EU AI Act — Limited-Risk Classification
The EU AI Act classification for customer-service chatbots (Regulation EU 2024/1689). Limited-risk AI systems must inform users they are interacting with AI at first contact. Mandatory from August 2, 2026.
The EU AI Act (Regulation EU 2024/1689), fully applicable from August 2, 2026, classifies customer-service AI chatbots as limited-risk AI systems. This classification carries specific transparency obligations — not blanket bans or pre-approval requirements, but enforceable rules about user disclosure.
The core rule for chatbot operators
You must inform users they are interacting with an AI system at the first point of contact.
This means your chatbot cannot open with “Hi, I’m Sarah, how can I help you?” without disclosing it’s AI-backed. The disclosure must be:
- Clear — not buried in a privacy policy link
- Upfront — at the start of the conversation, not only when the user asks
- Understandable — in the language the user is communicating in
Standard-compliant implementation: “Hi, I’m an AI assistant for [Brand]. What can I help you with today?”
What this means for platform selection
In our reviews, we check whether each platform makes AI disclosure trivially configurable or hides it behind enterprise tiers:
| Platform | AI disclosure configurable on base plan? | Notes |
|---|---|---|
| Intercom Fin | Yes | System prompt configurable on all plans |
| Tidio Lyro | Yes | First-message template configurable |
| Freshchat Freddy | Yes | Widget greeting configurable |
| Zendesk AI | Yes | Answer Bot intro message configurable |
| Drift | Enterprise tier | Personalisation features gated |
All five platforms we reviewed support EU AI Act compliance at configuration level. The risk is operator error — not configuring the disclosure correctly.
What the EU AI Act does NOT require for limited-risk chatbots
- Pre-market conformity assessment (that’s for high-risk AI only)
- Registration in an EU database (high-risk only)
- Explainability of the underlying AI model
- Consent before engaging (disclosure is required, not consent)
- EU-based data storage (though GDPR separately may require it for PII)
The limited-risk classification is deliberately light-touch. The EU’s intent is transparency, not prohibition, for customer-service chatbots.
Enforcement
The EU AI Act is enforced by national market surveillance authorities (e.g., ICO in the UK, CNIL in France, BfDI in Germany). Penalties for limited-risk non-compliance are lower than for high-risk or unacceptable-risk violations — but “lower” in EU AI Act context means still up to 1.5% of global annual turnover.
For SMBs: the practical risk before August 2, 2026 is low — authorities will prioritise high-risk systems. After August 2, 2026, ensuring your chatbot greets with an AI disclosure is the minimum viable compliance action.
Related regulation
The EU AI Act limited-risk classification sits alongside (not instead of) GDPR obligations for chatbots processing personal data. If your chatbot collects names, email addresses, or order details, GDPR applies independently of the EU AI Act. The two regulations overlap but cover different things: EU AI Act governs AI transparency; GDPR governs personal data.