Skip to main content
Back to Blog
Guides

The EU AI Act & AI Phone Assistants: 2026 Compliance Guide

From August 2026 the EU AI Act applies in full — and AI phone assistants are one of the first applications regulators will scrutinise. Which risk class applies, what you must do now, and the 12 points to put to your vendor.

bhomy
bhomy Team
May 4, 2026
13 min read
TL;DR — In 30 Seconds

AI phone assistants typically fall into the EU AI Act's "limited risk" class (Art. 50) — the main duty: callers must clearly learn, before the conversation begins, that they are speaking with an AI. On top of that come requirements from the GDPR, AI Act transparency, logging duties and, in some cases, high-risk extensions (recruitment, creditworthiness, public authorities). Fines up to €35M. Our 12-point checklist covers all the relevant requirements — vendor-neutral.

A note on transparency

This guide is based on Regulation (EU) 2024/1689 (the AI Act), the GDPR, EDPB guidance and public publications of the European Commission and national supervisory authorities (as of May 2026). It does not replace case-by-case legal advice — for high-risk applications we recommend coordinating with your DPO and legal counsel.

02 Aug 2026
full applicability of the AI Act for GPAI & general duties
up to €35M
maximum fine for prohibited practices (Art. 99)
Art. 50
the relevant provision for AI phone: transparency duty
12 points
minimum compliance check per vendor
01

What the EU AI Act is — and what it isn't

Regulation (EU) 2024/1689 — the EU AI Act for short — is the world's first comprehensive AI law. It doesn't regulate AI as such, but AI systems by their application and risk potential. Four classes: prohibited (Art. 5), high risk (Annex III), limited risk (Art. 50), minimal risk (standard AI applications).

The Act complements — and does not replace — existing law: the GDPR, national civil and product-liability law, and ePrivacy. If you're set up GDPR-compliant, you've already covered 60–70% of the AI Act obligations. The remaining 30% are the genuinely new requirements this guide is about.

02

Which risk class does an AI phone assistant fall into?

The short answer: typically **limited risk** (Art. 50(1)). The longer answer depends on the specific use case. Three scenarios, three classes:

01**Standard reception (limited risk, Art. 50)** — booking appointments, standard information, escalation. Main duty: a transparency notice before the conversation begins ("You're speaking with an AI…").
02**Outbound marketing/cold calling (limited risk + ePrivacy)** — additionally: consent under ePrivacy/national marketing rules, clear identification of the advertiser, an opt-out in every call.
03**Credit scoring, lending, applicant screening (high risk, Annex III)** — full conformity assessment, technical documentation, logging, human oversight. Do **not** deploy without a prior legal review.
Prohibited applications (Art. 5)

Manipulative AI voice output designed to deceive people (e.g. a deepfake voice of a family member), social-scoring systems or covert emotional manipulation in the workplace are absolutely prohibited. Fines up to €35M or 7% of global annual turnover, whichever is higher.

03

The core duty: transparency under Art. 50

For AI phone assistants, Art. 50(1) is the key provision. Verbatim: "Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system."

In practice this means: the caller must know, before the first real exchange, that they're speaking with an AI. "Hello, I'm the digital assistant of Dr. Miller's office. How can I help?" is enough — "Hello, this is Anna from Dr. Miller's office…" is not. A voice that implies it's a real person is non-compliant and may also count as deception.

A compliant opening line — template

"Good day, this is the digital assistant of Dr. Miller's office. I'm happy to help with appointments, opening hours and standard information. In a medical emergency, please call the emergency number 112 immediately. How can I help you?" — contains the AI notice, identification, an escalation note and an open question.

04

The 12-point compliance checklist for AI phone vendors

You should get these points confirmed in writing by the vendor before signing — they are the minimum for an audit-proof compliance file:

01**Transparency notice** — where, how and in which languages is it played? Adjustable or fixed?
02**The vendor's risk classification** — a written assessment of whether the system is "limited risk" or "high risk".
03**Logging & retention** — are call recordings/transcripts stored? For how long? Where? Who has access?
04**EU hosting** — server location documented (with a concrete data centre, not "EU region")? A DPA under Art. 28 GDPR.
05**Sub-processors** — a full list with third-country transfers, standard contractual clauses, and a TIA (transfer impact assessment) where needed.
06**Model card / technical docs** — which language model does the AI use? Which provider? Training-data status? Updates and versioning?
07**Data separation** — is call data used to improve the model? Can that be excluded contractually (a "no-train" clause)?
08**Bias & speech-quality testing** — was the system evaluated for accents, older people and hearing impairments? Are reports available?
09**Human oversight (Art. 14)** — who monitors the system? Which escalation paths? A stop mechanism for misbehaviour?
10**Incident reporting (Art. 73)** — who reports serious incidents, and within what deadline?
11**Right to explanation (Art. 86)** — how can an affected person understand what happened (transcript, logging, explanation)?
12**EU database entry (Art. 49/71)** — if high risk: proof of registration. If not: a written statement.
Template for a vendor request

Send these 12 points as a numbered list to your vendor with a request to confirm each one — in writing, not on a call. A vendor who can't clearly answer point 4, 6 or 7 isn't enterprise-ready in 2026. Vendors who answer all 12 points solidly signal compliance maturity.

05

Interplay with the GDPR — what else to check

The AI Act repeatedly says "without prejudice to the GDPR". So being AI-Act-compliant doesn't automatically make you GDPR-compliant — and vice versa. Four additional points the GDPR requires:

01**Legal basis (Art. 6 GDPR)** — performance of a contract (Art. 6(1)(b)) for client/customer calls; legitimate interest (Art. 6(1)(f)) for standard information; consent (Art. 6(1)(a)) for marketing.
02**Data-processing agreement (DPA, Art. 28)** — in writing or electronically, with a sub-processor list and an audit right.
03**Data protection impact assessment (DPIA, Art. 35)** — required for systematic monitoring of calls or high-risk applications.
04**Information duties (Art. 13/14)** — alongside the AI Act transparency notice, a data-protection notice on the processing during the call must be given (a reference to the privacy policy at the IVR entry is sufficient).
06

Fines, liability, reputation

The AI Act provides for a tiered fine regime (Art. 99). Three classes, each the higher value: up to €35M / 7% of global annual turnover (prohibited practices), up to €15M / 3% (breaches of obligations), up to €7.5M / 1.5% (misleading information to authorities). For SMBs these fines are painful — the reputational damage is often costlier.

Who is liable — provider or deployer?

Both. The **provider** (Art. 16) must ensure technical conformity. The **deployer** (Art. 26) must use the system as intended, follow instructions, inform employees and report serious incidents. In practice: whoever deploys an AI phone assistant shares responsibility — not just "the manufacturer".

07

Roadmap to 2 August 2026 — what to do now

01**Q2 2026:** create an AI inventory (which AI applications are used in the company?). Classify each system (prohibited/high/limited/minimal).
02**Q2 2026:** confront vendors with the 12-point list, collect written answers, document gaps.
03**Q3 2026:** check transparency notices in live operation — are they actually at the start of every call? In every language?
04**Q3 2026:** extend process documentation: AI inventory, DPIA updates, escalation and incident-reporting routes to the DPO.
05**Before 02 Aug 2026:** train employees (the Art. 4 duty on "AI literacy") — mandatory even without a high-risk application.
06**From 02 Aug 2026:** ongoing monitoring: a monthly sample of 5–10 recordings, an incident log, an annual review.
What you can do today

1) Meet the AI-literacy duty (Art. 4) — use free training from national data-protection authorities and EU bodies. 2) Confront your existing AI phone vendor with the 12-point list. 3) Spot-check call recordings: is the transparency notice actually given?

In stages. Most obligations — including the transparency duty (Art. 50), GPAI duties and the fine regime — become fully applicable from 2 August 2026. High-risk duties (Annex III) phase in through August 2027.

Request the compliance pack

We'll send you our AI Act & GDPR compliance documentation (12-point answers, a DPA template, transparency-notice sample texts) — free and with no commitment.

Request the pack

Discover bhomy

Experience the difference with your own AI phone assistant.