

The EU AI Act will become applicable on August 2, 2026. If you run an e-commerce business and use AI on your website, this regulation applies to you.
That's why we've prepared this checklist with the 10 key obligations you should review before that date.
Before you can comply with anything, you need to know what you have.
Make an inventory:
The Regulation bans specific AI uses, such as subliminal manipulation of consumer behavior or certain profiling systems. Review your personalization, dynamic pricing, and product recommendation tools to make sure none of them crosses these limits.
The Regulation requires that people who use AI systems within your company have a sufficient level of understanding about how they work, their risks, and their limitations.
If your customer service uses an AI-powered chatbot or voice assistant, the Regulation requires that the person know, from the very first contact, that they're talking to an AI system and not a human, unless this is obvious from the context. Review your chat widget and any conversational assistant on your website: is it clear that it's AI, or could it be mistaken for a human agent?
Some ecommerce businesses are starting to test AI that analyzes facial expressions or tone of voice during customer service video calls, or systems that categorize people based on biometric data. If you use any of these tools, you must expressly inform the person exposed to the system and process their data in accordance with GDPR.
Product photos, banners, blog, emailing, social media: any image that has been substantially generated or retouched by AI falls within the scope of Article 50 obligations. This also includes content delivered by suppliers and external agencies, even if you didn't generate it directly.
The AI Act requires that, if an AI-generated or AI-manipulated image could be mistaken for real content (deepfake), this must be clearly disclosed at the moment the user views it.
Much of the compliance risk doesn't come from what you generate yourself, but from what third parties deliver to you without informing you that AI was used in the process.
The AI Act also requires disclosure when AI-generated or AI-manipulated text is published to inform the public about matters of public interest. This is relevant if your ecommerce has a corporate blog, an industry news section, or editorial content generated with AI without human review. If that content goes through human editorial review with responsibility for publication, the disclosure obligation doesn't apply; if you publish it directly from a model without supervision, it does.
Although as a deployer your documentation burden is much lighter than that of a provider, you should be able to demonstrate to a supervisory authority or to a client who asks about it, what process you follow to detect and label AI-generated content, and since when you've been applying it.