Quick answer

Customer service chatbots fall under the transparency rules in Article 50 of the EU AI Act: people must be informed they are talking to AI, unless that is obvious from the context. This duty applies from August 2, 2026. A chatbot only faces heavier rules if it is used for a high-risk purpose, such as deciding who qualifies for credit.

Updated June 2026 · MmowW AI Compliance

EU AI Act Rules for Customer Service Chatbots (FAQ)

Are Customer Service Chatbots Regulated by the EU AI Act?

Yes, but lightly. Under Regulation (EU) 2024/1689, a typical customer service chatbot is not high-risk AI. It sits in the limited-risk category, where the law asks for one main thing: honesty about the fact that the customer is talking to a machine. Article 50 requires that AI systems intended to interact directly with people be designed and developed so that those people are informed they are interacting with an AI system, unless that is obvious to a reasonably well-informed, observant, and circumspect person given the circumstances and context of use. For most businesses running a support widget on their website, compliance is measured in days of work, not months. The harder part is knowing where the boundaries of that light treatment lie, which is what the rest of this article maps out.

What Article 50 Actually Requires

The core duty falls on the provider, the organisation that develops the chatbot or offers it under its own name: the system must be built so users are told they are dealing with AI. The information must be given in a clear and distinguishable manner at the latest at the time of the first interaction. The exception for obviousness is real but narrower than wishful reading suggests. A robot-styled avatar with a name like AssistBot, greeting users with a message that says it is a virtual assistant, is plainly disclosed. A chat window that opens with a human name, a human photo, and typing indicators designed to feel human is the opposite of obvious, and that design choice is exactly what the rule targets. The simplest compliant pattern is also the cheapest: an opening line that states the assistant is AI-powered, plus a visible label on the chat window.

Provider or Deployer: Whose Job Is Disclosure?

Most companies do not build their chatbot; they configure one from a vendor. The vendor, as provider, must design the system so disclosure is possible and present. The business deploying the bot has a strong interest in checking that the disclosure actually appears in its own implementation, because configuration choices can strip it out. There is also a trap worth flagging: a company that rebrands a chatbot under its own name or substantially modifies it can be treated as the provider and inherit the provider's duties. The practical division of labour looks like this.

RoleTypical companyMain transparency task
ProviderThe chatbot vendorDesign the system so users are informed they are talking to AI
DeployerThe business running the bot on its siteConfigure and present the bot so the disclosure is not hidden or undone
RebranderA business offering the bot under its own nameMay count as provider and carry the full design duty

When a Chatbot Stops Being Low Risk

The risk category follows the use, not the interface. A chatbot that answers questions about opening hours is limited risk. The same conversational interface becomes part of a high-risk system the moment it is used to make or materially influence decisions in an Annex III area. The clearest examples for customer-facing bots: a bot that evaluates creditworthiness or decides whether a customer qualifies for a loan touches Annex III point 5, and a bot that screens job applicants touches Annex III point 4. In those cases the full high-risk regime applies to the system, including conformity assessment for the provider and Article 26 duties for the deployer. Separately, Article 5 bans certain practices outright regardless of category: a chatbot deliberately using manipulative or deceptive techniques that materially distort a person's behaviour and cause or are reasonably likely to cause significant harm, or one that exploits the vulnerabilities of children or other vulnerable groups, is prohibited. Ordinary persuasion and marketing tone do not cross that line; engineered deception that causes significant harm does.

Voice Bots and AI-Generated Speech

Phone-based voice assistants follow the same logic: callers must be informed they are speaking with an AI system, unless it is obvious in context. Synthetic speech adds a second layer. Article 50 requires providers of systems that generate synthetic audio, image, video, or text content to ensure outputs are marked in a machine-readable format and detectable as artificially generated, so the audio stream itself carries technical marking duties for the provider of the voice technology. For the business running the voice bot, the practical rule of thumb is an upfront spoken disclosure at the start of the call. It costs three seconds and removes the entire question of whether the AI nature was obvious.

A Practical Compliance Checklist

CheckWhat good looks like
Disclosure at first contactThe bot identifies itself as AI in its opening message or greeting
Persistent labellingThe chat window carries a visible AI label, not only a one-time line that scrolls away
No fake humanityNo human names, photos, or claims to be a person; staged typing effects are not used to imply a human agent
Human escalation honestyWhen the conversation is handed to a real agent, the handover is clear, and vice versa
Use-case reviewThe bot does not decide credit, employment, or other Annex III matters; if it does, the high-risk regime is triggered
Vendor confirmationThe vendor confirms in writing how its product meets Article 50

Edge Cases Businesses Commonly Misread

Four situations generate most of the confusion in practice. First, hybrid support, where AI drafts replies that a human agent reviews and sends. There the customer is corresponding with a human who uses AI as a writing tool, which is a different situation from an autonomous bot; the conversation partner is the agent, and the Article 50 interaction duty is aimed at systems that interact with people directly. Companies that want zero ambiguity simply disclose AI assistance anyway. Second, internal chatbots used only by employees. Article 50 protects natural persons interacting with the system, and employees are natural persons, so an internal helpdesk bot should identify itself as AI too; the cost of doing so is nil. Third, email and messaging channels. The duty is not limited to web chat widgets: an AI system answering customer emails autonomously is interacting with people and should be disclosed in the same way, for example through a signature line stating that the reply was generated by an AI assistant. Fourth, multilingual bots. Disclosure works only if customers can understand it, so the AI notice should appear in each language the bot itself supports, not only in English. None of these edge cases requires sophisticated analysis; they all resolve the same way, by disclosing early, plainly, and in the channel where the conversation actually happens.

Deadline and Penalties

The transparency obligations in Article 50 apply from August 2, 2026, the same date as the bulk of the Act. Breaching them is not a token offence: under Article 99, non-compliance with the Act's obligations, including transparency duties, can draw administrative fines of up to 15 million euros or 3 percent of total worldwide annual turnover, whichever is higher, with the lower of the two applying for SMEs. Operating a prohibited manipulative system rises to 35 million euros or 7 percent. For comparison, the fix for a standard support chatbot is one disclosure line and a label, which makes this one of the cheapest risk-to-remedy ratios anywhere in the regulation.

What to Do Before August 2026

Open your own website and start a conversation with your bot as a customer would. If a first-time visitor could reasonably believe a human is typing, add an explicit disclosure. List every conversational interface you run, including phone bots and in-app assistants, and check each one. Ask your vendor two questions in writing: how does the product meet Article 50, and does any feature evaluate customers in ways that could fall under Annex III. Then record the answers. That single afternoon of work puts a typical small business on the right side of the chatbot rules with room to spare.

There is also a quiet commercial upside. Surveys of consumer attitudes repeatedly show that people resent being tricked far more than they resent talking to a machine, and a bot that introduces itself honestly sets expectations it can actually meet. Customers forgive a disclosed assistant for not knowing an answer; they do not forgive a fake human. In other words, the behaviour Article 50 requires is the behaviour that protects your reviews and your repeat business anyway, which makes this one regulation where compliance and good service point in exactly the same direction.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.