August 2026 is the deadline. That's when full enforcement of the EU AI Act kicks in for high-risk AI systems. Fines can hit 7% of global annual turnover. If you're using AI for sales outreach, here's what actually changes for you.
Most marketing AI is low-risk. That's not the problem.
The EU AI Act sorts AI systems into four risk categories: unacceptable, high, limited, and minimal. Most marketing and sales AI tools fall into limited or minimal risk. Email scoring, prospect ranking, personalisation engines — these aren't classified as high-risk systems.
But here's the catch. Using a compliant tool doesn't mean your use case is compliant. The regulation looks at how you apply the system, not just what the vendor built.
If you feed an AI tool customer data without proper consent, the tool's compliance status doesn't protect you. If your AI-generated email makes a false claim about a product's capabilities, that's on you, not the software.
We've seen this pattern before. GDPR didn't kill email marketing. It killed sloppy email marketing. The EU AI Act won't kill AI sales tools. It will kill sloppy AI sales practices.
The real enforcement risk for marketing teams lies in the interplay between the AI Act and existing data protection frameworks. A low-risk classification under the AI Act does not exempt you from GDPR obligations regarding lawful basis for processing, data minimisation, or the right to explanation. When your AI scores a prospect based on inferred attributes — such as purchase intent or job mobility — you are processing special categories of data if those inferences touch on protected characteristics.
The AI Act's transparency obligations also apply to limited-risk systems: you must disclose that content is AI-generated, which means every automated outreach email, chat response, or personalised landing page must carry a clear, machine-readable label. Failure to do so can trigger fines of up to €7.5 million or 1.5% of global annual turnover — penalties that apply regardless of the system's risk tier.
Moreover, the Act's enforcement timeline is staggered: obligations for limited-risk transparency take effect in August 2025, while general-purpose AI rules follow in August 2026. This phased rollout means your compliance burden shifts over time, not all at once.
The safest approach is to treat every AI-driven marketing action as if it were high-risk — document your data flows, audit your consent mechanisms, and maintain a clear chain of accountability for every output. Sloppy practices, not the technology itself, will draw the regulator's attention.
The penalty structure is designed to get your attention
Fines for non-compliance with the EU AI Act are tiered:
- Up to 7% of global annual turnover for prohibited AI practices
- Up to 3% for other non-compliance with obligations
- Up to 1.5% for supplying incorrect information to regulators
For a SaaS company doing £10M in revenue, 7% is £700,000. That's not a rounding error. That's a quarter of your sales team's salary budget.
The percentages mirror GDPR's structure. And we've seen GDPR fines hit companies that thought they were too small to matter. A UK-based real estate agency got fined £80,000 for sending marketing emails without consent. A German property portal got fined €525,000 for inadequate data deletion processes.
The EU AI Act will follow the same enforcement pattern. Regulators will make examples of companies in the first year. They'll target visible, well-funded firms to send a message. If you're a funded startup or a growing SaaS company, you're in the crosshairs.
But the penalty structure isn't just about the headline percentage. It's designed to create a cascading liability chain. If your marketing AI tool uses a third-party large language model that engages in a prohibited practice—say, scraping biometric data from social media to infer emotional states for ad targeting—you, as the deployer, are on the hook for the 7% fine, not the model provider. The Act assigns primary responsibility to the entity that places the AI system on the market or puts it into service. This means your due diligence obligations extend beyond your own code. You must audit your entire AI supply chain, including any pre-trained models or APIs you integrate.
Regulators will also consider the duration of non-compliance. A violation that persists for six months while you "iterate" on a fix will attract a higher penalty than one you remediate within weeks.
The first-year enforcement wave will likely focus on systems that process personal data without a lawful basis—exactly the kind of behavioural scoring or lead enrichment tools many sales platforms use. If your AI scores a prospect's likelihood to buy based on inferred demographic data without explicit consent, you're not just risking a fine; you're risking a public enforcement action that becomes a permanent part of your regulatory record, complicating future fundraising or acquisition due diligence.
What this means for your sales outreach pipeline
Three things change in August 2026. Not before. But you need to prepare now.
First, your data sourcing needs an audit. If you're scraping LinkedIn profiles or buying contact lists, check where the data originated. The AI Act doesn't change GDPR's consent requirements, but it adds transparency obligations. You need to tell prospects if an AI system made decisions about them. That includes automated prospect scoring and prioritisation.
Second, your personalisation engine needs documentation. If your AI tool drafts emails based on prospect behaviour, you need to document how the system works. What data does it use? How does it make decisions? Can a prospect request an explanation of why they received a specific email? These aren't theoretical questions. They're compliance requirements.
Third, your human-in-the-loop process is now a compliance feature. This is where MiraReach's design matters. We never send a message without a human pressing the button. That's not just good practice. It's a compliance advantage. The AI Act explicitly favours systems where humans maintain oversight. If your AI tool auto-sends emails, you're taking on more regulatory risk than necessary.
We wrote about a similar dynamic in the UAE market earlier this year. The UAE's 90-day compliance pipeline for safety rules created the same pattern: early movers who prepared ahead of enforcement dates captured market share while competitors scrambled.
The tools you use matter less than how you use them
This distinction between tool compliance and workflow compliance is where most teams will stumble. The AI Act doesn't certify tools; it certifies uses. A single platform can host dozens of use cases that fall into different risk categories simultaneously. Your email sequence generator might be minimal risk, but if that same tool also scores leads using protected characteristics—even indirectly through proxy data—you've crossed into high-risk territory without changing a line of code.
The penalty structure reinforces this point. Under the AI Act, non-compliance with prohibited practices can cost you the greater of €35 million or 7% of global annual turnover. But here's the nuance that marketing teams miss: those penalties apply per violation, not per tool. A single campaign that uses AI to infer sensitive data about prospects, then uses that inference to personalise outreach, could trigger multiple violations—improper data processing, failure to provide transparency, and lack of human oversight. The fines stack.
What we've seen work is a use-case inventory approach. Map every AI-assisted action in your outreach pipeline—from lead scoring to subject line generation—and classify each one against the Act's risk categories. Then document your human-in-the-loop controls for any action that touches financial data, employment status, or personal characteristics. The disclosure line in your email footer is a good start, but it should be paired with an internal log of which AI decisions triggered that disclosure and how the prospect can exercise their right to explanation. That log becomes your audit trail if a regulator asks questions.
The tools will keep updating their compliance certifications. Your workflow documentation is what actually protects you.
What we'd do next
Start with an audit of your current AI sales stack. Map every tool to its risk classification under the EU AI Act. Document how each tool processes prospect data. Add a transparency disclosure to your email templates.
Then move beyond the checklist. The real work is in the operational layer: assign a named person on your team (or yourself, if you're solo) to own the human-in-the-loop review for each high-risk or limited-risk tool. This isn't a one-time sign-off. You need a documented review cadence — weekly for outbound sequences, monthly for scoring models — and a log of every override or rejection the human reviewer made. That log becomes your audit trail if a regulator asks how you ensured "meaningful human oversight" under Article 14.
Next, map your data flows against the Act's prohibitions on inferring sensitive characteristics (Article 5). If your AI enriches prospect profiles with inferred ethnicity, political opinion, or health status — even indirectly — you're already in violation, regardless of penalty phase.
Finally, build a simple escalation path: when a prospect requests explanation of a decision made by your AI (Article 86), your team must be able to produce a plain-language rationale within 72 hours. That means your tool's output needs to be interpretable, not just accurate.
If you want to see how MiraReach handles compliance, give it a try. We built the human-in-the-loop requirement into the product from day one. Not because regulators asked. Because sending emails without human review is bad sales practice.
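A minimal way to keep the use-case inventory described in the previous section and the reviewer log described here, as an added example that is not MiraReach code or anything from the original post; the step names, the protected-characteristic list and the four checks are assumptions drawn from the article's own wording.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Characteristics the article says must never be inferred (Article 5); assumed list
PROTECTED = {"ethnicity", "political_opinion", "health_status"}

@dataclass
class AIAction:
    """One AI-assisted step in the outreach pipeline (a use-case inventory row)."""
    name: str
    tier: str                     # "minimal", "limited" or "high"
    inferred: set = field(default_factory=set)  # attributes the step derives
    human_review: bool = False    # a person approves before anything goes out
    discloses_ai: bool = False    # prospect-facing output carries an AI label
    sends_to_prospect: bool = False

def findings_for(action):
    """Compliance findings for one step, using the checks the article lists."""
    out = []
    if action.inferred & PROTECTED:
        out.append("infers protected characteristic (Article 5)")
    if action.sends_to_prospect and not action.discloses_ai:
        out.append("prospect-facing output lacks AI-generated disclosure")
    if action.sends_to_prospect and not action.human_review:
        out.append("auto-send without human-in-the-loop review")
    if action.tier == "high" and not action.human_review:
        out.append("high-risk step has no documented human oversight")
    return out

def audit_pipeline(actions):
    # Map every step to its findings; an empty list means nothing was flagged
    return {a.name: findings_for(a) for a in actions}

@dataclass
class ReviewLog:
    """Append-only record of human decisions: the audit trail the article asks for."""
    entries: list = field(default_factory=list)
    def record(self, step, prospect_id, decision, rationale):
        self.entries.append({"ts": datetime.now(timezone.utc).isoformat(),
                             "step": step, "prospect": prospect_id,
                             "decision": decision, "rationale": rationale})
    def explain(self, prospect_id):
        # Plain-language rationale for every logged decision about one prospect
        return [f"{e['step']}: {e['decision']} because {e['rationale']}"
                for e in self.entries if e["prospect"] == prospect_id]

# Constructed sample inventory for one outbound sequence (not real MiraReach steps)
PIPELINE = [
    AIAction("subject_line", "minimal", human_review=True, discloses_ai=True, sends_to_prospect=True),
    AIAction("lead_scoring", "limited", inferred={"purchase_intent"}),
    AIAction("enrichment", "high", inferred={"ethnicity"}),
    AIAction("auto_follow_up", "limited", sends_to_prospect=True),
]
```

Running `audit_pipeline(PIPELINE)` flags the enrichment and auto-follow-up steps and clears the other two, and `ReviewLog.explain` is what you hand over when a prospect asks why an AI made a decision about them.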
— Mira