The EU AI Act in 2026: what museums, galleries, auction houses and theaters need to know

A short timeline of the AI Act

The EU AI Act entered into force in August 2024. Its provisions apply in waves: prohibited practices since February 2025, transparency obligations for general-purpose AI in 2025, and obligations for high-risk and limited-risk systems progressively through 2026 and 2027. For cultural institutions, the practical date that matters is when limited-risk transparency obligations apply to systems that interact directly with the public — which now does.

If you operate an AI phone agent, an AI chat agent, or an AI receptionist that talks to your visitors, you sit in the limited-risk category. Compliance is not heavy, but it is binding.

The three obligations that actually apply to you

For a museum, gallery, auction house or theater running an AI agent on phone or chat, three obligations are relevant in practice:

• Disclosure: the caller must be told they are interacting with an AI system, not a human. This applies on first contact and must be unambiguous.
• Human escalation: the caller must be able to ask for a human at any point. Silent escalation does not count — the user has to know the option exists.
• GDPR overlap: the AI Act does not replace GDPR. You still need a lawful basis (typically Article 6.1(f) legitimate interest for the agent, or 6.1(b) contract for ticketing), a retention policy, and a Data Processing Agreement (Article 28) with your AI vendor.

What this changes operationally

You probably already disclose recording for quality. Add one phrase: "You are speaking with an AI assistant." Done.

You need a documented human-escalation path. If you use AI ARTEDUSA, the agent supports the `talk_to_human` tool out of the box — any caller saying "I want to speak to someone" is transferred. Document the destination number in your knowledge base.

For GDPR: get the DPA from your vendor signed before going live. Ask for the list of sub-processors (LLM provider, STT, TTS, hosting). Make sure the audio stream is processed in the EU and that transcripts are not used for training.

Five questions to ask your AI vendor

Before signing, run this short due-diligence list:

• Where is the call audio processed? Which sub-processors? (You need this for the Transfer Impact Assessment.)
• Are my conversation transcripts ever used to train the model? (Hint: the only acceptable answer is "no".)
• Can a caller always ask for a human? How is this tested?
• What is the data retention policy by default, and can I shorten it?
• Will you sign a DPA aligned with GDPR Article 28? (You need this on file.)

Where AI ARTEDUSA stands

AI ARTEDUSA is a vertical agentic AI for art and culture. Knowledge base and transcripts stored in the EU. Audio streams processed via Twilio EU endpoints. No training on customer transcripts. DPA available. Human escalation built into every agent. AI Act limited-risk transparency disclosed on every call.

If you want to see the underlying provisions, the European Commission publishes the consolidated AI Act text at digital-strategy.ec.europa.eu. For the GDPR overlap, the CNIL has published a sector guidance specific to voice AI agents which is the cleanest French-language summary available.