If you read a headline this spring that said the EU had delayed the AI Act, and you filed customer-facing AI under “not urgent until 2027,” you have a problem opening in a few weeks rather than in eighteen months. The delay was real, but it applied to a part of the Act that probably doesn’t govern your contact centre. The part that does govern it — the rule that says you have to tell a customer when they’re talking to a machine — never moved. It applies from 2 August 2026, and most operations running a chatbot or a voice agent have not yet changed a single line of what that agent says when it picks up.
So it’s worth being precise about what actually lands on you, what slipped to 2027, and which of your AI systems is which. The honest version of this is shorter and less alarming than the compliance webinars suggest, and the few things that do matter are worth getting right.
The EU AI Act’s transparency rules (Article 50) apply from 2 August 2026 and were not delayed. From that date, any AI system that interacts with your customers must make clear they are dealing with AI, at the start of the interaction. The high-risk obligations that were postponed to December 2027 mostly don’t cover customer-service agents. They cover things like credit scoring and underwriting. The first job is knowing which of your AI systems is which.
What actually applies on 2 August, and what moved to 2027
The AI Act came into force in August 2024 and switches on in stages. Two of those stages are already live: the bans on a handful of prohibited uses, and the rules for general-purpose AI models. The next milestone is 2 August 2026, and it carries the obligations most contact centres will feel first.
Three things activate on that date, per the European Commission’s own implementation timeline: the transparency obligations under Article 50, the Commission’s power to penalise providers of general-purpose AI models, and national authorities’ power to investigate and sanction breaches. For a bank or an insurer running AI in customer service, the operative one is Article 50.
What moved is the high-risk regime. Under the Digital Omnibus on AI, a package of amendments the Council and Parliament provisionally agreed on 7 May 2026, the obligations for standalone high-risk systems are pushed from August 2026 to 2 December 2027, and for AI embedded in regulated products to August 2028. Worth holding onto: as of this writing that agreement is still provisional. It’s expected to be formally adopted and published over the summer, ahead of the August deadline, but until it appears in the Official Journal it isn’t law. The safe planning assumption for anything genuinely uncertain is therefore the original timetable. The transparency date isn’t uncertain, though. It didn’t move under any version of the proposal.
This is the distinction that decides how much of the Act touches you, so apply it to your own estate. A customer-service chatbot or voice agent is, in almost every case, a limited-risk system. Its obligation is transparency, and that obligation is live on 2 August. An AI system that scores creditworthiness, prices a policy, screens an insurance claim, or sits in a hiring decision is high-risk. Those obligations are heavier, and those are the ones that just bought you sixteen more months.
So the first task isn’t compliance in the abstract. It’s an inventory: list the AI systems touching your customers and sort each into limited-risk or high-risk, because the deadline, and the workload, are completely different for the two.
Job one: say so
Strip Article 50(1) of the legal language and it asks for one thing. If an AI system is talking to a person, the person has to know it’s an AI. That’s it. The reason it still trips people up is that the obvious-looking ways to satisfy it mostly don’t.
A line in your terms and conditions doesn’t count. A small “AI” badge that a caller can’t see because they’re on the phone doesn’t count. The Commission’s draft guidance on Article 50, published in May 2026, is clear that the disclosure has to be perceivable in the interaction itself, at the first moment of it. For a chat agent that means the opening message says so. For a voice agent it means an audible statement in the first few seconds, in the language of the call: something as plain as “This is an automated assistant from [firm], I can help you with [scope].” The obligation lands on the deployer, the firm running the agent. That’s you, not only the vendor who built it.
There’s an exemption, and it’s the part most people lean on and shouldn’t. Disclosure isn’t required where the AI nature is obvious from the circumstances. That sounds like a generous carve-out until you read how narrowly the Commission intends to apply it. A modern voice agent that handles natural turn-taking, hears an interruption and stops, and picks up on a change in tone is, almost by definition, not obviously a machine. If your vendor sells you on how human it sounds, you have just argued yourself out of the exemption. In practice, assume you have to disclose.
None of this is hard to do. It’s a change to an opening prompt, a consent log, and probably a clause in a vendor contract about who is responsible when a transferred call hands a customer from a human to an agent mid-conversation without re-disclosing. The cost of getting it wrong sits in the Act’s middle penalty tier, but the fine is not really the point and leading with it would miss the more useful one. The real point is what happens next. A customer who discovers, weeks later, that a machine quietly handled their bereavement claim or their fraud dispute doesn’t go to a regulator. They lose trust in you, and they tell people. The disclosure rule is asking you to do the thing that protects the relationship anyway.
The disclosure gets harder exactly where your calls are hardest
Here’s the part the generic compliance guidance skips, and it matters most for financial services and insurance specifically.
The Commission’s draft guidance notes that a single disclosure at the start of a conversation may not be enough in sensitive contexts, where a person is in distress, may be vulnerable, or might form an emotional attachment to the interaction. It also sets a lower bar for what counts as “obvious” when the likely audience includes elderly or vulnerable people. Read that against your actual call mix. The conversations where a customer is least likely to register, or remember, that they’re talking to a machine are precisely the ones an insurer or a bank handles when something has gone wrong: the claim after a death, the call from someone who can’t keep up with payments, the frightened first-time customer.
So the disclosure obligation is heaviest exactly where your hardest calls are. An agent handling a vulnerable customer may need to make its nature clear more than once, and clearly enough to land on someone who isn’t fully taking things in. Doing that well means designing how the agent behaves across the whole conversation, and it sits right next to the harder question of whether an AI agent should be taking that call at all, which is the same judgement we’ve written about in spotting and handling vulnerable customers well. The Act has effectively put a regulatory line under a thing good operations were already worried about.
Job two: you still own what it says
Transparency tells the customer what they’re dealing with. It does nothing about what the agent actually says, and that’s where the second job lives.
The agent’s words are yours the moment it speaks them. When an airline’s chatbot invented a bereavement refund policy that didn’t exist, a tribunal held the airline to what its agent had promised. The company didn’t get to disown the bot. That principle doesn’t wait for the AI Act; it’s already how consumer and contract law works, and in financial services the regulator’s expectation that you stand behind your customer outcomes points the same way. An AI agent doesn’t dilute your accountability. It concentrates it, because one wrong belief gets repeated identically across thousands of calls before anyone notices.
This is where the high-risk line comes back, because it changes what “owning it” requires. If your AI is only ever answering questions and routing calls, your legal duty is transparency plus the standing accountability you’d have for any agent. If your AI is making or materially shaping a decision about credit, eligibility, or pricing, you’re in high-risk territory, and the Act will eventually require formal human oversight, record-keeping, and the ability to show the system was monitored. That regime is deferred to December 2027, not cancelled. The sensible move is to know now which of your systems is heading into it, rather than discovering the classification in 2027. And whether or not a given agent is “good enough” to be in front of customers at all is a question you should be able to answer with evidence, which is the whole subject of how to know if your AI agents are actually any good.
Job three: be able to show it behaves
Look across all of it — the transparency duty, the accountability for output, the oversight and monitoring that high-risk use will demand — and the same requirement runs underneath. You have to be able to show what your AI did. Not assert that it behaved. Demonstrate it, on the specific interaction, after the fact, to someone entitled to ask.
That’s a higher bar than most AI monitoring clears today, because the thing regulators and your own board will want is the conversation itself, not a dashboard average. What did the agent actually say to this customer? Did it disclose its nature, give correct information, handle the vulnerable caller appropriately? With the moment attached, not a summary. A record you write once a year doesn’t produce that. Only continuous evidence does, captured as the conversations happen.
This is the part of the Act that lines up with what Future Ready was built to do, so it’s worth being straight about it. Scoring every conversation against your own quality criteria, with every score tied to the exact moment in the transcript that earned it, produces an audit trail as a by-product of doing quality properly. The same evidence that tells you the agent is improving is the evidence you’d put in front of a regulator. We’d add the obvious caveat we add everywhere, because we both build agents and grade them: any claim that an agent “behaves well” is worth nothing on our say-so. It’s worth something only when the standard is yours: scored on your rubric, every score traceable to the transcript, every score open to dispute, and any improvement measured causally rather than asserted. The customer owns the standard, or the evidence is just marketing. For an operation worried about where its conversation data sits, that scoring can run inside the EU, which is a supporting detail rather than the headline. The headline is that the proof exists at all.
To be careful about the language: none of this makes a firm “compliant” with the AI Act, and any vendor who tells you their product does is overselling. Compliance is a judgement about your whole operation that only you and your regulator can reach. What evidence-linked scoring does is generate the proof that supports it: the showing, not the certifying.
What to actually do before August
The list is shorter than the anxiety around it suggests.
Inventory your customer-facing AI and sort each system into limited-risk or high-risk, because that single split tells you what applies on 2 August and what you have until 2027 to build. Fix the disclosure on every chat and voice agent so it’s clear, perceivable in the interaction, and repeated where the call is sensitive. And stop relying on the “obvious” exemption if your agents sound human. Check the vendor contract for who carries the disclosure duty when calls transfer or hand off. And stand up the evidence trail now, so that when someone asks what your AI said to a particular customer, the answer is a specific conversation rather than a shrug.
The firms that will find August straightforward aren’t the ones that bought a compliance product. They’re the ones that could already show, conversation by conversation, what their agents were doing, to themselves first, and to a regulator if asked. The Act is mostly asking you to make that visible to other people. If you can’t yet make it visible to yourself, that’s the gap to close, and it’s a more useful thing to own than a certificate.
Deploying AI agents in front of regulated customers? We’ll run our scoring on a week of your real conversations — human and AI — and show you the evidence trail you’d be able to put in front of your board, or your regulator, on any call they ask about.