AI phone assistants typically fall into the EU AI Act's "limited risk" class (Art. 50) — the main duty: callers must clearly learn, before the conversation begins, that they are speaking with an AI. On top of that come requirements from the GDPR, AI Act transparency, logging duties and, in some cases, high-risk extensions (recruitment, creditworthiness, public authorities). Fines up to €35M. Our 12-point checklist covers all the relevant requirements — vendor-neutral.
This guide is based on Regulation (EU) 2024/1689 (the AI Act), the GDPR, EDPB guidance and public publications of the European Commission and national supervisory authorities (as of May 2026). It does not replace case-by-case legal advice — for high-risk applications we recommend coordinating with your DPO and legal counsel.
What the EU AI Act is — and what it isn't
Regulation (EU) 2024/1689 — the EU AI Act for short — is the world's first comprehensive AI law. It doesn't regulate AI as such, but AI systems by their application and risk potential. Four classes: prohibited (Art. 5), high risk (Annex III), limited risk (Art. 50), minimal risk (standard AI applications).
The Act complements — and does not replace — existing law: the GDPR, national civil and product-liability law, and ePrivacy. If you're set up GDPR-compliant, you've already covered 60–70% of the AI Act obligations. The remaining 30% are the genuinely new requirements this guide is about.
Which risk class does an AI phone assistant fall into?
The short answer: typically **limited risk** (Art. 50(1)). The longer answer depends on the specific use case. Three scenarios, three classes:
Manipulative AI voice output designed to deceive people (e.g. a deepfake voice of a family member), social-scoring systems or covert emotional manipulation in the workplace are absolutely prohibited. Fines up to €35M or 7% of global annual turnover, whichever is higher.
The core duty: transparency under Art. 50
For AI phone assistants, Art. 50(1) is the key provision. Verbatim: "Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system."
In practice this means: the caller must know, before the first real exchange, that they're speaking with an AI. "Hello, I'm the digital assistant of Dr. Miller's office. How can I help?" is enough — "Hello, this is Anna from Dr. Miller's office…" is not. A voice that implies it's a real person is non-compliant and may also count as deception.
"Good day, this is the digital assistant of Dr. Miller's office. I'm happy to help with appointments, opening hours and standard information. In a medical emergency, please call the emergency number 112 immediately. How can I help you?" — contains the AI notice, identification, an escalation note and an open question.
The 12-point compliance checklist for AI phone vendors
You should get these points confirmed in writing by the vendor before signing — they are the minimum for an audit-proof compliance file:
Send these 12 points as a numbered list to your vendor with a request to confirm each one — in writing, not on a call. A vendor who can't clearly answer point 4, 6 or 7 isn't enterprise-ready in 2026. Vendors who answer all 12 points solidly signal compliance maturity.
Interplay with the GDPR — what else to check
The AI Act repeatedly says "without prejudice to the GDPR". So being AI-Act-compliant doesn't automatically make you GDPR-compliant — and vice versa. Four additional points the GDPR requires:
Fines, liability, reputation
The AI Act provides for a tiered fine regime (Art. 99). Three classes, each the higher value: up to €35M / 7% of global annual turnover (prohibited practices), up to €15M / 3% (breaches of obligations), up to €7.5M / 1.5% (misleading information to authorities). For SMBs these fines are painful — the reputational damage is often costlier.
Both. The **provider** (Art. 16) must ensure technical conformity. The **deployer** (Art. 26) must use the system as intended, follow instructions, inform employees and report serious incidents. In practice: whoever deploys an AI phone assistant shares responsibility — not just "the manufacturer".
Roadmap to 2 August 2026 — what to do now
1) Meet the AI-literacy duty (Art. 4) — use free training from national data-protection authorities and EU bodies. 2) Confront your existing AI phone vendor with the 12-point list. 3) Spot-check call recordings: is the transparency notice actually given?
Request the compliance pack
We'll send you our AI Act & GDPR compliance documentation (12-point answers, a DPA template, transparency-notice sample texts) — free and with no commitment.
Request the pack