EU AI Act

Created 2026-06-28

The EU AI Act (Regulation (EU) 2024/1689) is the EU's horizontal, risk-based law governing the placing on the market and use of AI systems. It entered into force in Aug 2024 and applies in phases, reaching most of its substantive obligations across 2025–2027. For ecommerce it bites on the AI that retailers already run every day — Recommendation Engines, Personalisation, Dynamic Pricing, chatbots, AI-generated marketing content, and creditworthiness scoring behind BNPL — by sorting each use into a risk tier with matching obligations (artificialintelligenceact.eu; European Commission, as-of 2026-06-28).

Firewall: every claim here is what a source reports. See ../../CONTEXT.md Rule 1.

Phased application timeline (as-of 2026-06-28)

Sources report the following schedule (artificialintelligenceact.eu implementation timeline):

Date | What applies
Aug 2024 | Entry into force
2 Feb 2025 | Prohibited practices (Article 5) + AI-literacy duties
2 Aug 2025 | GPAI (general-purpose AI model) provider obligations
2 Aug 2026 | Most remaining obligations — Annex III high-risk + Article 50 transparency
2 Aug 2027 | High-risk AI embedded in regulated products (Annex I)

The high-risk deadline is contested. The artificialintelligenceact.eu timeline frames 2 Aug 2026 as the high-risk application date. A "Digital Omnibus" provisional agreement (reported 7 May 2026) would defer high-risk obligations — stand-alone Annex III systems to 2 Dec 2027 and Annex I embedded systems to 2 Aug 2028 — while leaving Article 50 transparency largely on the 2 Aug 2026 schedule (Gibson Dunn, 2026). DLA Piper stresses the deferral is a proposal not yet enacted, advising enterprises to treat the original deadlines as operative until adoption (DLA Piper, 2026). Status unsettled as-of 2026-06-28.

The four risk tiers

The Act sorts AI into unacceptable (prohibited), high, limited, and minimal risk, each with different obligations (artificialintelligenceact.eu high-level summary). Where common ecommerce AI uses land, per the sources harvested:

Ecommerce AI use | Tier reported | Source note
Product Recommendation Engine | Minimal risk | Vendor (scandiweb) — fact-specific, not a blanket exemption
FAQ / customer-service chatbot | Limited risk — Article 50 disclosure | Vendor (scandiweb)
Dynamic Pricing | Mostly minimal risk; not prohibited | Vendor (scandiweb) — COI
Creditworthiness / credit scoring behind BNPL | High risk (Annex III 5(b), except fraud detection) | artificialintelligenceact.eu Annex III
Biometric categorisation inferring race/religion (e.g. in-store cameras) | Prohibited | Future of Privacy Forum
Subliminal / manipulative AI that distorts behaviour and causes harm | Prohibited (Article 5) | Orrick

The Commission's guidance states AI personalising ads on user preferences is "not inherently manipulative" unless it subverts autonomy or exploits vulnerabilities (Orrick, 2025-04) — the line between lawful Personalisation and prohibited manipulation under Article 5.

High-risk obligations

For systems that fall in the high-risk tier (e.g. credit scoring behind store finance), sources report full requirements: a risk-management system, data governance with representative, bias-checked training data, technical documentation, automatic logging, transparency, human oversight (Article 14), accuracy/robustness, and registration in the EU database. Under Article 86 a person affected by a high-risk decision has a right to a meaningful explanation (regulatoryai.eu, corroborated by Annex III; as-of 2026).

Article 50 transparency — the part that hits most retailers first

Article 50 transparency obligations are reported to become enforceable 2 Aug 2026 and are the provisions a typical retailer is most likely to trigger (artificialintelligenceact.eu, as-of 2026-06-28):

  • Chatbots: deployers must disclose users are interacting with AI unless it is obvious.
  • Deepfakes / synthetic media: deployers must disclose content is artificially generated or manipulated.
  • Generative AI providers: must embed machine-readable markings in AI-generated audio, image, video, and text.

The European Commission published a draft Code of Practice on marking and labelling AI-generated content, proposing a harmonised EU icon with a visual "AI" label as interim solution and a taxonomy distinguishing fully AI-generated vs AI-assisted content (European Commission, as-of 2026-01). Trade press reports a 22 July 2026 deadline to sign the AI Office's Code of Practice on Transparency to secure a presumption of conformity ahead of 2 Aug 2026 — single trade-press source, exact date to verify (TechTimes, 2026-06-22).

Deploying third-party LLMs

GPAI provider obligations applied from 2 Aug 2025 (European Commission GPAI guidelines). Sources describe a chain-of-responsibility model: a retailer deploying a third-party LLM is a deployer, cannot inherit the provider's compliance, and must exercise due diligence — retaining vendor documentation such as the model card and public training-data summary — while meeting direct deployer obligations including AI-content disclosure (EthicaLogic [VENDOR/consultancy — COI], 2026).

Penalties (as-of 2026-06-28)

Sources report tiered maximum fines, whichever is higher in each tier (artificialintelligenceact.eu Article 5):

Breach | Maximum
Prohibited practices | €35m or 7% of global annual turnover
Other obligations (high-risk, Article 50) | €15m or 3%
Supplying incorrect information to regulators | €7.5m or 1.5%

Overlap with other regimes

The Future of Privacy Forum analyses overlap between the AI Act's prohibited practices and the GDPR and Digital Services Act (DSA) on manipulation, Dark Patterns, and biometric processing (FPF, 2025). The EBA published a Nov 2025 analysis of the Act's implications for the EU banking and payments sector, relevant where retailers run payments/BNPL/credit functions (EBA, 2025-11).

What practitioners report retailers should do

Practitioner guidance (legal-tech consultancy, corroborated by Articles 14/72): inventory every AI system including vendor AI, classify each by risk tier, determine the provider/deployer role per system, and for high-risk systems close gaps in risk management, data governance, human oversight and documentation; deployers retain automated logs (commonly cited as ≥6 months) and conduct Fundamental Rights Impact Assessments where required (Legal Nodes, 2026).

Key terms

Term | Meaning (as sources describe)
Provider | Entity that develops/places an AI system on the market under its own name
Deployer | Entity using an AI system under its authority — e.g. a retailer running a third-party LLM
GPAI | General-purpose AI model; provider obligations apply from 2 Aug 2025
Annex III | List of high-risk use cases — includes creditworthiness scoring (5(b))
Article 5 | Prohibited practices — manipulation, certain biometric categorisation
Article 50 | Transparency duties — chatbot and AI-content disclosure
Digital Omnibus | 2026 proposal that would defer high-risk deadlines (not yet law)

Gaps

  • No primary EUR-Lex fetch — article text via official Service Desk + explanatory mirror.
  • No authoritative retail-body (e.g. Ecommerce Europe) position on chatbot-disclosure mechanics.
  • Interaction with the EU Consumer Rights Directive specifically not surfaced.
  • Reddit and YouTube streams empty this run (MCP/Apify not connected) — practitioner-sentiment and conference-talk angles unfilled; candidate videos logged in the source page for a future pass.
Research agent · 2026-06-28