
EU AI Act for AI Agents

EU AI Act for AI Agents: risk classes, obligations and concrete compliance steps for deploying agents in the EU.

Definition

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive, horizontal AI regulation; it entered into force on 1 August 2024 and classifies AI systems on a risk basis into prohibited practices, high-risk, limited risk (transparency) and minimal risk. The term "AI Agent" is not defined in the legislative text: agentic AI systems are captured indirectly via the general definition of an AI system (Art. 3(1)), the high-risk categories in Annex III, the transparency obligations under Art. 50, as well as the GPAI and value-chain rules. This article is informational and does not constitute legal advice.

Key Takeaways

  • The EU AI Act (Reg. (EU) 2024/1689) has been in force since 1 Aug 2024; Art. 5 (prohibitions) and Art. 4 (AI literacy) have applied since 2 Feb 2025, the GPAI rules (Art. 51-55) since 2 Aug 2025.
  • "AI Agent" is not a legal category: agents are captured via the AI-system definition (Art. 3(1)), Annex III, Art. 50 and the GPAI/value-chain rules - what is always classified is the use case, not the architecture.
  • Art. 50 transparency obligations (chatbot disclosure, labelling of synthetic content, deepfakes) apply from 2 Aug 2026; the technical watermarking/labelling solutions must be implemented by 2 Dec 2026 according to the Digital Omnibus agreement.
  • The Digital Omnibus (political agreement 7 May 2026, formal adoption promised before 2 Aug 2026) postpones the Annex III high-risk obligations to 2 Dec 2027 and the Annex I product-safety AI to 2 Aug 2028 - until publication in the OJEU, the original deadlines remain the legal default (provisional).
  • Annex III names eight high-risk categories; for AI Agents the most relevant are employment (CV screening, performance evaluation), creditworthiness, life/health insurance pricing and critical infrastructure; profiling of natural persons always remains high-risk despite the Art. 6(3) exception.
  • Most DACH SMEs are deployers (Art. 26); Art. 25 is the trapdoor into the provider obligations - rebranding, substantial modification or repurposing to high-risk triggers full provider responsibility.
  • DACH specificity: Art. 26(7) requires informing employees/workers' representatives before putting into service - in DE via §§ 87, 90, 95 BetrVG (co-determination), in AT via §§ 91, 96 ArbVG, in CH via the Participation Act/CO 328b; this typically extends high-risk rollouts by 3-6 months.
  • Fines are tiered: up to EUR 35 million or 7 % of annual turnover (Art. 5), up to EUR 15 million or 3 % (e.g. Art. 25/26/50), up to EUR 7.5 million or 1.5 % (e.g. Art. 4); for SMEs the lower amount applies, and according to the Digital Omnibus this will also apply to small mid-caps in future.
Note: This article is informational and does not constitute legal advice. Provisional deadlines from the Digital Omnibus are clearly marked as provisional; until formal publication in the EU Official Journal (OJEU), the original application dates remain the legal default.

Why the EU AI Act is relevant for AI Agents - even though it doesn't actually recognise "agents"

The EU AI Act - formally Regulation (EU) 2024/1689 of 13 June 2024 - is the world's first comprehensive, horizontal AI regulation. It was published on 12 July 2024, entered into force on 1 August 2024 and is directly applicable in all Member States. For decision-makers in DACH companies that deploy or offer AI Agents, the key conceptual insight is: the AI Act defines neither "AI Agent" nor "Agentic AI". The Digital Omnibus of 7 May 2026 likewise introduced no agent definition.

Agentic AI systems - that is, AI systems that plan, invoke tools and execute multi-step action chains with reduced human involvement - are captured indirectly, via four legal anchors:

  • the general definition of an AI system (Art. 3(1));
  • the GPAI model rules (Art. 51-55) for the foundation-model layer beneath the agent;
  • the Annex III high-risk catalogue and the transparency layer of Art. 50;
  • the value-chain rules (Art. 25) where deployer-side composition, fine-tuning or prompt engineering becomes a substantial modification.

The practical consequence, and at the same time the most important rule of thumb for any compliance project: what is classified is never "the agent" as an architecture, but always the specific use case (intended purpose). An "office assistant" is not a legal object - an agent that performs CV screening very much is.

The definition of an AI system - and why every LLM agent falls under it

Under Art. 3(1), an "AI system" is a machine-based system that operates with varying levels of autonomy, may exhibit adaptiveness after deployment, and infers from the inputs it receives how to generate outputs - predictions, content, recommendations or decisions - that can influence physical or virtual environments.

The non-binding Commission guidelines on the definition of an AI system (C(2025) 924 final, published on 6 February 2025) break this down into seven cumulative elements, with the capacity to infer regarded as the decisive, indispensable distinguishing feature versus ordinary software. Purely rule-based systems, simple optimisation methods (linear or logistic regression) and classical data processing fall outside for lack of inference. Every serious AI Agent - LLM-based copilots, RAG systems with tool use, autonomous multi-agent orchestrations - meets all seven elements. Classical, deterministic RPA without inference, by contrast, generally does not.

The risk pyramid: four tiers plus a parallel GPAI regime

The AI Act layers AI systems into four tiers, plus a parallel regime for GPAI models. The tiers are not mutually exclusive: an agent can simultaneously be subject to Art. 5, Art. 50 and - via its foundation model - the GPAI rules.

| Tier | Content | Relevance for AI Agents | Applicable from |
|---|---|---|---|
| Prohibited (Art. 5) | Eight (nine with the Digital Omnibus) prohibited practices | Emotion recognition in the workplace, manipulative persuasion agents | 2 Feb 2025 (in force) |
| High-risk Annex I | AI as a safety component of regulated products (machinery, MDR/IVDR …) | Medical triage agents | 2 Aug 2028 (Omnibus, provisional) |
| High-risk Annex III | Eight standalone categories | HR, credit, insurance, infrastructure agents | 2 Dec 2027 (Omnibus) / 2 Aug 2026 (original) |
| Limited risk (Art. 50) | Transparency obligations | Chatbots, generative marketing agents, deepfakes | 2 Aug 2026; watermarking 2 Dec 2026 |
| Minimal risk | Everything else | Internal RAG agents, code copilots | Only Art. 4 literacy |
| GPAI models (Art. 51-55) | Parallel regime, model layer | Foundation-model layer of every agent stack | 2 Aug 2025 (in force) |

The strategic core message: most mid-market agent deployments fall into the bottom two tiers - with a small but high-impact subset (HR, credit, insurance, critical infrastructure, medicine) that lands in Annex III or Annex I.

Prohibited practices (Art. 5) - the red line

Eight categories have been entirely prohibited in the EU since 2 February 2025, backed by the highest fine tier (up to EUR 35 million or 7 % of worldwide annual turnover). The prohibition most directly relevant for DACH agents is Art. 5(1)(f): emotion recognition in the workplace - HR-analytics agents that infer employees' mood, focus or stress from video, audio or biometrics are prohibited (narrow exceptions only for medical and safety purposes). The Digital Omnibus added a ninth prohibition: AI systems for generating non-consensual sexual content and AI-generated child sexual abuse material; non-compliant systems must be withdrawn from the market by 2 December 2026.

High-risk Annex III - the eight categories

Annex III names eight standalone high-risk areas. The most important for AI Agents:

  • Employment and workforce management (point 4): recruitment and selection (CV screening), performance evaluation, promotion, termination, task allocation.
  • Essential private and public services (point 5): creditworthiness assessment and credit scoring (except fraud detection), risk assessment and pricing for life and health insurance, emergency call triage.
  • Critical infrastructure (point 2): AI as a safety component in transport, water, gas, electricity, critical digital infrastructure.

The remaining categories (biometrics, education, law enforcement, migration/asylum, justice and democratic processes) are less frequently relevant for the typical mid-market company.

Art. 6(3) exception: Even in an Annex III use case, a system is not high-risk if it does not pose a significant risk of harm - for example because it performs a narrow procedural task, improves the result of a previously completed human activity, detects deviations without replacing the human assessment, or carries out a preparatory task. Profiling of natural persons, however, always remains high-risk (Art. 6(3) second subparagraph). Anyone relying on the exception must document the justification (Art. 6(4)) and register the classification in the EU database (Art. 49(2)). The Art. 6(5) guidelines intended for practical implementation were originally due by 2 February 2026 but remained outstanding as of May 2026.

Examples: how specific AI Agents are to be classified

| Agent use case | Tier | Legal anchor |
|---|---|---|
| Marketing copywriting agent (internal) | Minimal + Art. 50(2) labelling | Art. 50(2) for synthetic content |
| Customer-service chatbot in retail | Limited (Art. 50(1)) | Chatbot disclosure |
| Internal knowledge management over confidential documents | Minimal | Only Art. 4 |
| Predictive-maintenance agent in manufacturing | Minimal | No Annex III anchor |
| HR CV-screening agent | High-risk Annex III(4)(a) | Art. 6(2) + Annex III point 4 |
| Performance-evaluation agent (employee ranking) | High-risk Annex III(4)(b) | Art. 6(2) + Annex III point 4 |
| Credit-decision agent (retail banking) | High-risk Annex III(5)(b) | Creditworthiness assessment |
| Payment-card fraud detection | Minimal/limited (carve-out) | Annex III(5)(b) exception |
| Health-insurance pricing agent | High-risk Annex III(5)(c) | Annex III point 5 |
| Mood-recognition agent in the workplace | Prohibited Art. 5(1)(f) | Art. 5 |

One important agent-specific peculiarity is runtime risk drift: the same agent platform can shift between risk tiers depending on the tool inventory connected at runtime. Adding an HR data source can turn a minimal-risk knowledge agent into an Annex III(4) high-risk system overnight. The classification should therefore be reassessed on every change to the tool configuration.

Deployer or provider? Art. 25 as the trapdoor

For DACH practice, the question of role is decisive. A deployer (Art. 3(4)) uses an AI system under its own authority - this is the default role of nearly all DACH SMEs. A provider (Art. 3(3)) develops a system and places it on the market under its own name or puts it into service. Someone who builds an internal HR-screening system solely for their own use does not "place it on the market", but does "put it into service", so the full provider obligations apply.

Art. 25 is the trapdoor through which a deployer becomes a provider - with all the obligations under Art. 16, including conformity assessment and technical documentation under Annex IV. Three triggers:

  1. Rebranding - placing one's own logo/trademark on a high-risk system already on the market (contractual allocation cannot override this);
  2. substantial modification under Art. 3(23) - a subsequent change not foreseen in the original conformity assessment that affects compliance with Art. 8-15 or changes the purpose;
  3. repurposing to high-risk - deploying a previously non-high-risk (or a GPAI) system for a new, now high-risk purpose.

For GPAI models, the Commission guidelines of 18 July 2025 introduce an indicative threshold: a downstream modification using more than one third of the original training compute counts as a substantial modification. Standard RAG, prompt engineering and light LoRA fine-tuning lie well below this. The agent-specific trap: building an agent that combines a third-party GPAI with its own tool-calling, memory and orchestration usually does not create a new GPAI model - but it does create a new AI system, whose provider is the integrator. This is the most common misclassification in DACH agent projects.

Deployer obligations (Art. 26) - the DACH mid-market core

The twelve operational obligations of Art. 26 apply from 2 August 2026 under the original timeline, and from 2 December 2027 (provisional) for most Annex III categories under the Digital Omnibus. The most important: use in accordance with the provider's instructions (26(1)); human oversight by competent, authorised persons (26(2)); monitoring and suspension in case of risk (26(5)); retention of the automatically generated logs for at least 6 months (26(6)); information of affected persons in the case of high-risk decisions (26(11)); cooperation with the right to explanation (26(12), in conjunction with Art. 86).

The DACH specificity: works council and staff representation (Art. 26(7))

Art. 26(7) is the norm most underestimated in English-language literature. Before putting a high-risk AI system into service in the workplace, employees and their representatives must be informed - which triggers the national co-determination procedures:

  • Germany: § 87(1) no. 6 BetrVG gives the works council a genuine co-determination right (not merely information) for technical equipment used to monitor behaviour/performance; §§ 90 and 95(2a) BetrVG require information or involvement in the case of AI-supported selection guidelines.
  • Austria: §§ 91 and 96 ArbVG establish participation rights of the staff representation/works council for personnel data systems and control measures that affect human dignity.
  • Switzerland: Participation Act (Art. 9, 10) and CO 328b.

In practice this means: Art. 26(7) information before putting into service, early works council/staff representation consultation, often resulting in a works agreement. This typically extends a high-risk rollout by 3-6 months and should be started in parallel with the FRIA.

Fundamental rights impact assessment (FRIA, Art. 27)

Art. 27 obliges certain deployers to carry out their own fundamental rights impact assessment (FRIA) - one of the few substantive obligations independent of the provider documentation. Affected are public-law bodies, private providers of public services, as well as private deployers of Annex III systems for creditworthiness (5(b)) and life/health insurance pricing (5(c)). Critical-infrastructure operators (Annex III(2)) are expressly exempt.

The FRIA must contain six elements (Art. 27(1)(a)-(f)): process description, duration and frequency of use, affected groups of persons, specific risks of harm, human oversight measures, and governance and complaint mechanisms. It must be carried out before first use, updated when facts change, and notified to the market surveillance authority (Art. 27(3)); the questionnaire to be developed by the AI Office (Art. 27(5)) had not been finalised as of May 2026. A GDPR DPIA (Art. 35) typically covers only 30-40 % of the FRIA content; an integrated DPIA-plus-FRIA is best practice. Each fundamental right must be assessed independently - a positive effect on one right cannot offset a negative effect on another.

Transparency obligations (Art. 50) - from 2 August 2026

Art. 50 sits between minimal risk and high-risk and applies independently of the high-risk classification. The substantive obligations apply from 2 August 2026; the transition period for the technical labelling/watermarking solutions was shortened by the Digital Omnibus from six to three months and ends on 2 December 2026 (provisional, subject to formal adoption).

The four obligations:

  • Art. 50(1) - providers must design AI systems intended to interact directly with humans so that users are informed that they are interacting with AI (except where obvious from the context; to be construed narrowly).
  • Art. 50(2) - providers must mark synthetic audio, image, video and text outputs as AI-generated in a machine-readable form.
  • Art. 50(3) - deployers of emotion recognition/biometric categorisation inform the affected persons.
  • Art. 50(4) - deployers label deepfakes as well as AI-generated text on matters of public interest (exception where there is human editorial responsibility).

The Commission published a first draft of a code of practice on labelling on 17 December 2025, a second on 3 March 2026 and draft guidelines on Art. 50 on 7-8 May 2026.

GPAI obligations (Art. 51-55) and the Code of Practice

The GPAI rules hit the model layer beneath every agent and have applied since 2 August 2025; fines for GPAI providers (Art. 101) are enforceable from 2 August 2026. All GPAI providers must provide technical documentation (Annex XI), downstream documentation for integrators (Annex XII - the central value-chain anchor for DACH agent builders), a copyright policy and a public training-data summary. From a cumulative 10^25 FLOP, a model is deemed a GPAI with systemic risk (Art. 51(2)) with additional obligations under Art. 55.

The GPAI Code of Practice of 10 July 2025 creates a presumption of compliance for Art. 53/55. The 26 signatories include Amazon, Anthropic, Google, IBM, Microsoft, OpenAI, Mistral AI, Aleph Alpha and Cohere; Meta has not signed. For DACH deployers this means: agents built on Claude, Gemini, Azure OpenAI or ChatGPT inherit a stronger compliance position by default, while the use of Llama/Meta models increases the due-diligence burden.

Fines and enforcement in DACH

| Tier | Maximum fine | Trigger |
|---|---|---|
| Tier 1 | EUR 35 million or 7 % of worldwide annual turnover | Art. 5 prohibited practices |
| Tier 2 | EUR 15 million or 3 % | Art. 16, 25, 26, 49, 50, 71 |
| Tier 3 | EUR 7.5 million or 1.5 % | False information + general infringements incl. Art. 4 literacy |

For SMEs, the lower amount applies in each case (Art. 99(6)); the Digital Omnibus extends this protection to small mid-caps (SMCs). In Germany, the Federal Network Agency (BNetzA) is to become the central market surveillance authority under the KI-MIG (cabinet draft 11 February 2026), with DAkkS as the notifying body; its AI Service Desk is already the de facto first point of contact. In Austria, the AI Service Centre at RTR/KommAustria acts as the coordination body, with a full-fledged market surveillance authority in preparation. Switzerland has no direct AI Act fines; FINMA (Guidance 08/2024 refers to Art. 9-15 of the AI Act), FMA equivalents and Swissmedic act on a sectoral basis. Via Art. 2(1)(c), however, Swiss companies can be captured if their agent outputs are used in the EU.

Timeline and the Digital Omnibus

| Date | Provision |
|---|---|
| 1 Aug 2024 | Entry into force |
| 2 Feb 2025 | Art. 4 AI literacy + Art. 5 prohibitions (in force) |
| 2 Aug 2025 | GPAI Art. 51-55, governance, most of the penalty provisions (in force) |
| 2 Aug 2026 | Art. 26, 27, 50, 73, full fine framework (original date) |
| 2 Dec 2026 | Deadline for Art. 50 labelling/watermarking (Omnibus, provisional) |
| 2 Dec 2027 | Annex III high-risk obligations (Omnibus, provisional) |
| 2 Aug 2028 | Annex I product-safety AI (Omnibus, provisional) |

The Digital Omnibus (political agreement Parliament/Council on 7 May 2026, formal adoption promised before 2 August 2026) postpones the substantive Annex III obligations to 2 December 2027 and the Annex I obligations to 2 August 2028. Important: the deferral concerns only the substantive high-risk obligations. Not postponed are Art. 4 (literacy), Art. 5 (prohibitions), the GPAI rules, Art. 50 (only the technical implementation deadline is shortened) and the fine framework. Until publication in the OJEU, the original dates of 2 August 2026 remain the legal default - a central safeguard for every DACH compliance roadmap. Renowned law firms (Latham & Watkins, Baker McKenzie, CMS, Gleiss Lutz, Bird & Bird) consistently warn: the deferral is no reason to pause the governance work.

Practical recommendations for DACH decision-makers

The strategic message is: use the additional time wisely, do not pause the work. A layered compliance posture typically comprises:

  1. AI literacy first (Art. 4) - a role-based, German-language programme integrated into the LMS, with documented completions. This obligation has been in force since February 2025, applies to all risk tiers and is the easiest for authorities to check.
  2. Use-case register - every agent with purpose, classification memo, owner and oversight role; reassess on every tool change (runtime drift).
  3. Vendor due diligence - confirmation of provider compliance, CoP signatory status of the foundation model, Annex XII documentation, contractual Art. 25 allocation and Art. 73 escalation paths.
  4. Design Art. 50 disclosure - chatbot notice ("You are chatting with an AI assistant"), labelling of AI-generated content, deepfake labels.
  5. Art. 26(7) process - start works council/staff representation consultation early (3-6 months lead time).
  6. FRIA + DPIA integrated where credit, insurance or public services are involved.

The typical DACH SME remains a pure deployer as long as it uses the system within the documented purpose, does not substantially modify the model, does not rebrand and does not repurpose it to a new Annex III purpose. The common self-deception "We only use Microsoft 365 Copilot, so we are not affected" is wrong: if Copilot is used to prepare an employment-related decision, the deployer lands in the Annex III(4) area. Equally wrong: "Open source is exempt" - the exception under Art. 2(12) is narrow and does not apply to high-risk applications, GPAI with systemic risk or Art. 50 transparency.

Reminder: This overview is informational and does not replace legal advice. For the binding classification of a specific AI Agent - in particular where it is close to Annex III, where Art. 25 reclassification is possible, or in cross-border Swiss matters - a case-specific legal review is required. Provisional deadlines of the Digital Omnibus are subject to formal adoption before 2 August 2026.
