EU AI Act Compliance

AI Chatbot EU AI Act Compliance: The SME Vendor Due Diligence Checklist

Deploying a chatbot without checking your Article 50 obligations first is a compliance risk you can avoid in an afternoon. Here is the exact vendor due diligence checklist every European SME needs before going live.

· 6 min read · By

EU-law graduate (Maastricht University) · MSc International Tax Law (AI & technology). Builds AI systems and advises SMEs on EU AI Act compliance.

The rule that catches most SMEs off guard

AI chatbot EU AI Act compliance is not optional, and the obligation kicks in earlier than most HR Directors and COOs expect. Under Article 50 of the EU AI Act, any deployer operating an AI system that interacts directly with natural persons must ensure those persons know they are talking to an AI. The requirement applies whether your chatbot handles customer support tickets, answers employee HR queries, or qualifies inbound sales leads. If it is powered by a generative model or otherwise mimics human conversation, the disclosure rule applies to you as the deployer.

The first compliance deadline for Article 50 obligations fell on 2 August 2025, twelve months after the AI Act entered into force. That date is already close. Procurement decisions made today lock in your compliance posture for months.

What Article 50 actually requires

Article 50(1) sets out four distinct obligations for deployers of AI systems that interact with humans:

  1. Timely disclosure. Users must be informed that they are interacting with an AI system before or at the very start of the interaction, not buried in a footer or terms page.
  2. Clear and distinguishable notice. The disclosure must be presented in a way that is easy to understand. A single line of greyed-out 9pt text does not meet this standard.
  3. Human override option. Where a user specifically requests a human agent, the deployer must make a genuine pathway available.
  4. Transparency about AI-generated content. Outputs that could be mistaken for authentic human communication must be labelled accordingly.

There is one limited exception: if it is obvious from context that the interaction is with an AI (think a clearly branded "RoboSupport" widget), formal disclosure can be lighter. But the Act does not define "obvious," so relying on this exception is risky without documented reasoning.

Penalties for non-compliance with Article 50 can reach €15 million or 3% of global annual turnover, whichever is higher, under Article 99. For an SME with €10 million in revenue, that ceiling is €300,000 per infringement.

Three chatbot scenarios, three compliance gaps to close

Customer-facing support bot

You embed a chatbot on your website to handle first-line support queries. This is the highest-visibility deployment and the one regulators will look at first. The gap most SMEs miss: the disclosure notice appears only after the user types their first message. That is too late. Article 50 requires notification before or at the start of the interaction. A simple, visible banner stating "You are chatting with an AI assistant" displayed when the chat window opens is sufficient, provided it is readable and not dismissible before the user sees it.

Internal HR bot

An HR bot that answers employee questions about leave entitlements, payroll queries, or disciplinary procedures carries additional obligations beyond Article 50. If the system influences decisions related to employment, it may also qualify as a high-risk AI system under Annex III of the AI Act, specifically category 4 (employment, workers management, access to self-employment). High-risk systems require a Fundamental Rights Impact Assessment, human oversight mechanisms, and technical documentation. Article 50 disclosure is the floor here, not the ceiling. You must also check whether your HR software vendor has provided the conformity documentation required under Article 27.

Sales qualification bot

A bot that scores or routes inbound leads is less likely to trigger high-risk classification, but the Article 50 disclosure obligation still applies in full. The additional risk here sits at the intersection of the AI Act and the AVG (GDPR): if the bot collects personal data during the conversation, you need a lawful basis, a retention policy, and a record of processing activity. The European Commission's guidance on AI and data protection confirms that the AI Act and GDPR operate in parallel, not as alternatives.

The vendor due diligence checklist

Before signing any contract for a chatbot or conversational AI tool, run every vendor through these twelve questions. Document the answers. If a vendor cannot answer clearly, that itself is a compliance signal.

Disclosure and transparency

  • Does the system display an AI disclosure notice before or at the start of every interaction, by default?
  • Can the disclosure text be customised to match your brand while remaining compliant?
  • Does the system support a clear escalation path to a human agent?
  • Does the vendor provide template disclosure language that satisfies Article 50?

Risk classification

  • Has the vendor confirmed in writing whether the system is classified as high-risk under Annex III?
  • If high-risk: is a Declaration of Conformity and technical documentation available?
  • Does the vendor support your obligation to provide information to deployers under Article 26?

Data and GDPR

  • Where is conversation data stored, and for how long?
  • Is the vendor acting as a data processor under the AVG, and is a Data Processing Agreement in place?
  • Does the system support data subject access and deletion requests?

Incident and audit readiness

  • Does the vendor maintain logs that you can access in the event of a regulatory inquiry?
  • What is the vendor's process for notifying you of material changes to the AI model?

Print this list. Use it as a literal attachment to your procurement process. Any vendor that refuses to answer these questions in writing should not make it past the shortlist stage.

What a compliant Article 50 notice looks like

The notice does not need to be long. It needs to be:

  • Visible before or at the moment the user begins typing
  • Plain language, not legal boilerplate
  • Accurate, meaning it correctly describes the nature of the system
  • Persistent, available throughout the session, not just at the start

A working example for a support bot: "Hi! I'm an AI assistant. I can answer most questions about your order, but you can ask for a human at any time by typing 'agent'."

For an internal HR bot, add the scope boundary: "I'm an AI assistant trained on [Company] HR policies. My answers are informational. For decisions affecting your employment, please speak with an HR team member."

These notices serve a dual purpose. They satisfy Article 50, and they manage user expectations in a way that reduces escalation volume.

AI literacy: the obligation nobody talks about

Article 50 gets the attention, but Article 4 is equally relevant for deployers. It requires that companies ensure sufficient AI literacy among staff who work with or oversee AI systems. For an SME, this means anyone who manages the chatbot configuration, reviews its outputs, or handles escalations must have documented, role-appropriate training. This is not a one-time tick-box. The regulation requires ongoing sufficiency, so training records need to reflect the current version of the tools in use.

For most SMEs, this obligation translates to two practical steps: a brief AI literacy module for the relevant team, and a simple training log that records who completed it and when.

Your next step

Vendor due diligence is not a one-afternoon job, but it is a manageable one when you have the right framework. Start with the twelve-question checklist above. Then map your existing chatbot deployments against the three scenarios described here to identify which ones need urgent attention and which need deeper high-risk assessment.

If you are unsure where your current tools sit, Khairos AI Comply offers a free 2-minute compliance check that flags your highest-priority obligations under the AI Act. Run it before your next vendor renewal.

Need help getting compliant?

The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.

Start the free check →