AI agents and the EU AI Act: what applies in 2026?
Is your AI agent regulated by the EU AI Act? Most fall under limited risk with transparency duties, not high-risk. How to judge the level and what to do.

The market is split into two camps that rarely meet. One explains the EU AI Act in detail but never mentions the word AI agent. The other celebrates the business value of AI agents but skips the rules entirely. This guide connects them: does your AI agent count as a regulated AI system, what risk level does it land in, and what does the law actually require of you?
The short answer is reassuring for most companies. A customer-facing AI agent is almost never high-risk. But there are duties you need to know, and a couple of traps once the agent starts acting on its own.
Are AI agents regulated by the EU AI Act?
Yes, but not as a category of their own. The EU AI Act has no dedicated clause for AI agents. They are assessed under the same rules as any other AI system: by what they are used for and what risk that use carries. The use decides everything, not the technology itself.
This is not our interpretation. The European Commission's own guidance states that AI agents are not a separate category under the regulation, and that the definition of an AI system is enough to cover them. The Commission's AI Act Service Desk writes plainly that the rules for AI systems and GPAI models also apply to AI agents. The Commission calls its own position preliminary, since the technology is moving fast.
The consequence matters: the same agent can be nearly unregulated in one setting and heavily regulated in another. An agent that suggests restock orders in a warehouse is one thing. An agent that screens job applications is another, even though the technology behind them may be identical.
The EU AI Act is Regulation (EU) 2024/1689. It entered into force on 1 August 2024 and applies directly in Sweden, without the parliament having to turn it into national law. For the basics of how an AI agent actually works, see our in-depth guide to AI agents for SMBs.
What risk level does an AI agent land in?
Most AI agents that companies use land in limited risk, the transparency tier, not in high-risk. A customer-service agent, a booking agent or an internal assistant is limited risk. It only becomes high-risk when the agent is used in one of the law's specifically flagged sensitive areas.
The regulation sorts AI into four levels: prohibited, high-risk, limited risk and minimal risk. For an AI agent, the two middle ones are what matter.
Where the common agents land
An agent that talks to customers lands in limited risk. Then the transparency duty in Article 50 applies, but not the heavy high-risk obligations. An agent that only works in the background against internal systems, without affecting decisions about people, often sits in minimal risk and is effectively unregulated.
High-risk is reserved for the areas in the law's Annex III. These include recruitment, credit scoring, education and health. An agent that screens job applications or scores borrowers is high-risk. An agent that answers questions about opening hours is not.
The method for classifying step by step, with roles and exemptions, is covered in our guide to risk classification under the EU AI Act. Here it is enough to know where an agent normally lands, and to decide whether yours belongs to the sensitive areas or not.
What does the law require of a customer-facing AI agent?
The most important duty is transparency. Article 50 requires that an AI agent interacting directly with people is built so the person understands they are dealing with an AI. It must be clear at the latest at the first interaction, unless it is already obvious to a reasonably observant person.
In practice it is one short line: "You are chatting with our AI assistant." The duty falls on whoever builds the agent, and the more detailed rule, that the information must be clear and timely, also sits in Article 50. The transparency duties start to apply on 2 August 2026.
This is the duty that actually reaches most agents, and it is cheap to meet. We build the disclosure in from the start with our clients. It costs nothing, and it is a requirement you cannot get around anyway.
When does an AI agent become high-risk, and what applies then?
An AI agent becomes high-risk when it is used in one of the Annex III areas and actually affects decisions about people. Then far heavier requirements apply, with human oversight at the centre. This covers a small share of all agents, but where it hits, the difference is large.
There is an exemption that is often missed. Even within a sensitive area, an agent escapes the high-risk label if it only performs a narrow, preparatory or supplementary task and does not replace the human judgment. An agent that merely structures incoming applications ahead of a human review can fall outside. But there is a hard line: the agent always counts as high-risk if it profiles natural persons, however small the task looks. The rule is in Article 6.
What human oversight means in practice
If the agent is high-risk, Article 14 requires it to be built so a human can effectively oversee it throughout operation. The person must understand what the agent can and cannot do, be able to interpret what it does, be able to disregard a suggestion, and be able to stop the agent with a stop function. Autonomy is allowed, but never without a hand on the lever.
For the heaviest cases, such as remote biometric identification, the requirement tightens further: no decision may be taken on the agent's identification unless it is separately confirmed by at least two people.
Are you the provider or the user of the agent?
This decides which obligations you carry. If you buy a finished AI agent and use it in your operation, you are usually the user, or deployer, with lighter requirements. If you build your own, or put your own name on one, you can count as the provider with full responsibility for compliance.
The line is practical. Use a standard service you do not modify and you are the user. Order an agent built around your processes, or build it yourself, and you drift toward the provider role. The full breakdown of roles and what follows from each is in the risk classification guide. The point for an agent is to work out which side you are on before you sign anything.
Who is responsible when an autonomous agent makes a wrong decision?
Responsibility stays with the company, not with the agent. The law assumes a human can understand, oversee and if needed stop the agent, and that it is possible to see afterwards what it did and why. Autonomy does not remove responsibility. It raises the bar on traceability.
This is the question no other Swedish guide tackles, and it is worth pausing on.
Decision support or independent decision?
The most important line runs between an agent that suggests and an agent that acts. An agent that produces a draft a human then approves keeps you in the lighter part of the rules. An agent that makes and carries out a decision about a person on its own pulls in heavier requirements, both Article 14 oversight if it is high-risk, and the data protection rules.
If the agent makes fully automated decisions about a person, the GDPR can give that person the right to human involvement. How data protection and AI fit together is covered in our guide to AI and GDPR.
Traceability is your protection
What lets you answer for the agent is the log. For high-risk agents, automatic logging is an explicit requirement. For the rest it is not mandatory, but it is the only thing that lets you reconstruct what happened the day someone questions a decision. In practice we build agents with two things in place: a clear boundary for what they may do on their own, and a log of every action they take.
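One way to build the two controls described above, an explicit boundary for what the agent may do on its own and a log of every action, shown as an added example that is not code from this guide's author. The action names, the `ActionGate` class and the approver field are hypothetical, and the hash chain is an added design choice that makes later edits to the log detectable.

```python
import hashlib, json, time

# Assumed policy: both sets are hypothetical and would come from your own review.
AUTONOMOUS = {"answer_faq", "book_meeting"}          # agent may act alone
NEEDS_HUMAN = {"issue_refund", "reject_applicant"}   # a named person must approve

def _digest(entry):
    # Hash every field except the hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ActionGate:
    """Decides whether an agent action may run; the caller executes only on 'allowed'."""
    def __init__(self):
        self.stopped = False     # stop function for the human overseer
        self.log = []            # append-only records, each chained to the previous one
        self._prev = "0" * 64

    def stop(self):
        self.stopped = True

    def _record(self, action, params, outcome, approver=None):
        entry = {"ts": time.time(), "action": action, "params": params,
                 "outcome": outcome, "approver": approver, "prev": self._prev}
        self._prev = entry["hash"] = _digest(entry)
        self.log.append(entry)
        return outcome

    def request(self, action, params, approver=None):
        # Every request is logged, including the ones that are refused.
        if self.stopped:
            return self._record(action, params, "blocked:stopped")
        if action in AUTONOMOUS:
            return self._record(action, params, "allowed")
        if action in NEEDS_HUMAN:
            if approver is None:
                return self._record(action, params, "pending:human_review")
            return self._record(action, params, "allowed", approver)
        return self._record(action, params, "blocked:not_allowed")   # default deny

def verify_chain(log):
    """Return False if any record was altered, removed or reordered."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["hash"] != _digest(e):
            return False
        prev = e["hash"]
    return True
```

Tampering is only detectable if the latest hash is also kept somewhere the agent itself cannot write.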
What applies in 2026, and what is about to change?
Three things have already happened. The prohibited AI practices have applied since 2 February 2025, and the rules for general-purpose AI models since 2 August 2025. The transparency duties and most high-risk rules apply from 2 August 2026. But a fresh proposal may postpone some of them.
In November 2025 the Commission tabled a reform package called the Digital Omnibus, and in May 2026 a political agreement was reached between the Council and Parliament. It would postpone the high-risk rules for stand-alone systems in the Annex III areas from 2 August 2026 to 2 December 2027. The European Parliament confirms the deal.
It is important to read this correctly: the agreement has not yet been adopted and published in the EU's Official Journal. Until it is, the original dates formally apply. But the direction is clear, and it gives high-risk systems more time, not less.
Break the rules and the fines can bite: up to EUR 35 million or 7 percent of global turnover for prohibited practices, and up to EUR 15 million or 3 percent for breaches of other requirements, under Article 99. In Sweden, a government inquiry, SOU 2025:101, proposes that the Swedish Post and Telecom Authority becomes the lead supervisory authority. The proposal is out for consultation and not yet enacted law. The full timeline, the sanctions and Swedish supervision are covered in our guide to the EU AI Act for companies.
How do you prepare your AI agents?
Start with a simple self-assessment. What does the agent do, who does it affect, and how independently does it act? For most agents you land in a few concrete actions, not in a compliance project.
Five questions go a long way:
- Is it an AI system? For an agent the answer is almost always yes.
- Which area? Everyday operations, or a sensitive Annex III area like recruitment or credit?
- Provider or user? Are you building it, or using a finished one?
- Does it talk to people? Then you add the notice that it is an AI.
- Does it affect decisions about people? Then it needs human oversight and a log.
A worked example
Say you have an AI agent that answers customers in chat and books meetings. Run the questions: it is an AI system, it works in everyday customer service and not in any Annex III area, you use a finished service, it talks to customers, and it does not affect decisions about people in the sense of the law. Result: limited risk, one single concrete action to take, namely the notice that it is an AI, plus a log as good practice.
Now swap the booking for the agent filtering job applications, and the picture changes completely. Recruitment is an Annex III area, the agent affects decisions about people, and profiling makes it high-risk however narrow the task looks. Same technology, an entirely different compliance burden. That is why you always start with the use, not with the agent itself.
Anyone wanting a broader checklist for the whole operation will find it in the EU AI Act guide. But for a single agent, this is enough to know where you stand.
The rules are younger than the technology, and they keep moving. The Digital Omnibus is proof of that. But the underlying logic is stable: know what the agent does, be honest that it is an AI, and make sure a human can take over. Do that and you are ready whatever date ends up applying.
Frequently asked questions
Yes, the law applies regardless of company size. As the user of a finished agent you have lighter requirements than whoever built it, but the transparency duty and the responsibility for how you use the agent apply to you. Smaller companies get some relief in the documentation, but not in the core requirements.
Yes, unless it is already obvious. Article 50 requires a customer-facing AI agent to be built so the person understands it is an AI, at the latest at first contact. A short line is enough, for example "You are chatting with our AI assistant". The duty starts to apply on 2 August 2026.
It depends on the decision. If the agent makes a fully automated decision with a legal or similarly significant effect on a person, the GDPR gives the right to human involvement. Build the agent so a human can step in and review, and keep logs of what it has done.
Small in regulatory terms. Both fall under the same transparency duty when talking to people. The difference is practical: an AI agent acts more independently, which raises the bar on oversight and traceability. What separates them technically is covered in our [guide on AI agent versus chatbot](/en/blog/ai-agents/ai-agent-vs-chatbot).
Up to EUR 35 million or 7 percent of global turnover for prohibited practices, and up to EUR 15 million or 3 percent for breaches of other requirements, under Article 99. For an ordinary customer-facing agent the practical risk is low if transparency and oversight are in place.
For high-risk agents, automatic logging is an explicit requirement. For other agents it is not mandatory by law, but it is what lets you answer for what the agent did the day a decision is questioned. Keep the logs as long as you need them for follow-up and accountability.