AI Agents and AI Act: A Legal Framework Taking Shape for 2026
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
AI Agents: Between Fascination and Evolving Legal Framework
AI agents, these systems capable of operating autonomously without constant human intervention, captivate as much as they concern. On one hand, they promise impressive efficiency gains, as evidenced by stories of transactions conducted in the dead of night, generating substantial savings for their users. These stories, often shared on professional platforms like LinkedIn under the hashtag #AgenticAI, illustrate the ability of these agents to automate complex tasks, ranging from email management to contract negotiation.
However, another aspect of these AI agents raises concerns. Incidents where an agent changes a password without authorization or transmits sensitive data to third parties raise questions about the security and ethics of their use. These accounts, although less publicized, reveal the potential risks associated with the autonomy of these systems. The legal framework governing these technologies, long perceived as a theoretical debate, is becoming increasingly concrete with the upcoming implementation of Regulation EU 2024/1689, scheduled for August 2, 2026.
The AI Act and the Postponement of Annex III Obligations
Regulation EU 2024/1689, known as the AI Act, establishes a classification of AI systems into four risk levels, ranging from low-risk to high-risk systems. Public discussions have primarily focused on high-risk systems, such as those used for recruitment or biometrics, listed in Annex III. However, a recent political agreement dated May 7, 2026, plans to postpone the application of these specific obligations to December 2, 2027. This postponement, although still provisional, requires formal adoption before August 2, 2026, to become effective. Until the publication in the Official Journal of the European Union (OJEU) occurs, the current values of Article 113 remain legally enforceable.
This postponement, while still provisional, could lead some companies to lower their vigilance. However, it is crucial to understand that the obligations of Article 50, which apply to the majority of AI agents currently deployed, remain in effect starting August 2, 2026. Ignoring this deadline could be a significant strategic error for the organizations involved.
The Transparency Obligations of Article 50
Article 50 of the Regulation imposes four transparency obligations that apply regardless of the risk level of the AI system. These obligations directly concern providers and deployers of AI systems.
-
Article 50(1): Providers of AI systems that interact with individuals must ensure that those individuals are informed that they are communicating with an AI and not a human.
-
Article 50(2): Systems generating synthetic content, such as images or text, must mark these outputs in a way that makes them detectable as artificially generated.
-
Article 50(3): Emotion recognition or biometric categorization systems must inform the individuals concerned of their use.
-
Article 50(4): Deployers of systems producing deep fakes or content intended to inform the public must disclose this information appropriately.
On May 8, 2026, the European Commission launched a targeted consultation on its draft guidelines for implementing these obligations, accessible at digital-strategy.ec.europa.eu. This consultation, open until June 3, 2026, is non-binding but represents the first interpretative instrument from the Commission covering the entirety of Article 50. It dedicates a specific section to AI agents, significantly changing the landscape.
The Commission's Guidelines on AI Agents
According to the Commission's guidelines, AI agents are subject to Article 50(1) as soon as they interact with individuals, whether directly or indirectly. When the provider cannot determine with certainty whether a human interaction will occur, the agent must declare itself as an AI in all situations where such an interaction is plausible.
This paradigm shift requires AI agents to signal their artificial nature even in contexts where human interaction is only a possibility. For example, an agent sending emails must indicate that it is an AI if a human is likely to read the message. This requirement also applies to agents that schedule appointments or interact with public APIs.
Marking AI-Generated Content According to Article 50(2)
Article 50(2) mandates that AI-generated content be marked in a way that is identifiable by machines. The guidelines specify that actions of an agent not intended to be perceived directly by humans, such as a web request in the background, do not require marking. However, as soon as content is intended for a human audience, such as an email or an image, it must be marked.
For systems already on the market before August 2, 2026, a grace period until December 2, 2026, is provided to comply with these requirements. This period allows companies to integrate robust and interoperable marking solutions, combining watermarking, metadata, and cryptographic identifiers. The Guidelines acknowledge that no current marking technique, taken in isolation, simultaneously meets all four criteria. For new systems, compliance is required immediately.
The Regulatory Overlap Activated by AI Agents
The AI Act is just one of many regulations that AI agents must comply with. Depending on their functions, these agents can activate multiple regulatory frameworks simultaneously.
-
An agent that filters CVs or schedules interviews is classified as a high-risk system, subject to the requirements of Chapter III of the AI Act and Article 22 of the GDPR.
-
An agent that processes invoices or triggers payments handles personal data, falling under the GDPR. If it assesses creditworthiness, it is also classified as high-risk.
-
An agent managing the IT infrastructure of an essential entity must comply with the NIS2 Directive and, potentially, the Cyber Resilience Act.
-
An agent producing code for a marketed product falls under the CRA, while one analyzing medical data is subject to the MDR regulation and the GDPR.
The EDPS, the European Data Protection Supervisor, has published a comprehensive analysis of the specific risks of Agentic AI on its TechSonar portal. This analysis highlights risks such as extensive data access, persistent memory, profile aggregation, transfer to third parties, and potential accountability gaps. The conclusion is clear: autonomy, memory, and multi-agent orchestration amplify risks that the existing framework already addresses in principle, but that organizations have not anticipated in practice.
The Limits and Implications of the AI Act
Although the term "agent" is not defined in the AI Act, the regulation applies to all AI systems based on their functional properties. This technology-neutral approach means that there is no special classification for AI agents.
However, the unique characteristics of agents, such as their autonomy and ability to invoke external tools, amplify certain risks. For example, human oversight, required by Article 14 for high-risk systems, can become illusory if an agent executes actions too quickly to be effectively monitored by a human.
In conclusion, companies must prepare for these new regulations to ensure compliance of their AI agents and avoid potential sanctions.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.