8 min read · Ilya Ivanov

EU AI Act for AI Agents: What Actually Applies to You

  • EU AI Act
  • Compliance
  • AI Agents

If you are shipping AI agents into production this year and your company touches the EU market, your legal team will ask one question before anything else: what is the risk classification?

Most teams discover the EU AI Act through a Slack thread after the first pilot. They find a 113-article regulation, bounce off, and end up guessing. This guide is a practical pass-through: enough to answer the classification question correctly for your agent, and enough to know which obligations land on you.

What the EU AI Act is in one paragraph

The EU AI Act (Regulation (EU) 2024/1689) is the first horizontal AI regulation in the world. It applies to any AI system placed on the EU market or whose output is used in the EU, including AI agents, regardless of where the company is incorporated. It classifies AI systems by risk, attaches obligations to each tier, and splits responsibility between providers (who build the system) and deployers (who use it). Penalties scale up to €35M or 7% of global turnover.

Three things to internalise before anything else:

  1. It is extraterritorial. Being in the US does not exempt you.
  2. It applies to AI systems, not models alone. An agent (a model plus tools, memory, and orchestration) is a system.
  3. The obligation depends on who you are in the chain. The same agent can create different obligations for the vendor and the customer.

The four risk tiers

The Act sorts every AI system into one of four tiers.

Unacceptable risk (prohibited). Social scoring of individuals, real-time remote biometric identification in public spaces, manipulative systems that exploit vulnerabilities, emotion inference in workplaces and schools. These are Article 5 prohibitions and they apply regardless of whether the actor is public or private. If your agent is in this bucket, you are not shipping it. Period. These prohibitions took effect 2 February 2025.

High risk. The interesting one. Annex III lists eight domains that pull systems into high-risk automatically:

  • biometrics and categorisation;
  • critical infrastructure management;
  • education and vocational training;
  • employment, HR, worker management (this catches résumé screeners, task-assignment agents, promotion scoring);
  • access to essential private and public services (credit scoring, insurance underwriting, benefits allocation);
  • law enforcement;
  • migration, asylum and border control management;
  • administration of justice and democratic processes.

A system is also high-risk if it is a safety component of a regulated product (medical devices, machinery, toys, elevators) under Annex I.

High-risk triggers the full obligation stack: risk-management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and cybersecurity requirements, post-market monitoring, CE marking, and EU database registration.

Limited risk. Systems that interact with humans (chatbots, most assistant agents), generative AI producing deepfakes or synthetic content, and emotion-recognition systems outside the prohibited contexts. The obligation is lighter: transparency. Users must know they are interacting with AI. Synthetic media must be marked as such in machine-readable form.

Minimal risk. Everything else. Spam filters, inventory agents, most internal productivity bots. No mandatory obligations, but the Act encourages voluntary codes of conduct.

Where most real AI agents actually sit

The honest answer for most teams: limited risk, with a non-zero chance of high risk depending on what the agent touches.

Walk through this quickly with your own agent:

  • Does it make or materially influence a decision about a person's employment, credit, insurance, education, or access to a public service? → high risk
  • Does it do biometric work of any kind? → high risk (or unacceptable)
  • Is it a safety component of a regulated product? → high risk
  • Does it interact with users or generate content on their behalf? → limited risk (transparency only)
  • None of the above? → minimal risk

The bucket that catches people: HR and access-to-services. A résumé-screening agent, a customer-support agent that decides refund eligibility, an internal ticketing agent that routes to a human reviewer: these can all land in high-risk depending on how much the human in the loop actually reviews. "There is a human in the loop" is not a free pass; the Act cares whether that review is meaningful.

Provider vs deployer: who owes what

This split is where most internal confusion happens. Your AI governance adviser will flag it first.

A provider places an AI system on the EU market or puts it into service under their own name or trademark. If you build the agent and sell or offer it, you are the provider.

A deployer uses an AI system under their authority in the course of a professional activity. If you buy the agent and run it inside your company, you are the deployer.

Same agent, different obligations:

Obligation | Provider | Deployer
Build the risk-management system
Technical documentation
CE marking & EU database registration (high-risk)
Use the system per instructions
Human oversight of operations
Log retention for the system's operation
Fundamental-rights impact assessment (public bodies & certain deployers)
Inform affected workers (employment use)
Transparency toward end users (limited-risk)

If you substantially modify a provider's system, change its intended purpose, or retrain it on your own data in a way that amounts to substantial modification under Article 3(23), you may become a provider yourself under Article 25. This matters for teams that build agents on top of foundation models.

The GPAI overlay

General-Purpose AI models, the foundation models behind most agents, carry their own obligations under Chapter V. Providers of GPAI models must publish a summary of training data, respect EU copyright law, and keep technical documentation. Models classified as carrying systemic risk (currently anchored to training compute above 10^25 FLOPs) have additional obligations: model evaluation, adversarial testing, serious-incident reporting, and cybersecurity standards.

If you are a deployer building on GPT-class, Claude-class, or Gemini-class models, most of this is your vendor's problem. But it is worth knowing it exists, because it shapes what those vendors can and cannot tell you about the model behind your agent.

Timeline

  • 2 February 2025: prohibitions on unacceptable-risk systems take effect.
  • 2 August 2025: obligations on GPAI providers take effect.
  • 2 August 2026: the rest of the Act begins to apply, including high-risk obligations for systems listed in Annex III.
  • 2 August 2027: high-risk obligations for systems embedded as safety components under Annex I take effect.

If you are shipping agents in 2026, you are already inside the enforcement window for GPAI and prohibitions. You are weeks away from full Annex-III enforcement.

A practical pre-deployment checklist

Before the first production action, answer these in writing:

  1. Classification. Which tier does the agent fall into? Attach the Annex reference.
  2. Role. Are you the provider, the deployer, or both (substantial modification)?
  3. Scope. Which systems does the agent touch? Which of those systems store data about EU individuals?
  4. Human oversight. Who reviews decisions the agent makes, how often, and what can they actually change?
  5. Documentation. Do you have a written description of the agent's intended purpose, data sources, and known limitations? Providers: technical documentation. Deployers: the instructions you received from the provider.
  6. Logging. For how long will you retain operational logs, and how?
  7. Transparency. If the agent interacts with users, how do they learn they are interacting with AI?
  8. Sector overlay. Is there GDPR Article 22 exposure (automated decision-making)? Sector regulation (medical device, financial services, employment law) that stacks on top?

Most of this fits on a single page per agent. Teams that can produce that page in minutes have already solved the problem. Teams that cannot are the ones who get stuck at security review.

Where Heron fits

Heron interrogates your AI agent, maps the risks, and produces exactly the artefact this checklist describes, with the relevant Annex references, sector overlays, and required evidence attached. You can run it yourself via the open-source CLI or use the hosted dashboard. Either way, the output is the approval-ready pack that your internal reviewers, or an enterprise customer's reviewers, will accept.

The Act is dense, but for most agent teams the real work is narrow: get the classification right, answer the eight checklist questions, and keep the evidence where the right person can find it.
