On this page
- Why the EU AI Act Reaches Your Benefit
- The Four Risk Tiers
- What’s Already Banned: Emotion Recognition at Work
- The Transparency Rule: Chatbots Must Say They’re AI
- When a Mental-Health Tool Is “High-Risk”
- The Application Timeline
- What Employers Should Do Now
- How This Connects to the US State Laws
- Bottom Line
- Related Reading
Why the EU AI Act Reaches Your Benefit
The EU AI Act (formally Regulation (EU) 2024/1689) is the European Union’s comprehensive law on artificial intelligence. It entered into force on 1 August 2024 and applies in stages through 2027. It is built on a risk-based approach: the more a given use of AI can affect people’s health, safety, or fundamental rights, the more the Act restricts or regulates it.
A mental-health tool is squarely in the Act’s field of view, because it processes sensitive information about people and, in some designs, tries to read their emotional state. If you offer such a tool to employees located in the EU or the EEA, you can carry obligations under the Act as a “deployer,” and the vendor carries the heavier obligations of a “provider.” Exactly where those obligations bite depends on what the tool does — which is why the risk tiers below matter more than the label on the box.
The Four Risk Tiers
The European Commission describes the Act as sorting AI systems into four risk levels:
- Unacceptable risk (prohibited). Uses judged “a clear threat to the safety, livelihoods and rights of people” are banned outright.
- High-risk. Uses that “can pose serious risks to health, safety or fundamental rights” are allowed but carry strict obligations before and after they go to market — risk assessments, quality data, activity logging, and human oversight.
- Transparency risk. Systems such as chatbots that interact with people must make clear the person is dealing with a machine, so they can make an informed decision.
- Minimal or no risk. Everything else, which the Commission notes is the “vast majority” of AI in use, carries no new obligations.
A single mental-health product can touch more than one tier at once — a chatbot (transparency) that is also a certified medical device (high-risk), for instance. So the practical exercise is not “which box is this in” but “which of these rules does this specific tool trigger, and when.”
What’s Already Banned: Emotion Recognition at Work
This is the part most benefits teams miss, and it is already law. Since 2 February 2025, the Act’s prohibitions have been in force — and one of them targets the workplace directly. Article 5 bans the use of AI systems “to infer emotions of a natural person in the areas of workplace and education institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons.”
Read that carefully, because the exception is doing a lot of work. Emotion inference at work is prohibited; the only carve-out is for tools placed on the market for medical or safety reasons. Whether a given AI mental-health tool falls inside that carve-out is a genuine, fact-specific question — and not one a benefits team should answer on the vendor’s say-so. If a tool markets “mood detection,” “sentiment analysis,” or “emotion tracking” of employees, put the burden on the vendor to explain, in writing, whether it performs emotion inference at all and, if so, the precise legal basis on which it relies. A tool that quietly infers employee emotions without a defensible medical-or-safety justification is not a compliance risk you want to discover after rollout.
The Transparency Rule: Chatbots Must Say They’re AI
The second rule that lands hard on this category is the transparency obligation in Article 50, which applies from 2 August 2026. It requires that providers of AI systems intended to interact directly with people ensure those people are informed that “they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect.”
For a mental-health benefit, that means an AI chatbot has to make clear it is not a human therapist — the same principle that already sits in some US state law. It is a low bar to clear technically, but a real one to verify: confirm the disclosure is present, is genuinely prominent (not buried in a terms-of-service link), and appears at the start of the interaction rather than only after an employee has begun confiding in it.
When a Mental-Health Tool Is “High-Risk”
The heaviest obligations fall on high-risk systems, and the most common route into that tier for a mental-health tool is the medical-device route. Under the Act, AI that is a safety component of — or is itself — a product regulated under existing EU product-safety law counts as high-risk. The Commission’s guidance is explicit that AI systems “embedded as a safety component in products covered by existing product legislation … or constitute such products themselves” qualify as high-risk, with those obligations applying from 2 August 2027 (36 months after entry into force).
The practical trigger is whether the tool is regulated as a medical device in the EU. A mental-health app that makes clinical claims — to diagnose, treat, or materially support the treatment of a condition — may qualify as a medical device, which would pull it into the high-risk tier with all that follows: conformity assessment, a risk- management system, high-quality training data, logging, human oversight, and technical documentation. A purely self-guided wellbeing app that makes no clinical claim generally will not. The line is exactly where clinical claims begin, which is one more reason to hold vendors to the clinical-validity questions in your RFP rather than take “clinically proven” at face value.
One caveat on timing. On 19 November 2025, as part of a “Digital Omnibus” simplification package, the European Commission proposed to adjust the timeline for the application of the high-risk rules. As of writing, that proposal is still under consideration by the European Parliament and the Council — it is not adopted law. Treat the statutory dates below as the baseline and confirm the current in-force timeline before you rely on any specific deadline.
The Application Timeline
The Act applies in phases. The dates that matter for a mental-health benefit are:
| Date | What starts to apply | Relevance here |
|---|---|---|
| 1 Aug 2024 | Entry into force | Clock starts; no obligations yet |
| 2 Feb 2025 | Prohibitions + AI-literacy duties | Workplace emotion-recognition ban is live |
| 2 Aug 2025 | Governance + general-purpose-AI rules | Mostly vendor-side (model providers) |
| 2 Aug 2026 | Remainder of the Act, incl. Article 50 transparency | Chatbots must disclose they are AI |
| 2 Aug 2027 | High-risk rules for regulated products (medical devices) | Applies if the tool is a medical device |
Dates confirmed against the European Commission’s “Navigating the AI Act” FAQ and its implementation timeline, subject to the Digital Omnibus proposal noted above.
What Employers Should Do Now
You do not need to become an AI lawyer to procure responsibly. Fold a short set of EU-specific questions into the vendor evaluation you are already running:
- Does the tool infer employees’ emotions? If yes, on what legal basis under the Article 5 workplace prohibition — and can the vendor put that in writing?
- How does it disclose that it is AI? Ask to see the exact wording and placement of the Article 50 disclosure your EU employees will see.
- Is it a medical device in the EU? If it makes clinical claims, ask whether it is CE-marked as a medical device and how it is preparing for the high-risk obligations.
- Who is the provider, and are you the deployer? Get the roles named in the contract, and confirm the vendor will supply the information a deployer needs to meet its own obligations.
- Where is employee data processed? The AI Act sits alongside the GDPR, not instead of it — the privacy questions in our data-and-compliance guide still apply to your EU workforce.
How This Connects to the US State Laws
The EU is not moving alone. Two 2025 US state laws push in the same direction: the Illinois WOPR Act, which limits AI from delivering therapy without a licensed professional responsible, and Utah’s HB 452, which requires mental-health chatbots to disclose that they are not human. The common thread — a human kept responsible, and users told plainly they are talking to a machine — is quickly becoming the global floor rather than a regional quirk. We cover the US side in depth in our guide to AI mental-health benefits and legal risk; if you operate on both sides of the Atlantic, treat the stricter of the two regimes as your design target and you will usually satisfy both.
Bottom Line
For an employer offering an AI mental-health benefit to EU or EEA staff, three things are worth holding onto. First, the workplace emotion-recognition ban is already in force — if a tool reads employees’ emotions, that is a live compliance question today, not a 2026 one. Second, from 2 August 2026 any chatbot has to tell your employees it is AI. Third, a tool crosses into the heavily regulated high-risk tier mainly when it is a medical device — which is to say, when it makes real clinical claims — and those obligations phase in through 2027, on a timeline the Commission has proposed to adjust but not yet changed. None of this is a reason to avoid the category; it is a reason to make your vendor prove, in writing, which rules its product triggers and how it meets them.
This page is general information for benefits decision-makers, not legal advice. EU AI regulation is developing quickly and its application to a specific product turns on facts we cannot assess for you — confirm your obligations, and any vendor’s claims, with your own qualified counsel before you sign.
Related Reading
- AI Mental Health Tools for Employee Benefits: An HR Buyer’s Guide — the full vendor-evaluation guide this page feeds into
- AI Mental-Health Benefits and Legal Risk — the US side: HIPAA, ADA, ERISA, and the new state AI-therapy laws
- The AI Mental-Health Vendor RFP Checklist for HR — the questions to put to every vendor, in one place
- HIPAA and AI Mental-Health Tools for Employers — the privacy leg, which sits alongside the AI Act and the GDPR