Three regulations apply at once. AI agents are already executing the fourth.
Retailers, e-commerce platforms, marketplaces, direct-to-consumer brands. Digital commerce operates simultaneously under the AI Act, the Digital Services Act, and the Digital Markets Act, with autonomous AI agents now redefining what it means to execute a transaction.
How AI is changing retail and e-commerce
The dominant assumption in retail and e-commerce has been that AI is a marketing or operational tool. Recommendation engines, dynamic pricing, fraud detection, customer service automation. Each of these has been deployed within its respective function, governed by data protection policies and procurement reviews.
That function-by-function distribution worked when AI optimized within human-defined rules. Three structural shifts have changed that.
First, recommender systems and dynamic pricing now operate at a scale and sophistication that triggers DSA and DMA obligations on top of AI Act provisions. A single recommendation algorithm in a marketplace can be subject to all three simultaneously, with different transparency, explainability, and intervention requirements under each.
Second, autonomous AI agents are entering checkout flows, customer service, and procurement. When an AI agent executes a transaction on behalf of a customer or a business, the question of who is responsible remains unresolved by existing legal frameworks. AIUC-1 is currently the only certification standard that addresses this risk profile specifically.
Third, fraud detection, content moderation in user-generated marketplaces, and personalization with sensitive data activate intersecting obligations under the AI Act and GDPR that traditional vendor management frameworks were not built to handle.
What risks does this create
The risks are structural, and they compound as AI takes on more autonomous roles in commerce.
Multi-regulatory exposure on single algorithms
A recommendation system that surfaces products, adjusts prices, and ranks content in a marketplace can simultaneously trigger AI Act risk management obligations, DSA transparency requirements, and DMA fairness obligations. Governing it through separate compliance tracks creates contradictions that regulators will find.
Agentic AI without a liability framework
AI agents executing purchases, managing inventory, or handling customer returns operate outside the legal frameworks that govern human-mediated transactions. When something goes wrong, the accountability question is open. AIUC-1 certification addresses the specific risk profile of AI systems that execute tasks and take actions autonomously. Zertia is the European authorized auditor for AIUC-1.
Vendor AI that the retailer is accountable for
Most retail and e-commerce operations depend on third-party AI for recommendations, fraud detection, and customer service. Under the EU AI Act, the deployer carries obligations that do not transfer to the vendor by contract. The retailer that deploys a third-party recommendation engine is the deployer under the AI Act. Treating vendor AI verification as a procurement best practice, rather than a legal obligation, understates what the regulation requires.
Personalization with sensitive data at scale
AI systems that personalize based on inferred health status, financial situation, or behavioral patterns touch GDPR Article 9 obligations that most retail data governance frameworks were never built to handle. The intersection with AI Act risk classification creates obligations that require assessment.
The question that has changed
The question has moved from whether data protection requirements are met, to whether AI deployed across recommendations, pricing, agents, and customer experience operates under a governance framework that integrates AI Act, DSA, DMA, and emerging agent-specific standards.
How these risks can be mitigated
The mitigation path runs through a management system that integrates multi-regulatory obligations across a single governance framework.
Single governance framework for multi-regulatory AI
ISO/IEC 42001 provides the management system that integrates AI Act, DSA, and DMA obligations for recommender and pricing AI into a single auditable framework. Separate compliance programs for each regulation create the gaps that litigation exploits.
AIUC-1 certification for agentic commerce
Any AI system that executes transactions, manages returns, or takes procurement actions autonomously requires AIUC-1 assurance. Zertia is the European authorized auditor.
Vendor AI verification as a procurement standard
The deployer obligation under the AI Act does not transfer to vendors by contract. Independent verification of third-party AI provides the documented evidence the regulatory obligation requires.
For retail and e-commerce companies, the governance architecture required is more complex than most other sectors because the AI is more autonomous and the regulatory surface is wider.
How we help retail and e-commerce companies
AIUC-1 Certification for AI Agents
For retailers and platforms deploying or building autonomous AI agents in commerce. AIUC-1 addresses the specific risks of AI systems that execute tasks and take actions autonomously. Zertia is the European authorized auditor for AIUC-1.
ISO/IEC 42001 Certification for Digital Commerce
ANAB-accredited certification scoped to retail and e-commerce realities. Integrates AI Act, DSA, and DMA obligations into a single management system.
Multi-Regulatory AI Assessment
Inventory of AI deployments mapped against AI Act, DSA, DMA, and GDPR obligations. Identifies the convergence points and the governance gaps that single-regulation reviews miss.
Vendor AI Verification
Independent assessment of AI vendors providing recommendations, fraud detection, content moderation, and customer service AI to your operations.
Zertia Academy — Retail and E-commerce Track
Training for digital, data, legal, and operations teams. Builds shared institutional language across the convergence of digital commerce regulations.
What regulators are asking and what certification answers
| Regulatory obligation | What it requires | How Zertia addresses it |
|---|---|---|
| EU AI Act — Art. 26 (Deployer obligations) | Document AI systems, implement risk management, maintain human oversight, and keep logs. Applies to retailers and platforms deploying third-party AI tools. The deployer obligation does not transfer to vendors by contract. | ISO/IEC 42001 certification covers all Art. 26 deployer obligations, including third-party AI deployed in retail operations. Vendor governance arrangements are assessed as part of the audit scope. |
| Digital Services Act — Art. 38 (Recommender systems) | Applies to Very Large Online Platforms (VLOPs) with more than 45 million monthly active users in the EU. VLOPs must offer at least one recommender option not based on profiling, publish algorithmic transparency reports, and conduct risk assessments for recommenders that may cause systemic harm. Smaller platforms face less prescriptive obligations under the DSA's tiered framework. | Multi-Regulatory AI Assessment maps DSA recommender obligations against existing governance. ISO/IEC 42001 certification provides the management system framework that integrates DSA compliance into ongoing AI governance. |
| Digital Markets Act — Art. 6 (Obligations for gatekeepers) | Applies to platforms formally designated as gatekeepers by the European Commission (currently Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft). Gatekeeper platforms must not use AI to self-prefer their own products in rankings. Most retailers and marketplaces are not gatekeepers, but those that are face binding obligations; others face the DSA framework depending on scale. | Multi-Regulatory AI Assessment identifies DMA obligations that apply to marketplace AI. Covered in ISO/IEC 42001 certification scope for platforms that qualify as gatekeepers. |
| AIUC-1 (Agentic AI standard) | Demonstrate that autonomous AI agents executing commerce transactions operate under controls that address scope, reversibility, oversight, and accountability at the action level. No existing regulatory framework fully resolves agentic commerce liability. | AIUC-1 certification: Zertia is the European authorized auditor. Covers the specific risk profile of agentic AI systems in transactional contexts, providing the only current independent assurance standard for this use case. |
From inquiry to certification
If you're earlier in the process
Get the Retail and E-commerce AI Roadmap
Free. A structured assessment for retailers, e-commerce platforms, and marketplaces. Covers AI inventory, multi-regulatory mapping, and AI agent readiness.
Readiness Audit
Paid, fixed fee. Diagnostic of your AI deployments against ISO/IEC 42001, AIUC-1 for agentic systems, and the convergence of AI Act, DSA, DMA, and GDPR.
If you're ready for certification
ISO/IEC 42001 or AIUC-1 Certification
Three-year cycle, fixed fees, ANAB-accredited. Surveillance audits included.
A model that adapts to your firm
How we work with you depends on your scale and digital footprint. A direct-to-consumer brand operates on different terms than a multi-jurisdictional marketplace. Three engagement models.
- Startup: early-stage AI. Light roadmap, certification when you scale.
- Scaleup: readiness audit and certification timed to your growth.
- Enterprise: full certification with recurring governance and ongoing support.
Zertia is a conformity assessment body accredited by ANAB for ISO/IEC 42001
Our certification activities under ISO/IEC 42001 are conducted under accreditation by ANAB (ANSI National Accreditation Board), a globally recognized accreditation body.
ANAB accreditation confirms that our audit and certification processes meet applicable ISO standards and international requirements for competence, impartiality, and independence. Our methodologies, auditor qualifications, and decision processes are externally assessed against rigorous technical criteria.
For certified organizations, this provides internationally recognized certificates and enhanced credibility with regulators, clients, and investors.
Your fast track to compliance starts here
Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.
