The EU Artificial Intelligence Act is the world’s first comprehensive AI regulation, and its most significant obligations for online stores come into full force on 2 August 2026. If you sell to anyone in the EU, regardless of where your business is based, this regulation applies to you.
This guide covers what the Act requires, how it maps to common tools used on WordPress/WooCommerce and Shopify, and what both B2B and DTC operators need to do before the enforcement deadline.
What the EU AI Act Is
The EU AI Act classifies AI systems into four risk tiers:
- Unacceptable risk: banned outright (e.g. government social scoring systems)
- High risk: systems affecting employment, safety, credit, or access to services, subject to strict compliance obligations
- Limited risk: must meet transparency and disclosure requirements
- Minimal risk: largely unregulated
For most ecommerce stores, the relevant category is limited risk. Obligations centre on transparency and disclosure rather than prohibitions. Most retail AI tools (recommendation engines, AI search, demand forecasting, and merchandising algorithms) fall into this category, meaning businesses can continue using them, though disclosure requirements apply.
A full high-level summary of the Act is available at artificialintelligenceact.eu.
Key Dates
The Act has a phased rollout:
- 1 August 2024: Act entered into force
- 2 February 2025: Prohibited AI practices banned; AI literacy obligations active
- 2 August 2025: GPAI (General Purpose AI) model obligations active
- 2 August 2026: Article 50 transparency obligations enforceable for all deployers (the primary deadline for ecommerce operators)
- 2 August 2028: Extended transition period ends for high-risk AI in regulated products
Source: European Commission AI Act overview
Who the Rules Apply To
The Act applies based on where your customers are, not where your business is incorporated. A store based in the US, UK, or Australia that sells to EU residents is in scope.
The regulation distinguishes between two roles:
- Providers: companies that build AI systems (OpenAI, Adobe, Shopify as a platform)
- Deployers: businesses that use AI systems in their operations
As a store owner using third-party AI tools, you are almost certainly a deployer, and the transparency obligations apply to you directly. Your responsibility does not disappear because the AI tool came from a vendor; you remain accountable for how it is used.
Source: Complyo — Article 50 guide for ecommerce
What Counts as AI Under This Regulation
If your store uses any of the following, the transparency rules apply:
- AI writing tools: Shopify Magic, ChatGPT, Claude, Jasper, Copy.ai for product descriptions, email copy, or marketing content
- AI image generation or enhancement: Midjourney, DALL-E, Stable Diffusion, AI background removers, AI product photography tools
- AI chatbots: Tidio, Zendesk AI, Shopify Inbox, or any bot that customers could mistake for a human
- AI recommendation engines: Shopify Search & Discovery, Nosto, Rebuy, personalisation algorithms
- AI email tools: Klaviyo AI-generated subject lines and body copy
- AI translation and localisation: tools that go beyond literal translation into cultural rewriting
Source: Complyo — Article 50 guide for ecommerce
The Fines
Transparency violations under Article 50 sit in the third penalty tier:
- Up to €7.5 million or 1.5% of global annual turnover, whichever is higher
- For SMEs and startups, the lower of the two amounts applies
In practice, regulators are expected to start with warnings for smaller businesses, as GDPR enforcement followed a similar pattern. However, enforcement is genuinely active. The EU issued its first Digital Services Act fine (€120 million, against X/Twitter) in December 2025, demonstrating that the enforcement machinery is operational.
As of April 2026, 78% of organisations are not yet AI Act compliant.
Sources: Axelwin EU compliance guide · Complyo
Shopify: What Changes and What Doesn’t
Shopify has acknowledged the EU AI Act in its terms of service updates but has placed compliance responsibility on merchants. The platform provides the tools; merchants are responsible for disclosures and documentation. Shopify Magic, for instance, generates product descriptions without adding any AI disclosure labels to the output. As of mid-2026, there is no automatic compliance feature built in.
Visible content disclosures. Any product description primarily written by an AI tool needs a disclosure that customers can see. A note along the lines of “This description was created with AI assistance” satisfies the intent. The key is that it exists and is visible.
Machine-readable metadata for AI images. A visible disclaimer alone is not sufficient for AI-generated images. The Act requires machine-readable markers, specifically C2PA (Content Credentials Provenance) metadata, embedded in any product image that was substantially created or modified by AI. Adobe Photoshop 2025+ has C2PA built in. Note that some platform upload pipelines strip image metadata during processing, so you should test your upload workflow end to end.
Chatbot disclosure. Any AI-powered customer service bot must clearly identify itself as non-human at the start of the interaction.
Third-party app audit. Every Shopify app using AI (marketing automation, recommendation engines, review management) brings obligations with it. Review vendor contracts to confirm they are themselves compliant.
On AI images and the deepfake provision. Article 50.4 specifically targets AI-generated or AI-manipulated content depicting real people, places, or events in a way that could mislead. A product photo with an AI-generated background is not a deepfake. An AI-generated model that looks like a real human wearing your clothing is, and must be disclosed.
Sources: EasySell — EU AI Act for Shopify merchants · Rewarx — product image compliance guide
WordPress and WooCommerce: More Control, More Responsibility
WordPress/WooCommerce stores face the same Article 50 obligations as Shopify stores. The open architecture creates both advantages and additional considerations.
Data sovereignty. WordPress allows full control over hosting infrastructure and data storage. This matters given the tension between EU data law and the US CLOUD Act, which can compel US SaaS providers to hand over stored data. Hosting on European infrastructure and using self-hosted or EU-based AI tools provides a more defensible data sovereignty position.
No platform-level safety net. With WordPress, the entire compliance burden sits with the store owner and their developer. Every plugin with AI functionality needs individual review. Many AI-powered WooCommerce plugins were built before this regulation existed and have not been updated.
Practical steps for WooCommerce operators:
- Audit every active plugin that uses AI functionality and confirm whether the vendor has addressed EU AI Act compliance
- Review your page builder for built-in AI writing features (Elementor AI, Divi AI, etc.), as these generate content without compliance output by default
- Confirm that your hosting setup and CDN preserve C2PA metadata when images are uploaded and delivered
- Consider whether third-party AI tools processing EU customer data expose you to CLOUD Act risk
Sources: IFG eCommerce — Shopify vs WooCommerce data sovereignty 2026 · Scandiweb — EU AI Act FAQ for ecommerce
B2B-Specific Considerations
B2B ecommerce operators face an additional dynamic: buyers and procurement teams at larger EU organisations are beginning to require suppliers to document their AI usage as part of vendor due diligence. If you run a trade portal, wholesale store, or subscription supply operation, expect to receive compliance questionnaires about your AI practices.
Early compliance is also a differentiator. Sellers who can demonstrate a documented approach to AI transparency are better positioned to win EU retail partnerships, marketplace trust badges, and B2B procurement contracts that increasingly ask about AI usage during onboarding.
Source: Rewarx — product image compliance guide
Where to Stay Updated
Regulatory guidance is still developing in several areas, including AI translation and localisation thresholds, with clearer implementation guidelines expected from the European Commission in Q4 2026. The enforcement date of 2 August 2026 is fixed, but interpretive detail will continue to emerge.
Recommended resources for ongoing developments:
- artificialintelligenceact.eu — independent tracker maintained by the Future of Life Institute, updated regularly
- EU AI Act compliance checker — 10-minute self-assessment tool
- European Commission AI Act page — official updates and implementation documents
- Article 50 transparency rules guide — practical guide to what providers and deployers must do by August 2026
