How the EU AI Act Will Affect Online Stores
Tomasz runs a mid-size electronics store on PrestaShop, selling headphones, smart-home gear, and accessories across four EU countries. Over the past two years he's added a GPT-powered chatbot for customer support, a dynamic pricing plugin that adjusts prices based on competitor scraping and stock levels, and — more recently — an AI tool that generates lifestyle images for product listings instead of paying for photography. None of it felt like a legal question until his marketing agency mentioned, almost in passing, that "the AI Act probably applies to at least two of those."
It does, in different ways and on different timelines. The AI Act (Regulation (EU) 2024/1689) isn't a single switch that turns on and makes AI illegal or legal — it's a risk-based framework, and most eCommerce AI use falls into the lower tiers, which mostly means disclosure obligations rather than bans.
The AI Act classifies systems by risk, not by "is it AI"
The regulation sorts AI systems into four rough bands: unacceptable risk (banned outright), high-risk (heavily regulated, mostly outside typical retail use), limited risk (transparency obligations — this is where most store AI lands), and minimal risk (largely unregulated). A chatbot, a product-description generator, and a dynamic pricing tool are unlikely to be high-risk under current scoping, but they're not exempt from the law either — they usually fall into that limited-risk transparency band.
What's already banned — since February 2025
Prohibited practices under the AI Act have applied since 2 February 2025, which means this isn't a future concern for some stores — it may already be a live violation. Relevant examples for retail include AI systems designed to exploit vulnerabilities (age, disability, specific social or economic situation) to materially distort behaviour, and certain uses of biometric categorisation. A chatbot engineered to specifically target and pressure vulnerable customers into purchases they wouldn't otherwise make would fall foul of this — aggressive personalised discount timers alone generally wouldn't, but the line is about intent and effect, not the technology itself.
Transparency duties from August 2026 — the one that touches the most stores
From 2 August 2026, transparency obligations apply to AI systems that interact directly with people or generate content. In practical terms for a PrestaShop store, that means:
- Chatbots and virtual assistants need to disclose that customers are interacting with an AI system, not a human, unless it's obvious from context.
- AI-generated or AI-manipulated images, video, or audio used in marketing may need labelling as such in certain contexts, particularly where it could otherwise mislead.
- Emotion-recognition or biometric-categorisation features (rare in retail, but present in some advanced personalisation tools) carry their own disclosure requirements.
This is the deadline most merchants should actually plan around — not the high-risk tier discussed below, which affects a narrower set of use cases.
Where dynamic pricing and recommendation engines actually sit
This is the part merchants ask about most, and the honest answer is: it depends on implementation, and formal guidance is still developing. Standard dynamic pricing based on stock levels, demand, or competitor pricing is not currently expected to be classified as high-risk under the Act as scoped. However, if a pricing or recommendation system incorporates profiling that could be considered to affect access to essential services, or exploits personal characteristics in a way that overlaps with other prohibited-practice language, it moves into riskier territory. This is an area to watch rather than panic about — treat firm claims that "dynamic pricing is high-risk" as premature until sector-specific guidance is published.
High-risk systems: a narrower band, arriving August 2027
Most high-risk AI system obligations apply from 2 August 2027, and they're built around use cases like biometric identification, employment screening, credit scoring, and critical infrastructure — categories that rarely map onto typical retail storefront tools. A merchant using AI purely for chat support, content generation, and pricing is unlikely to trigger this tier, but businesses using AI for credit-risk assessment on B2B accounts or algorithmic hiring for their own staff should review this category specifically, since it's a different compliance bar entirely — closer to the DSA and DMA obligations we cover in our guides on the Digital Services Act and broader EU compliance checklist.
Penalties: "small store" isn't automatic protection
Fines under the AI Act can reach into the tens of millions of euros or a percentage of global turnover for the most serious violations, with lower tiers for lesser breaches — the structure is deliberately similar in scale to GDPR penalties. In practice, enforcement against a seven-person PrestaShop store is unlikely to look like enforcement against a platform with millions of users, but "unlikely to be first in line" isn't the same as "exempt." Complaint-driven enforcement — a customer reporting an undisclosed chatbot, for instance — doesn't require a regulator to be actively hunting small merchants first.
A practical checklist for common storefront AI features
- [ ] List every AI feature live on your site: chatbot, recommendations, pricing, content generation, image generation, fraud scoring
- [ ] Confirm each chatbot or virtual assistant discloses it's AI, ahead of August 2026
- [ ] Review AI-generated marketing images for labelling needs where they could mislead
- [ ] Document your dynamic pricing logic in case you need to demonstrate it isn't profiling-based
- [ ] Flag any AI used for B2B credit decisions or staff hiring for separate high-risk review
- [ ] Assign one owner for AI Act compliance — don't leave it split between marketing and IT with nobody accountable
If you're building or expanding AI features rather than just auditing existing ones, our piece on how AI will transform PrestaShop stores is a useful companion, and the module-level implementation detail lives in our AI Act PrestaShop compliance guide.
The next concrete step for most stores: open a spreadsheet today, list every AI-powered feature on your site next to who built or licensed it, and mark which ones directly interact with customers. That list is what August 2026's transparency duties will actually apply to — and it takes about twenty minutes to build, which is a lot less painful than finding out about a gap from a customer complaint.
Frequently asked questions
Does the EU AI Act ban AI chatbots on eCommerce sites?
No. Chatbots aren't banned — they fall under transparency obligations that apply from 2 August 2026, requiring disclosure that customers are interacting with an AI system rather than a human, unless that's already obvious from context.
Is dynamic pricing considered high-risk under the AI Act?
Generally not, under current scoping — standard demand or competitor-based pricing isn't classified as high-risk. Systems that incorporate profiling touching on protected characteristics or exploit vulnerabilities carry more risk and deserve closer review.
When do AI Act obligations start applying to online stores?
Prohibited practices have applied since 2 February 2025. Transparency duties for chatbots and AI-generated content apply from 2 August 2026. Most high-risk obligations apply from 2 August 2027, but rarely touch typical storefront tools.
Can a small PrestaShop store be fined under the AI Act?
Yes, in principle — the law doesn't exempt small merchants by size. Enforcement priorities will likely focus on larger platforms first, but complaint-driven cases against smaller stores are possible, especially for undisclosed AI interactions.
Do AI-generated product images need a disclosure label?
In certain contexts, particularly where the image could mislead a customer, yes — labelling requirements for AI-generated or manipulated content fall under the transparency obligations starting August 2026.
Where should I start if I haven't reviewed my AI features yet?
List every AI feature live on your store, note which ones interact directly with customers, and check each against the August 2026 transparency deadline first — that's the phase most retail AI use actually falls under.
Related reading
- How AI Will Transform PrestaShop Stores
- AI Fraud Detection for Online Stores
- AI-Powered Dynamic Pricing Explained
- Digital Services Act Explained for Merchants
- Complete EU Compliance Checklist for Online Stores
