Chatbots and the EU AI Act: What Compliance Looks Like

Chatbots are the most common AI system most users actually interact with: customer-service bots, in-app assistants, AI-powered search interfaces, voice-driven helplines, and a growing population of "agentic" tools that can take actions on behalf of users. The EU AI Act regulates all of them — but for most, the regulatory load is much lighter than it first appears.

This article explains exactly how the regulation applies to chatbots: when they are high-risk, when they are limited-risk, what Article 50 transparency obligations actually require, and how to implement compliant disclosure in practice.

The Core Classification: Most Chatbots Are Limited-Risk

The EU AI Act uses a four-tier risk classification. Chatbots are generally limited-risk, not high-risk. This is the most important point in this article, because it determines the entire compliance posture you need to adopt.

Limited-risk systems are subject to Article 50 transparency obligations but not to the substantive requirements of Articles 8–15 (risk management, technical documentation, conformity assessment, etc.). The compliance lift is dramatically lower:

• No conformity assessment
• No CE marking
• No EU database registration
• No notified-body involvement
• No risk management system under Article 9
• No technical documentation per Annex IV

What remains is essentially one obligation: tell users they are talking to an AI.

When Does a Chatbot Become High-Risk?

A chatbot is reclassified as high-risk when it is deployed in a use case listed in Annex III. The most common high-risk chatbot scenarios:

Employment (Annex III, point 4). A chatbot that screens job applications, conducts interviews, scores candidates, or makes hiring recommendations is high-risk. See AI hiring compliance.

Access to essential services (Annex III, point 5). A chatbot that determines eligibility for credit, insurance pricing, public benefits, healthcare access, or emergency dispatch is high-risk. A chatbot that helps users find information about these services without making decisions typically is not.

Education (Annex III, point 3). A chatbot used to grade student work, determine course assignment, or detect prohibited behaviour during tests is high-risk. A study-support chatbot that does not affect formal evaluation usually is not.

Law enforcement (Annex III, point 6). Chatbots used in investigations to profile suspects, evaluate evidence reliability, or assess victim risk are high-risk.

Migration and border control (Annex III, point 7). Chatbots used to assess asylum or visa applications, or to support border-control risk decisions, are high-risk.

Administration of justice (Annex III, point 8). Chatbots assisting judicial authorities in interpreting facts or applying law to specific cases are high-risk.

For each, the high-risk classification triggers the full Article 8–15 regime, conformity assessment, and registration. The transparency obligation in Article 50 is additional to these requirements, not in place of them.

What Article 50 Requires

Article 50 imposes transparency obligations on specific categories of AI systems. For chatbots, the relevant provision is Article 50(1):

Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate or prosecute criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties.

Several elements deserve attention:

The Obligation Sits with the Provider

The "provider" — the developer who places the chatbot on the market or puts it into service under its own name or trademark — is responsible for designing the chatbot so that disclosure happens. Deployers (the companies using the chatbot) typically configure how and where the disclosure appears, but the design responsibility starts upstream.

In practice, providers will usually offer a default disclosure that deployers can adapt within bounds. White-label chatbot platforms must ensure their default behaviour meets the requirement, since downstream deployers may not know how to configure compliance themselves.

"Reasonably Well-Informed, Observant and Circumspect" — the No-Disclosure Carve-Out

Article 50(1) exempts disclosure where it would be obvious to a "reasonably well-informed, observant and circumspect" person that they are talking to an AI. In practice, this carve-out is narrow. A friendly conversational interface — even one named "Eva" or "Max" — does not automatically signal AI. Voice assistants, branded chatbots embedded in a company site, and AI-driven phone systems all generally require disclosure.

The carve-out exists for systems where the AI nature is structurally obvious — for example, an AI-art generator where the user has explicitly chosen to use AI tools. It is not a shortcut for the vast majority of customer-facing chatbots.

"At the Latest at the Time of the First Interaction or Exposure"

Article 50(5) clarifies the timing: information shall be provided to the persons concerned in a clear and distinguishable manner at the latest at the time of the first interaction or exposure. This means:

• Web chatbots: an initial system message or visible label at the start of the conversation
• Voice assistants: a spoken disclosure at the start of the call or when AI handling begins
• Email auto-reply or AI-drafted email: a disclosure in the message itself
• In-product copilots: a label, badge, or onboarding flow that establishes the AI nature before substantive interaction

Repeating the disclosure on every message is not required, though some implementations choose to include a persistent label for clarity.

Accessibility Requirements

Article 50(5) further requires that the information be provided "in accordance with the applicable accessibility requirements." This typically means following the European Accessibility Act standards: text disclosures must be screen-reader compatible, voice disclosures must be transcribed for users with hearing impairments, and the disclosure must be perceivable across input modalities.

Vulnerable Groups

Article 50(5) instructs deployers to take vulnerable groups into account. For chatbots used by minors, elderly users, or other populations with reduced ability to understand technological context, disclosure must be especially clear and age-appropriate.

Designing Compliant Disclosure: Examples

The regulation does not prescribe exact wording. Reasonable patterns include:

Web chatbot — first message:

"Hi! I'm an AI assistant. I can help you with [scope]. A human team member can join the chat at any time if you ask."

Voice assistant — opening:

"Thanks for calling [Company]. I'm an AI assistant. To speak with a human, say 'representative' at any time."

Embedded copilot — onboarding badge:

A persistent badge marked "AI" or "AI-assisted" alongside the response area, plus an onboarding tutorial explaining the AI nature on first use.

AI-drafted email — header line:

A signature line like: "Drafted with AI assistance and reviewed by [name]" or a footer indicating AI generation.

Avoid disclosures that are technically present but easy to miss: a single italic line in a four-paragraph footer, or a small tooltip hidden behind an info icon, generally does not meet the "clear and distinguishable manner" standard.

Interaction with GDPR and Other Regulations

Chatbots often process personal data. The EU AI Act applies in parallel with the GDPR: both regimes must be satisfied independently.

Practical GDPR-related considerations for chatbots:

• Article 13/14 GDPR notices about data processing remain mandatory. The Article 50 AI disclosure is additional, not a replacement.
• Article 22 GDPR (right not to be subject to a decision based solely on automated processing) applies if the chatbot makes decisions with legal or similarly significant effects. A high-risk chatbot under Annex III will almost certainly trigger Article 22 GDPR.
• Data minimisation: store only what is necessary. Logging full chat history by default may exceed proportionality.
• Special categories of data: if your chatbot handles health, financial, biometric, or other sensitive information, expect stricter requirements under GDPR Articles 9 and 10.

For specific sectors, additional rules apply. Financial-services chatbots are subject to DORA and consumer-protection rules. Healthcare chatbots may interact with MDR/IVDR (see AI in healthcare compliance). E-commerce chatbots must respect the Unfair Commercial Practices Directive.

When the Chatbot Is Also a GPAI Application

If your chatbot is built on a general-purpose AI model — almost any modern LLM-based chatbot — there is a layered relationship with the regulation:

• The GPAI model provider has obligations under Chapter V and Articles 51–56: technical documentation, training-data summary, copyright compliance, downstream-provider information, and (for systemic-risk models) additional safety obligations.
• You as the chatbot provider have your own obligations under the regulation: Article 50 transparency, and if applicable, the high-risk regime.

The downstream-provider information that the GPAI model provider must make available (Article 53(1)(b)) is what enables your chatbot's compliance: capabilities, limitations, evaluation results, and acceptable-use policies. You should retain and reference this material in your own documentation.

Practical Compliance Checklist for Chatbot Operators

1. Classify the use case. Is the chatbot used in any Annex III area? If yes, plan for the high-risk regime.
2. Implement disclosure. Ensure the first interaction makes the AI nature clear.
3. Document compliance. Even for limited-risk chatbots, keep a short compliance memo: classification, disclosure implementation, training-data summary (from your GPAI provider), and any deployer-side configuration limits.
4. Train your team. Article 4 AI literacy applies to chatbot operators: customer-service teams should understand the chatbot's limits and when to escalate to humans.
5. Set up monitoring. Even outside the high-risk regime, monitor for accuracy issues, harmful outputs, and disclosure failures. Article 50 disclosure failure is the most easily detected violation.
6. Coordinate with GDPR. Confirm that your Article 50 disclosure does not contradict your Article 13/14 GDPR notices, and that data minimisation applies to chat logs.
7. Plan for Article 22 GDPR. If decisions made by the chatbot have legal or similarly significant effects, provide human review paths and explanations.
8. Consider sector-specific rules for financial services, healthcare, or any other regulated area.

Conclusion

For most operators, complying with the EU AI Act for chatbots is straightforward: classify the use case, disclose the AI nature at the first interaction, and maintain a light compliance file. The trap is treating high-risk use cases as if they were limited-risk — a chatbot that screens job applicants or determines benefit eligibility is high-risk regardless of its conversational packaging, and the consequences of getting that wrong include substantial fines and product-level enforcement action.

For deeper context on the transparency regime applied to other limited-risk systems, see transparency obligations under the EU AI Act. For an overview of where your chatbot fits in the broader regulatory landscape, the complete EU AI Act overview is the best starting point.