
AI Act and Voice Agents β Compliance Guide for SMEs 2025
The EU AI Act entered into force on 1 August 2024 and is regarded as the world's first comprehensive AI regulatory framework. For small and medium-sized enterprises that use or plan to use AI-powered telephony systems, pressing questions arise: what obligations are created? What is prohibited? And how do you stay on the safe side without jeopardising your project? This guide provides concrete answers.
Classification of Voice Agents Under the EU AI Act
The AI Act classifies AI systems by risk category: unacceptable risk, high risk, limited risk, and minimal risk. Voice Agents used in customer support or appointment scheduling typically fall into the limited risk category β provided no sensitive decisions such as credit granting or biometric identification are automated.
What "Limited Risk" Means in Practice
Systems with limited risk are subject primarily to transparency obligations. This means: your AI Voice Agent must clearly and comprehensibly inform callers at the start of the conversation that they are speaking with an AI system. This information must not be buried in fine print. A typically compliant greeting reads: "Good day, you are speaking with the automated assistant of [Company Name]. How may I help you?"
According to a Bitkom study (2024), 67% of German consumers do not know that they are interacting with an AI in certain service conversations. The AI Act sets a clear bar here: deliberate deception is prohibited.
Distinction from High-Risk Systems
A Voice Agent becomes a high-risk system if it:
- Makes or prepares personnel decisions (e.g. telephone candidate screening)
- Conducts creditworthiness assessments
- Is deployed in critical infrastructure (energy, water supply)
- Influences access to education or law enforcement
For the vast majority of DACH SMEs using Voice Agents for appointment booking, FAQ handling, or call routing, none of these categories apply.
Prohibited Practices β What Is Absolutely Excluded
The AI Act identifies in Article 5 practices that are completely prohibited. Those relevant to Voice Agents include:
- Subliminal manipulation: Techniques that unconsciously lead users to decisions that harm their interests
- Exploitation of vulnerability: Deliberately targeting the weaknesses of elderly, minor, or mentally impaired persons
- Social scoring: Rating persons based on their behaviour across unrelated areas of life
- Real-time biometric surveillance in public spaces
These prohibitions apply regardless of risk category and have been in force since 2 February 2025.
Transparency Obligations in Detail
Obligation to Identify AI
From 2 August 2026, all AI systems with limited risk operating in the EU must fulfil the transparency requirements. For Voice Agents this means:
- Disclosure at the start of the conversation: The user must know they are speaking with an AI before substantive interaction begins.
- Comprehensible language: The disclosure must be in the user's language β for DACH markets, therefore in German.
- No confusion through anthropomorphisation: The agent may bear a human name, but must nevertheless be identifiable as AI.
GDPR Interface
The AI Act and GDPR overlap considerably when Voice Agents record or process conversations. The following applies:
- Legal basis for recordings: Recording a conversation requires explicit consent (Art. 6(1)(a) GDPR) or another legal basis.
- Purpose limitation: Conversation data may only be processed for the stated purpose.
- Retention periods: Businesses must define how long conversation data is stored.
- Data minimisation: Only data necessary for the task may be collected.
In practice, this means: a Voice Agent that books appointments may capture name and appointment request, but must not ask unprompted about health data or financial situation.
Human Oversight β Requirements for Human Supervision
Even for systems with limited risk, the AI Act recommends implementing human oversight mechanisms. For Voice Agents in SMEs, this means:
- Escalation path: Every conversation must be able to be transferred to a human member of staff at the user's request.
- Monitoring: Regular review of whether the agent is correctly fulfilling its assigned tasks.
- Correctability: Incorrect responses or malfunctions must be quickly identified and corrected.
A robust system includes at minimum a weekly review of conversation logs for outliers and a clear procedure for updating the agent when new information arises.
Compliance Checklist for SMEs
The following checklist helps you maintain an overview:
Transparency
- AI disclosure implemented at the start of conversations
- Disclosure text formulated in clear language
- No misleading statements about the nature of the system
GDPR
- Privacy policy extended to cover AI telephony
- Legal basis for conversation processing documented
- Retention periods for conversation data defined
- Data processing agreement with AI provider concluded (Art. 28 GDPR)
Human Oversight
- Escalation path to human staff established
- Monitoring process for conversation quality defined
- Responsible person for AI oversight designated
Prohibited Practices
- No use for high-risk applications without a corresponding conformity assessment
- No manipulative dialogue patterns implemented
Timeline for SME Compliance
The AI Act provides for staggered deadlines:
| Deadline | Entry into Force | Content |
|---|---|---|
| 2 February 2025 | In force | Prohibition of unacceptable risk systems |
| 2 August 2025 | In force | Rules for general-purpose AI models |
| 2 August 2026 | Forthcoming | Transparency obligations for limited-risk systems |
| 2 August 2027 | Forthcoming | Rules for certain high-risk systems |
For most SMEs, 2 August 2026 is the decisive deadline. All transparency requirements should be implemented by then.
Practical Steps for anicall.io Users
If you use anicall.io for your telephony communication, we recommend the following steps:
Step 1: System Cataloguing (Now)
Document in which processes you use Voice Agents and what data is processed. This documentation is the foundation of every compliance measure.
Step 2: Transparency Audit (Q1 2025)
Review your current greeting texts and conversation flows. Ensure that the AI nature of the agent is communicated unambiguously.
Step 3: GDPR Alignment (Q1βQ2 2025)
Update your privacy policy and ensure that a data processing agreement with anicall.io is in place.
Step 4: Human Oversight Processes (Q2 2025)
Implement a clearly defined escalation path and designate a responsible person for AI oversight.
Step 5: Final Compliance Review (Q3 2025)
Conduct a final review before the August 2026 deadline β ideally with legal support.
Conclusion: Compliance as a Competitive Advantage
The EU AI Act may initially seem like a bureaucratic hurdle. In fact, however, it builds trust β and trust is the foundation of every successful customer relationship. SMEs that move early towards transparent AI telephony and act in compliance position themselves as responsible partners to their customers. At a time when 78% of German consumers β according to the Bitkom study (2024) β place the highest priority on data protection, this is not a nice-to-have, but a strategic advantage.
Get Started Now
Would you like to ensure that your Voice Agent deployment is AI Act-compliant from the outset? Our experts will guide you through the entire compliance process β from system setup to GDPR-compliant data management.