Compliance

EU AI Act and voice AI: enterprise compliance guide

EU AI Act and voice AI: what enterprises must do before 2 August 2026. Article 50, emotion AI obligations, and a compliance checklist for contact centres.

DILR.AI — COMPLIANCE EU AI Act and voice AI What your contact centre must do before 2 August 2026 COMPLIANCE DEADLINE 97 days · Article 50 enforced Article 50 · Annex III high-risk · GPAI documentation · Fines: up to €15M or 3% global turnover

On 2 August 2026, a set of enforceable obligations under the EU AI Act comes into effect that directly affects enterprise voice AI deployments. Contact centres running AI-powered outbound campaigns, inbound call handling, or AI-assisted sales and collections are caught by two specific provisions: Article 50 (mandatory AI disclosure) and Annex III (high-risk classification for emotion AI and automated routing systems).

This is not a distant regulatory shift. With 97 days remaining, it is an active compliance deadline carrying fines of up to €15 million or 3% of global annual turnover — whichever is higher. More immediately, EU AI Act readiness is becoming a procurement gate: enterprise buyers in financial services, healthcare, and professional services are requesting compliance documentation as a contract condition before signing.

This guide covers the specific articles that apply to voice AI, which contact centre use cases trigger high-risk classification, and a practical compliance readiness framework for enterprise contact centre teams. For the cost implications of building a compliant voice programme, see our analysis of AI voice cost per call economics.

Key obligations at a glance
  • Article 50: Mandatory disclosure that a caller is speaking to an AI — required at the start of every call, before any interaction begins.
  • Annex III (high-risk): Sentiment analysis, emotion detection, and automated routing based on inferred emotional state trigger the high-risk classification with full conformity assessment obligations.
  • GPAI: Foundation models underpinning voice agents must be documented under the General Purpose AI provisions where systemic risk potential applies.
  • Extraterritorial scope: UK enterprises serving EU citizens are in scope regardless of where the platform is hosted or the company is incorporated.
Compliance Factor Non-Compliant Deployment (risks from 2 Aug 2026) EU AI Act Ready (✓ compliant by deadline) Call start disclosure (Art. 50) No AI disclosure at call start AI identity disclosed before interaction Emotion AI / sentiment scoring No risk classification completed DPIA filed; conformity assessment done Audit trail and decision logging No structured decision logging Full audit trail; 10-year retention Technical documentation (GPAI) No component-level documentation Technical file per AI component Human handover pathway Optional; undocumented Mandatory; tested; documented Fines up to €15M or 3% global turnover from 2 Aug 2026 ✓ Audit-ready · enterprise procurement cleared

What the EU AI Act means for voice AI deployments

The EU AI Act establishes a risk-tiered framework that classifies AI systems by the potential harm they could cause. Most enterprise voice AI deployments sit in one of two tiers: limited risk (governed by Article 50 transparency obligations) or high risk (governed by Annex III conformity requirements). Understanding which tier applies to your deployment is the foundation of any compliance programme — and it depends less on the channel and more on what the AI is actually doing during the call.

Article 50: mandatory disclosure at the start of every call

Article 50 applies to all AI systems that interact with natural persons — which covers every AI voice agent making or receiving calls. The obligation is unambiguous: the person must be informed they are interacting with an AI system at the point of contact, before the interaction begins.

For outbound AI voice campaigns, this means the disclosure must appear in the opening seconds of the call — before any qualifying question, before any data collection, before any transactional interaction. A disclosure buried midway through a call, or delivered only when a caller explicitly asks whether they are speaking to a human, does not satisfy Article 50.

The practical change for most deployments: the voice agent's opening script must be updated. Enterprises currently running agents that open with a personal name ("Hi, this is Alex from [Company]...") without an AI disclosure will need to redesign their call flows before 2 August 2026. The disclosure does not need to be elaborate — "You are speaking with an AI assistant" followed by the agent's name and purpose meets the requirement in most implementations. However, legal teams should review the specific wording against national implementation guidance from their relevant competent authority, as member states have flexibility in how they apply the Article 50 requirements.

Article 50(4) adds a synthetic audio obligation: AI-generated audio content — including synthesised voice and voice cloning — must be labelled as machine-generated where technically feasible. Contact centres using custom voice synthesis should confirm their watermarking or labelling mechanism is in place. DILR.AI's compliance documentation covers Article 50 disclosure configuration and audio labelling posture in detail.

For context on how consent capture obligations under GDPR and PECR interact with the EU AI Act disclosure requirements — particularly for outbound campaigns — our guide to consent capture in AI voice calls covers the full picture for UK enterprise contact centres.

When voice AI becomes high-risk: emotion AI and automated routing

Not every voice AI deployment triggers the heavier Annex III obligations. But two categories in Annex III directly apply to enterprise contact centre technology:

Biometric categorisation (Annex III, point 1): Systems that infer emotional state, psychological characteristics, or behavioural patterns from voice signals. This captures real-time sentiment analysis engines, emotion detection during calls, and voice stress analysis. If your voice AI platform scores caller sentiment in real time and uses that score to influence call routing, escalation priority, or agent response strategy, it is likely classified as high-risk under this provision.

Employment and worker management (Annex III, point 4): AI systems that monitor employee performance or allocate tasks based on AI assessment. Contact centre AI tools that evaluate agent performance against AI-generated call quality scores may also be captured under this category.

High-risk classification carries substantially heavier obligations than Article 50 alone:

  • A conformity assessment — an internal or third-party audit of the system against Annex III requirements before the system goes live, or before the August deadline for existing deployments
  • A technical file documenting system architecture, training data provenance, model validation results, accuracy metrics, and risk mitigation controls
  • Real-time human oversight: a human operator must be able to monitor AI decisions, intervene, and override outcomes during active calls
  • Structured logging with defined retention periods — current guidance points to a minimum of 10 years for high-risk systems
  • EU database registration: high-risk systems must be registered in the EU's public AI system database before deployment

The CX Today analysis of the August 2026 emotion AI compliance deadline estimates that a significant share of enterprise contact centre deployments using sentiment scoring are not yet compliant with Annex III. The compliance gap is widest in mid-market deployments where AI voice was introduced rapidly without a formal governance review.

AI voice agents deployed in regulated sectors — particularly AI voice for financial services, where real-time sentiment scoring drives collections and KYC call flows — face the highest scrutiny and should treat Annex III compliance as the most urgent item in their programme.

See it in action

DILR.AI's platform includes configurable Article 50 disclosure scripts, structured audit logging, and human handover controls built to enterprise compliance standards — explored in detail on our inbound solutions page or live in the Dilr Voice platform.

Building an EU AI Act compliant voice programme

For most enterprise contact centres, EU AI Act readiness is a phased programme rather than a single configuration change. The following framework addresses obligations in order of urgency — Article 50 items first (lower effort, immediate deadline impact), Annex III controls following — and can be completed before the August deadline for deployments that start now.

The four-step compliance readiness framework

EU AI Act compliance programme — four phases
  • Phase 1 Script audit. Review all voice agent opening scripts for Article 50 disclosure compliance. Update every outbound and inbound call flow to include an unambiguous AI identity statement at the start. Lowest effort, highest urgency — start here regardless of your Annex III status.
  • Phase 2 Risk mapping. Document each AI component in your voice stack. Assess whether any component uses sentiment analysis, emotion inference, or automated routing based on inferred caller state. Determine whether Annex III applies and file a DPIA if so.
  • Phase 3 Technical documentation. Produce technical files for each AI component in scope. Cover model architecture, training data provenance, validation results, and error rate benchmarks. Request equivalent documentation from your voice AI vendor for every foundation model in the stack.
  • Phase 4 Oversight and logging. Implement real-time human monitoring capability for live AI voice calls. Enable structured audit logging with defined retention periods. Test the human handover pathway and document it formally in your contact centre operating procedures.

GPAI and foundation model obligations for voice vendors

Enterprise voice AI platforms built on foundation models — large language models handling conversation logic, intent detection, and response generation — are subject to additional GPAI (General Purpose AI Model) provisions under the EU AI Act. Providers of GPAI models with systemic risk potential must publish technical documentation and conduct adversarial testing before making those models available.

For enterprise buyers, the practical implication is vendor due diligence. When evaluating or renewing contracts with voice AI vendors ahead of August, procurement teams should ask four questions:

  1. Which foundation models power the platform's conversation logic, and does the vendor have GPAI technical documentation for each of them?
  2. Is Article 50 disclosure available as a configurable, platform-level feature — or does compliance require custom development work on every deployment?
  3. Does the platform provide structured audit logging sufficient to satisfy Annex III retention requirements?
  4. Is there a documented and testable human handover mechanism, and can it be demonstrated in a staging environment before contract sign-off?

Extraterritoriality is a critical consideration for UK enterprises: the EU AI Act applies to any AI system placed on the EU market, or whose outputs are used by EU citizens — regardless of where the system is hosted or the company is registered. A UK enterprise running AI voice campaigns targeting customers in Germany, France, or Ireland is in scope from 2 August 2026. Enterprise legal teams at firms with any EU customer exposure are treating EU AI Act compliance as the de facto standard for all voice AI deployments, not just EU-facing ones.

The thoughtstuff.co.uk detailed breakdown of Article 50 obligations provides a practical walk-through of exactly what disclosure language must appear and when — recommended reading before your script audit.

Review your enterprise security posture alongside your AI Act compliance programme — the technical controls required for Annex III logging and oversight will largely map to controls already documented for ISO 27001 or SOC 2 purposes, reducing the incremental effort significantly for enterprises with mature security programmes.

Next step

Deploy voice AI that is EU AI Act ready from day one

DILR.AI's enterprise voice platform includes configurable Article 50 disclosure scripts, structured audit logging, and documented human oversight controls — built for the compliance requirements your legal and procurement teams need cleared before the August deadline.

EU AI Act voice AIEU AI Act compliance 2026EU AI Act contact centrevoice AI EU compliance August 2026enterprise AI voice regulationDILR.AI voice complianceArticle 50 AI voice disclosure
AP
Aarav Pundir
Founder, DILR.AI

Related articles

Compliance

Consent capture in AI voice calls: GDPR and PECR guide

Consent capture in AI voice calls governs your entire outbound programme under GDPR and PECR. Get the lawful basis framework UK enterprises use pre-launch.

12 min readDilr Engineering
← Previous
Consent capture in AI voice calls: GDPR and PECR guide

One email, once a month. No hype. Just what we learned shipping.

Subscribe →