across CX and contact centre operations

AI Stack Audit

  • ☐ Map every customer-facing AI system (chatbots, virtual agents, IVR, analytics)
  • ☐ Map every employee-facing AI system (QA tools, coaching platforms, scheduling)
  • ☐ Classify each system using the risk tier table in Part 3 of this playbook
  • ☐ Flag any system that may perform emotion inference on employees for immediate review

Prohibited Practice Review

  • ☐ Confirm whether QA tools use AI to infer agent emotional states (not just keyword scoring)
  • ☐ Deactivate any system confirmed to perform employee emotion inference
  • ☐ Document the deactivation and notify affected vendor(s)

Vendor Documentation

  • ☐ Send compliance documentation requests to all AI vendors using the checklist in Part 5
  • ☐ Review vendor contracts for compliance clauses and liability allocation
  • ☐ Escalate gaps in vendor documentation to legal counsel

Phase 2 — Pre-Enforcement Actions (Complete by 2 August 2026)

Transparency Implementation

  • ☐ Implement Article 50(1) disclosure in all AI chatbot/virtual agent chat widgets
  • ☐ Test disclosure visibility across all customer touchpoints (web, mobile, app)
  • ☐ Implement Article 50(3) disclosure where emotion recognition or biometric systems are in use
  • ☐ Document disclosure implementation with screenshots and configuration records

High-Risk System Compliance (where applicable)

  • ☐ Establish risk management system documentation for any confirmed high-risk tools
  • ☐ Verify event logging is active and accessible
  • ☐ Designate human oversight responsible person for each high-risk system
  • ☐ Register high-risk systems in the EU AI database (Article 49) if required
  • ☐ Complete DPIA for any high-risk system processing personal data

Worker Notification

  • ☐ Notify workers’ representatives before deploying high-risk AI systems that affect employees
  • ☐ Document the notification and consultation process

Phase 3 — Ongoing Compliance (Post 2 August 2026)

  • ☐ Establish a quarterly AI compliance review cycle
  • ☐ Monitor for substantial modifications to deployed AI systems (triggering re-assessment)
  • ☐ Retain event logs for the minimum required period
  • ☐ Monitor European Commission guidance updates (Article 50 guidelines consultation closes 3 June 2026)
  • ☐ Review Annex III biometrics/employment system compliance ahead of 2 December 2027 deadline

Part 7: Key Dates Reference Card

Date | What Applies | Who Is Affected
1 August 2024 | Act enters into force | All
2 February 2025 | Article 5 prohibited practices enforceable | All deployers and providers
2 August 2025 | GPAI model obligations apply | GPAI model providers
2 August 2026 | Article 50 transparency, Annex III high-risk rules, enforcement begins | All CX deployers
3 June 2026 | EC consultation on Article 50 draft guidelines closes | Stakeholders wishing to comment
2 August 2027 | High-risk AI in regulated products fully applies | Regulated sector operators
2 December 2027 | Annex III biometric, employment, and migration AI rules fully apply | Biometric/HR AI deployers

Part 8: Penalty Reference

Violation Type | Maximum Fine | Article
Prohibited practice (Art. 5 breach) | €35,000,000 or 7% of global annual turnover, whichever is higher | Art. 99(3)
High-risk system non-compliance | €15,000,000 or 3% of global annual turnover, whichever is higher | Art. 99(4)
Transparency obligation breach (Art. 50) | €15,000,000 or 3% of global annual turnover, whichever is higher | Art. 99(4)
Incorrect or misleading information to authorities | €7,500,000 or 1% of global annual turnover, whichever is higher | Art. 99(5)

Note: Fines are applied by national supervisory authorities and take proportionality factors — including company size — into account. SMEs and startups may face reduced penalties.

Glossary

Deployer — A natural or legal person, public authority, agency or other body that uses an AI system under its own authority in the course of its professional activities (Art. 3(4)).

Provider — A natural or legal person that develops or has an AI system developed and places it on the market or puts it into service under its own name or trademark (Art. 3(3)).

High-Risk AI System (HRAIS) — An AI system classified under Annex I or Annex III of the Act as posing significant risk to health, safety, or fundamental rights.

GPAI Model — A general-purpose AI model trained on large amounts of data, capable of serving multiple tasks, such as large language models (Art. 3(63)).

Conformity Assessment — The formal process of demonstrating that a high-risk AI system complies with the mandatory requirements in Chapter III, Section 2 of the Act (Art. 3(20)).

Emotion Recognition System — An AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data (Art. 3(39)).

This playbook reflects the EU AI Act as in force on 27 May 2026, including the European Commission’s draft guidelines on Article 50 transparency obligations (published 7 May 2026, consultation open until 3 June 2026) and the Commission’s guidelines on high-risk AI classification (published 21 May 2026). It does not constitute legal advice.
