The EU AI Act has been in force since 2024, but its enforcement calendar is staged. The first prohibitions on unacceptable-risk practices applied in February 2025. The transparency obligations on general-purpose AI models took effect in August 2025. The deadline that matters for the meeting AI category lands in August 2026: high-risk systems must meet the full set of provider obligations from that date forward.

For buyers and vendors of audio summarization tools, the question is: where does meeting AI fall in the risk classification, and what changes for procurement, vendor due diligence, and product positioning between now and the deadline?

This article is the practical answer, not the legal one. For the legal answer, you need a regulatory specialist; this article will help you brief them.

The EU AI Act enforcement window for high-risk AI systems takes full effect in August 2026. Most meeting and audio summarization tools fall into the limited-risk category, which carries transparency obligations rather than full high-risk compliance, but the line between limited and high risk is sensitive to use case, and procurement should know which side a given deployment sits on.

The risk classification, in plain language

The Act classifies AI systems into four buckets:

Unacceptable risk, banned outright. Social scoring, real-time biometric surveillance in public spaces with narrow exceptions, manipulative systems targeting vulnerabilities. Meeting AI does not land here.
High risk, heavily regulated. AI used for hiring decisions, credit scoring, education access, law enforcement, biometric identification, critical infrastructure. Meeting AI used as part of a hiring or performance decision pipeline can land here.
Limited risk, transparency obligations only. AI systems that interact with humans, generate synthetic content, or process biometric categorization for non-identification purposes. Meeting summarization typically lands here.
Minimal risk, no specific obligations beyond existing law (GDPR, etc.). Spam filters, AI in video games.

Where most meeting AI tools sit, generic summarization for productivity, is limited risk. The transparency obligations are real but tractable: users must be told they are interacting with an AI system, and synthetic content must be labelled.

When meeting AI becomes high risk

The risk classification follows the use case, not the tool. Two flags push a deployment toward the high-risk bucket:

The summary feeds a decision about a person. If the summary is used as input to a hiring decision, a performance review, a promotion, a termination, an education access decision, or a credit decision, the system that generates it inherits the risk classification of the decision pipeline. A meeting AI summarizing a hiring interview, with the summary then used in the hiring decision, is high-risk.
The system performs biometric categorization with identification effect. Speaker identification by voice across recordings can fall under biometric categorization rules even when used for transcription speaker labelling. The line is fine; consult counsel.

Most teams using meeting AI for routine status meetings, customer calls, and internal sync recordings are not in the high-risk bucket. Teams using it inside HR or recruitment workflows likely are.

Transparency obligations every vendor must meet

For limited-risk systems, the Act's Article 50 lays out transparency obligations:

AI interaction disclosure. Users must know when they are interacting with an AI system, unless that fact is obvious. For meeting AI, this means meeting participants must be informed when an AI bot or transcriber is on the call.
Synthetic content marking. AI-generated content must be marked in machine-readable form (think watermarking or metadata) so it can be identified as synthetic downstream.
Training data summary for general-purpose AI. Vendors of underlying GPAI models must publish a "sufficiently detailed" summary of the training corpus.

Buyers should expect the meeting AI vendor to address all three in their documentation. Vendors that handwave on transparency are setting up their customers for compliance friction.

What changes between now and August 2026

For vendors:

Obligation	Status	Action by August 2026
Article 50 transparency obligations	In force	Implemented in product UX, documented in DPA
GPAI model summary publication	In force since August 2025	Published, kept current
High-risk system conformity assessment (where applicable)	August 2026	Conformity assessment completed, technical documentation drafted (Article 11)
Post-market monitoring (high-risk only)	August 2026	System in place
Serious incident reporting (high-risk only)	August 2026	Reporting workflow defined

For buyers:

Document the use case. Is the summary feeding a decision about a person? If yes, you may be the deployer of a high-risk system, with your own obligations.
Update the records of processing. GDPR Article 30 records should reference the AI Act classification of each AI tool in use.
Refresh the vendor due diligence checklist. Add Article 50 transparency, GPAI training summary publication, and (for high-risk deployments) Article 11 technical documentation availability.

What this means for the procurement conversation

The AI Act does not invalidate any of the existing GDPR conversation. It adds a layer. The procurement template that worked in 2025, DPA, sub-processor list, retention policy, training-on-data clause, still works. It now has companions: AI Act risk classification, transparency provision, GPAI summary access.

For most buyers of meeting AI, the Act does not change the choice of vendor; it changes the documentation. The vendors who already documented transparency, retention, and non-training in the GDPR era are the same vendors with the cleanest AI Act story. The vendors who handwaved on GDPR are the same vendors who will handwave on the AI Act.

A note on retention

EnClair stores audio and summaries for 24 hours, then deletes both. Hosting is in Europe. We do not train models on user inputs or outputs. The full posture is on the security page. For the GDPR-side conversation that paired with this one, see the GDPR-compliant meeting summarization article.

What to take from this

The EU AI Act August 2026 deadline is real and the work to meet it is real, but for most meeting AI deployments, generic productivity summarization, the obligations are tractable. The deployments that need the most attention are the ones inside HR, hiring, and performance pipelines, where the summary becomes input to a decision about a person. Document the use case, brief your counsel, and pick vendors that documented transparency before they had to.

Sources: EU AI Act high-level summary, European Parliament, first regulation on AI. This article is general guidance, not legal advice; consult qualified counsel for your specific deployment.