EU AI Act
The EU AI Act (Regulation (EU) 2024/1689) is the EU's horizontal, risk-based law governing the placing on the market and use of AI systems. It entered into force in Aug 2024 and applies in phases, reaching most of its substantive obligations across 2025–2027. For ecommerce it bites on the AI that retailers already run every day — Recommendation Engines, Personalisation, Dynamic Pricing, chatbots, AI-generated marketing content, and creditworthiness scoring behind BNPL — by sorting each use into a risk tier with matching obligations (artificialintelligenceact.eu; European Commission, as-of 2026-06-28).
Firewall: every claim here is what a source reports. See ../../CONTEXT.md Rule 1.
Phased application timeline (as-of 2026-06-28)
Sources report the following schedule (artificialintelligenceact.eu implementation timeline):
| Date | What applies |
|---|---|
| Aug 2024 | Entry into force |
| 2 Feb 2025 | Prohibited practices (Article 5) + AI-literacy duties |
| 2 Aug 2025 | GPAI (general-purpose AI model) provider obligations |
| 2 Aug 2026 | Most remaining obligations — Annex III high-risk + Article 50 transparency |
| 2 Aug 2027 | High-risk AI embedded in regulated products (Annex I) |
The high-risk deadline is contested. The artificialintelligenceact.eu timeline frames 2 Aug 2026 as the high-risk application date. A "Digital Omnibus" provisional agreement (reported 7 May 2026) would defer high-risk obligations — stand-alone Annex III systems to 2 Dec 2027 and Annex I embedded systems to 2 Aug 2028 — while leaving Article 50 transparency largely on the 2 Aug 2026 schedule (Gibson Dunn, 2026). DLA Piper stresses the deferral is a proposal not yet enacted, advising enterprises to treat the original deadlines as operative until adoption (DLA Piper, 2026). Status unsettled as-of 2026-06-28.
The four risk tiers
The Act sorts AI into unacceptable (prohibited), high, limited, and minimal risk, each with different obligations (artificialintelligenceact.eu high-level summary). Where common ecommerce AI uses land, per the sources harvested:
| Ecommerce AI use | Tier reported | Source note |
|---|---|---|
| Product Recommendation Engine | Minimal risk | Vendor (scandiweb) — fact-specific, not a blanket exemption |
| FAQ / customer-service chatbot | Limited risk — Article 50 disclosure | Vendor (scandiweb) |
| Dynamic Pricing | Mostly minimal risk; not prohibited | Vendor (scandiweb) — COI |
| Creditworthiness / credit scoring behind BNPL | High risk (Annex III 5(b), except fraud detection) | artificialintelligenceact.eu Annex III |
| Biometric categorisation inferring race/religion (e.g. in-store cameras) | Prohibited | Future of Privacy Forum |
| Subliminal / manipulative AI that distorts behaviour and causes harm | Prohibited (Article 5) | Orrick |
The Commission's guidance states AI personalising ads on user preferences is "not inherently manipulative" unless it subverts autonomy or exploits vulnerabilities (Orrick, 2025-04) — the line between lawful Personalisation and prohibited manipulation under Article 5.
High-risk obligations
For systems that fall in the high-risk tier (e.g. credit scoring behind store finance), sources report full requirements: a risk-management system, data governance with representative, bias-checked training data, technical documentation, automatic logging, transparency, human oversight (Article 14), accuracy/robustness, and registration in the EU database. Under Article 86 a person affected by a high-risk decision has a right to a meaningful explanation (regulatoryai.eu, corroborated by Annex III; as-of 2026).
Article 50 transparency — the part that hits most retailers first
Article 50 transparency obligations are reported to become enforceable 2 Aug 2026 and are the provisions a typical retailer is most likely to trigger (artificialintelligenceact.eu, as-of 2026-06-28):
- Chatbots: deployers must disclose users are interacting with AI unless it is obvious.
- Deepfakes / synthetic media: deployers must disclose content is artificially generated or manipulated.
- Generative AI providers: must embed machine-readable markings in AI-generated audio, image, video, and text.
The European Commission published a draft Code of Practice on marking and labelling AI-generated content, proposing a harmonised EU icon with a visual "AI" label as an interim solution and a taxonomy distinguishing fully AI-generated from AI-assisted content (European Commission, as-of 2026-01). Trade press reports a 22 July 2026 deadline to sign the AI Office's Code of Practice on Transparency to secure a presumption of conformity ahead of 2 Aug 2026 — single trade-press source, exact date to verify (TechTimes, 2026-06-22).
Deploying third-party LLMs
GPAI provider obligations applied from 2 Aug 2025 (European Commission GPAI guidelines). Sources describe a chain-of-responsibility model: a retailer deploying a third-party LLM is a deployer, cannot inherit the provider's compliance, and must exercise due diligence — retaining vendor documentation such as the model card and public training-data summary — while meeting direct deployer obligations including AI-content disclosure (EthicaLogic [VENDOR/consultancy — COI], 2026).
Penalties (as-of 2026-06-28)
Sources report tiered maximum fines, whichever is higher in each tier (artificialintelligenceact.eu Article 5):
| Breach | Maximum |
|---|---|
| Prohibited practices | €35m or 7% of global annual turnover |
| Other obligations (high-risk, Article 50) | €15m or 3% |
| Supplying incorrect information to regulators | €7.5m or 1.5% |
Overlap with other regimes
The Future of Privacy Forum analyses overlap between the AI Act's prohibited practices and the GDPR and Digital Services Act (DSA) on manipulation, Dark Patterns, and biometric processing (FPF, 2025). The EBA published a Nov 2025 analysis of the Act's implications for the EU banking and payments sector, relevant where retailers run payments/BNPL/credit functions (EBA, 2025-11).
What practitioners report retailers should do
Practitioner guidance (legal-tech consultancy, corroborated by Articles 14/72): inventory every AI system including vendor AI, classify each by risk tier, determine the provider/deployer role per system, and for high-risk systems close gaps in risk management, data governance, human oversight and documentation; deployers retain automated logs (commonly cited as ≥6 months) and conduct Fundamental Rights Impact Assessments where required (Legal Nodes, 2026).
Key terms
| Term | Meaning (as sources describe) |
|---|---|
| Provider | Entity that develops/places an AI system on the market under its own name |
| Deployer | Entity using an AI system under its authority — e.g. a retailer running a third-party LLM |
| GPAI | General-purpose AI model; provider obligations apply from 2 Aug 2025 |
| Annex III | List of high-risk use cases — includes creditworthiness scoring (5(b)) |
| Article 5 | Prohibited practices — manipulation, certain biometric categorisation |
| Article 50 | Transparency duties — chatbot and AI-content disclosure |
| Digital Omnibus | 2026 proposal that would defer high-risk deadlines (not yet law) |
Gaps
- No primary EUR-Lex fetch — article text via official Service Desk + explanatory mirror.
- No authoritative retail-body (e.g. Ecommerce Europe) position on chatbot-disclosure mechanics.
- Interaction with the EU Consumer Rights Directive specifically not surfaced.
- Reddit and YouTube streams empty this run (MCP/Apify not connected) — practitioner-sentiment and conference-talk angles unfilled; candidate videos logged in the source page for a future pass.