Retail and e-commerce use AI for product recommendations, dynamic pricing, customer service bots and content generation. The EU AI Act (Regulation (EU) 2024/1689) affects these use cases in different ways depending on the system's function. The Regulation applies directly across the EU; no separate national implementing act is required for the AI Act itself.
When Annex III applies – and when it does not
Annex III lists the specific high-risk areas. Common e-commerce applications such as recommendation systems and dynamic pricing normally fall outside the Annex III categories, because these categories concern specifically designated societal domains rather than commercial product recommendation.
This does not mean, however, that such systems are unregulated. They may be covered by the transparency obligations in Article 50 and, above all, by the prohibitions in Article 5. An assessment must be made in each individual case based on how the system is actually used.
Transparency under Article 50
Article 50 sets transparency requirements for, among other things, interaction with AI systems and AI-generated content. For e-commerce this is particularly relevant to chatbots: a natural person must be informed that they are interacting with an AI system, unless this is obvious. Requirements may also apply to the labelling of AI-generated content. Article 50 applies from 2 August 2026.
Prohibited manipulative practices under Article 5
Article 5 prohibits certain practices, including systems that use subliminal or deliberately manipulative or deceptive techniques, or that exploit vulnerabilities, in a manner that materially distorts a person's behaviour and causes or is likely to cause significant harm. For retail and e-commerce this is relevant to consider when designing recommendation and pricing logic as well as customer interaction.
Article 5 has been in force since 2 February 2025, as has Article 4 on AI literacy. Infringements of Article 5 carry the most severe penalties.
Roles: provider and deployer
A retail company that purchases AI tools is typically a deployer, while the developer is the provider. Article 25 can reclassify a deployer as a provider, for example in the event of a substantial modification or putting its own name on the system. Should a system exceptionally fall within Annex III, the deployer obligations in Article 26 apply.
Timeline
- 2 February 2025: Article 4 (AI literacy) and Article 5 (prohibited practices) in force.
- 2 August 2026: Article 50 (transparency) applies. The Annex III obligations for deployers apply from this date under the original timeline.
- 2 December 2027: Proposed postponement of the Annex III obligations via the Digital Omnibus (approved by the European Parliament on 16 June 2026; the Council is awaiting publication in the Official Journal). This is a Digital Omnibus proposal and is not yet in force.
Penalties
Under Article 99, prohibited practices under Article 5 can result in fines of up to EUR 35 million or 7% of global annual turnover. Infringements of, among others, Article 50 and high-risk obligations can result in fines of up to EUR 15 million or 3%. Incorrect information can result in fines of up to EUR 7.5 million or 1%.
Before purchasing
- Determine whether the AI system falls within any Annex III category (usually not for recommendation/pricing).
- Review recommendation and pricing logic against the Article 5 prohibitions.
- Ensure Article 50 transparency for chatbots and AI-generated content ahead of 2 August 2026.
- Establish your role: deployer or provider – and monitor Article 25.
PowerQuant is delivered as documentation support: Module 1 (AI inventory + Article 4 register) and Module 2 (Provider documentation package).
This page is general information about the AI Act and does not constitute legal advice.