Most commentary on the EU AI Act focuses on foundation model providers and large tech companies. That framing has led many SMB owners and operations managers to file it under “not our problem” — and then carry on building or buying AI agents without giving the regulation a second thought.
That is a mistake worth correcting before it becomes an expensive one.
The EU AI Act applies to any organisation deploying an AI system in the EU or in contexts that affect people in the EU. That includes a Swiss company using an AI agent to screen job applications, a retail business using one for customer interactions, or a logistics firm whose AI system influences routing decisions that affect workers. If you’re deploying AI agents — or planning to — the Act is already your business.
This article translates the regulation’s risk framework into a practical decision tree: which agent use cases are affected, what compliance actually requires in practice, and when obligations kick in.
Why “AI Agent” and “AI System” Are Not the Same Under the Act
The EU AI Act uses the term AI system, defined broadly as a machine-based system that, given inputs, infers how to generate outputs such as content, decisions, recommendations, or predictions. An AI agent — a system that perceives its environment, makes decisions, and takes actions to achieve goals — sits squarely within that definition.
What matters for compliance is not the label you put on the system. It is what the system does and who it affects. A chatbot that answers FAQ questions occupies a different regulatory position than an agent that scores loan applications, evaluates job candidates, or monitors employee performance. The same architecture; entirely different compliance profiles. Understanding the difference starts with the Act’s four risk categories.
The Four Risk Tiers — and Where AI Agents Land
Unacceptable Risk: Prohibited Outright
These are systems the Act bans entirely: social scoring by governments, real-time biometric surveillance in public spaces, systems that exploit vulnerabilities to manipulate behaviour. Very few commercial agent deployments come close to this tier. If yours does, you already have bigger problems than compliance.
High Risk: Significant Obligations Apply
This is where the Act’s weight falls hardest — and where many businesses are surprised to find their agents sitting.
High-risk AI systems include those used in:
- Employment and HR: hiring, shortlisting, promotion, performance monitoring, task allocation
- Education: admission decisions, assessment of learning outcomes
- Access to essential services: credit scoring, insurance risk assessment, benefits eligibility
- Critical infrastructure: systems affecting utilities, water, transport
- Law enforcement and justice: predictive policing, evidence assessment, sentencing support
- Migration: border control, asylum processing
If your AI agent operates in any of these areas — even as a supporting tool, not the final decision-maker — it will likely qualify as high-risk.
What high-risk compliance actually requires:
- Risk management system: documented, ongoing process for identifying and mitigating risks throughout the lifecycle
- Data governance: training, validation, and test datasets meeting quality and representativeness standards
- Technical documentation: a record of design, capabilities, and limitations sufficient for regulatory review
- Transparency and human oversight: users must know they’re interacting with AI; meaningful human oversight must be built in before high-stakes decisions
- Accuracy, robustness, and cybersecurity: consistent performance and protection against adversarial interference
- Registration: registration in the EU’s AI database (Article 71) is required before deployment of Annex III high-risk systems. Under the original Act this applied from 2 August 2026; the Digital Omnibus provisional agreement (7 May 2026) proposes deferral to 2 December 2027, pending formal publication in the Official Journal
Limited Risk: Transparency Obligations
This tier covers systems with narrower interaction risks — primarily chatbots and AI that generates synthetic content. The main obligation is disclosure: users must know they are interacting with an AI system, not a human. An agent handling customer service conversations, booking confirmations, or support queries falls here if it is not making high-stakes decisions about individuals.
Many customer-facing AI agents built by SMBs land in this tier. The compliance overhead is low, but the disclosure requirement is not optional.
Minimal Risk: No Specific Obligations
Spam filters, AI-recommended playlists, basic content optimisation tools. These are out of scope for significant compliance requirements, though general product liability and consumer protection law still apply.
A Practical Decision Tree for Your Agent Use Cases
Run each of your deployed or planned agents through these four questions:
1. Does the agent make or meaningfully contribute to decisions about individual people? If yes, continue. If no (e.g., internal data processing, system-to-system automation with no human impact), the risk level is likely minimal.
2. Do those decisions affect employment, credit, essential services, education, or law enforcement? If yes, it is almost certainly high-risk. Start the documentation and oversight requirements now.
3. Does the agent interact directly with people in a human-like way (text, voice)? If yes and it’s not high-risk, you are in the limited-risk tier. You need clear, upfront disclosure that users are talking to an AI.
4. Is the agent autonomous enough to take consequential actions without human review? Even if the use case doesn’t fall in a named high-risk category, agentic autonomy — especially in agentic workflows that chain multiple decisions together — can attract scrutiny. The more consequential and irreversible the actions, the more you should treat the system as if it were high-risk from a governance standpoint, regardless of formal classification.
Timelines: When Do Obligations Apply?
The EU AI Act entered into force in August 2024 and rolls out in phases:
- Prohibited practices: banned from February 2025
- GPAI models and general obligations: from August 2025
- High-risk systems (Annex I — regulated sectors): under the original Act, requirements apply from August 2026; a provisional political agreement reached on 7 May 2026 (the “Digital Omnibus”) proposes deferral to 2 August 2028, pending formal publication in the Official Journal
- High-risk systems (Annex III — employment, education, services): under the original Act, requirements apply from August 2026; the Digital Omnibus provisional agreement proposes deferral to 2 December 2027, pending formal publication in the Official Journal — see the EU AI Act implementation timeline for current status
- Transparency obligations (Article 50 — limited risk disclosure): August 2026, unchanged — the Omnibus does not defer these
- Full application: August 2026 remains the operative headline date for transparency and governance obligations; Annex III high-risk obligations are deferred to 2 December 2027 and Annex I embedded-product obligations to 2 August 2028 under the provisional agreement, pending formal adoption
Until the Digital Omnibus is formally published in the Official Journal, August 2026 remains the legally operative deadline for high-risk systems. In practice, the deferral is widely expected to be adopted before that date.
For most SMBs deploying AI agents, the transparency obligations (August 2026) are immediate, while high-risk compliance timelines now extend substantially further — but this does not reduce the case for starting compliance work early. Documentation, risk management processes, and oversight mechanisms still take time to build correctly.
Treat compliance as a build-time requirement rather than a post-deployment retrofit. The organisations doing that now will be in a fundamentally better position.
What the Act Does NOT Require (Clearing Up Common Misconceptions)
It does not prohibit AI in HR. An AI agent that shortlists candidates or schedules interviews is not banned; it is regulated. With the right oversight, documentation, and disclosure, HR automation remains entirely viable.
It does not require EU approval before you deploy. There is no pre-market licensing authority in the way there is for pharmaceuticals. The model is closer to product liability: you bear responsibility for the system you put into service.
It does not only apply to AI companies. If you are a Swiss manufacturing firm deploying an agent that monitors worker output, you are the “deployer” under the Act, and obligations apply to you — not just to the company that built the underlying model.
It does not require perfect AI. The Act requires demonstrable due diligence: documented risk assessment, testing, human oversight, and accurate disclosure. Reasonable imperfection in a well-governed system is a very different position from undocumented deployment.
What Swiss Businesses Specifically Need to Watch
Switzerland is not an EU member state, but the AI Act applies to organisations whose AI systems have effects on people in the EU. A Swiss company with EU customers, EU employees, or EU-facing services needs to take the regulation seriously.
Switzerland also has its own data protection obligations under the nFADP (Neue Datenschutzgesetz / LPD), which interacts with how AI agents process personal data. The two frameworks are complementary, not identical — see AI Agents and Swiss Data Protection: nFADP in Practice for the specifics.
For businesses operating across both, building a single compliance architecture that satisfies both is almost always more efficient than running two parallel workstreams.
High-Risk Compliance Is an Engineering Problem, Not Just a Policy One
Most of the EU AI Act’s high-risk requirements are not tick-box exercises. They require decisions made during system design: how oversight mechanisms are built in, how data quality is monitored, how logging supports auditability. You cannot retrofit a meaningful human-in-the-loop requirement onto an agent designed to act autonomously on employment decisions — you have to redesign the agent.
This is why AI agent governance cannot be an afterthought. The organisations managing it well treat compliance requirements as design constraints from day one, alongside security and performance.
Where to Start if You’re Not Sure Where You Stand
If you have AI agents in production — or are building toward that — start by mapping each system to the risk tier it most likely occupies. For most SMBs, this is a half-day exercise with the right guidance, and it answers three questions:
- Are any of our current or planned agents high-risk?
- What do we need to document, and by when?
- Which systems need human oversight mechanisms, and how should they work?
If you need help with that classification exercise, our AI Strategy team runs structured assessments for exactly this. You can also explore how compliance intersects with your broader agent security posture in our article on AI Agent Security Risks.
Ready to understand where your AI agents stand under the EU AI Act? Book a 30-minute compliance scoping call with Orange ITS — we’ll map your use cases to the risk tiers and give you a clear picture of what’s required and when.