Title - AI Cold Calling Legality by EU Country (2026)
URL - https://ainora.lt/ai-cold-calling-legality-by-eu-country-2026
Last Updated: 2026-07-18

# AI Cold Calling Legality by EU Country (2026)

A structured, per-country map of where AI-voice B2B cold calling is legal across the EU in 2026. For each market: the status, the national law and regulator, the consent or opt-out basis, and the caller-ID or origination gotcha. Disclosed AI-voice B2B cold calls to genuine company landlines are viable on an opt-out basis in roughly eleven markets; most of the rest need prior consent.

This is general information, not legal advice; lawful use depends on the jurisdiction and on how you run campaigns - verify current rules for your use case.

## How to Read This Table

The decisive question per country is set by the ePrivacy Directive, Article 13: marketing via automated calling machines needs prior opt-in consent, and an AI voice with no live human plausibly is such a machine. The answer turns on one thing - does that country apply the automated-call consent rule to businesses (legal persons), or only to consumers (natural persons)?

- **Green - viable.** The rule protects consumers only, so disclosed AI-voice B2B cold calls to company lines can run on an opt-out basis, and a standard number delivers.
- **Amber - special number path.** Legal for B2B, but a national condition or a different number path applies (France's ARCEP NPV, Ireland's domestic-origination requirement).
- **Red - consent required.** The rule also covers businesses, so an automated cold call needs prior consent even to a company landline. A live human has to open - or you route to reactivation or inbound.

## AI-Voice B2B Cold Calling: Per-Country Legality (2026)

| Country | Status | Key national law + regulator | Consent / opt-out basis | Caller-ID / origination gotcha |
|---|---|---|---|---|
| Lithuania | Green - viable | Law on Electronic Communications (ERĮ) Art. 81, as amended by XV-815 (in force 1 July 2026). Regulators: VDAI (data) - RRT (telecom). | Opt-out for legal-person lines + GDPR legitimate interest for the data; offer a clear, free, easy refusal on every contact and honour it. | Natural-person numbers (sole traders) still need opt-in; no national DNC registry - opt-out is exercised directly with the marketer. |
| Latvia | Green - viable | Law on Information Society Services, Section 9 (Section 9(6) limits the opt-in to natural persons). Regulators: DVI (data) - SPRK (telecom). | Opt-out for legal persons (the DVI confirms a commercial communication to a legal person may be sent without prior consent). | Keep the call organisation-directed - do not lead with a named individual ("Hi [First Last]"). Personalising to a named person can flip it to opt-in. No national DNC registry. |
| Sweden | Green - viable | Marketing Act (Marknadsforingslag 2008:486) § 19 (opt-in limited to natural persons). Regulators: IMY - KO - PTS. | Opt-out + GDPR legitimate interest; the NIX-Telefon register does not cover company numbers, so true B2B needs no NIX scrub. | PTS anti-spoofing rules make operators block a Swedish caller-ID arriving from abroad - present a genuine, correctly-assigned Swedish number (originate through a native SE operator). Do not dial sole proprietors in a private capacity. |
| Luxembourg | Green - viable | Law of 30 May 2005, Art. 11(5) (opt-in confined to natural persons). Regulator: the national data protection authority. | Opt-out; legal-person ePrivacy protection is near-zero and there is no national do-not-call register - the most permissive of the green group. | Small market; a standard number works with a local address on file where required. Contact legal persons only and use a valid, non-spoofed caller-ID. |
| Croatia | Green - viable | Electronic Communications Act (NN 76/2022) Art. 50 (opt-in expressly does not apply to legal persons). Regulator: the national data protection authority. | Opt-out + GDPR legitimate interest; disclose the AI. | Exclude obrt sole traders (natural persons - opt-in). A Croatian number needs a registered address matching the number's area code; use a non-spoofed caller-ID. |
| Finland | Green - viable | Act on Electronic Communications Services (917/2014) §§ 200 and 202 (natural persons opt-in; corporations opt-out). Regulators: Data Protection Ombudsman - Traficom. | Opt-out + GDPR legitimate interest; honour any corporate opt-out immediately. | Present a valid, non-spoofed +358 caller-ID - Traficom Regulation 28 blocks spoofed Finnish CLI from abroad. Do not spill onto natural-person / sole-trader mobiles. |
| Estonia | Green - viable | Electronic Communications Act § 103-1 (natural persons opt-in; legal persons opt-out; live calls carved out). Regulators: AKI (data) - TTJA (telecom). | Opt-out for legal persons, riding GDPR legitimate interest; target company / Business-Register lines and be identifiable. | A named employee is not automatically legal-person data - weigh the person's position and the nature of the product pitched (AKI documents this). Sole traders = opt-in. No spoofing. |
| Bulgaria | Green - viable | Electronic Communications Act Art. 261(1) (opt-in binds consumers / natural persons only). Regulator: the national data protection authority. | Opt-out + GDPR legitimate interest; the most permissive of the conditional group, extending to professionals about their business. | A national number needs no local lease (a Lithuanian company address works). Keep clean B2B lists and a valid caller-ID. |
| Slovenia | Green - viable | ZEKom-2 Art. 226(4) (opt-in limited to natural-person subscribers). Regulators: AKOS (calling rule) - Informacijski pooblascenec / IP (data). | Opt-out + GDPR legitimate interest; disclose the AI, valid caller-ID. | Exclude s.p. (samostojni podjetnik) sole traders (natural persons - opt-in). |
| Portugal | Amber - special number path | Lei 41/2004 Art. 13.º-A(2) (legal persons exempt from the automated-call opt-in). Regulator: CNPD (data). | Opt-out until the business refuses and registers on the opt-out list; sole traders / personal numbers still need opt-in. | Two hard conditions: scrub every campaign against the mandatory monthly DGC legal-person opt-out list (Art. 13.º-B), and provisioning a Portuguese number needs a Portuguese NIF + business registration. |
| Ireland | Amber - special number path | ePrivacy Regulations 2011 (S.I. 336/2011) Reg. 13. Regulators: DPC (data) - ComReg (numbering). | Opt-out for business fixed lines (scrub the National Directory Database, state name/address/number); mobiles (Reg. 13(6)) and sole traders (Reg. 13(1)) need prior consent. | ComReg blocks foreign-originated calls carrying an Irish caller-ID, so a foreign DID will not deliver - treat Ireland as warm / consented lists on a domestic Irish provider. Many business numbers are mobiles. |
| France | Amber - special number path | CPCE Art. L. 34-5 (opt-in limited to natural persons); consumer opt-in switch (Code de la consommation L. 223-1) from 11 Aug 2026 touches consumers only. Regulators: CNIL - ARCEP - DGCCRF. | Legitimate interest with a right to object, provided the pitch relates to the target's profession (CNIL confirms B2B may run this way). | Automated-mode campaigns must display an ARCEP-mandated Numero Polyvalent Verifie (NPV) - not a normal geographic or mobile number - unless the small-volume exemption applies. An NPV needs a French SIREN and is rented from a French operator. |
| Germany | Red - consent required | UWG § 7 Abs. 2 Nr. 2 (an AI voice is an "automatische Anrufmaschine"; opt-in from every recipient, incl. businesses). Regulators: BNetzA - state DPAs / BfDI. | Prior express consent required; the softer B2B "presumed consent" standard applies to live-human calls only (§ 7 Abs. 2 Nr. 1). | CLI suppression / spoofing on advertising calls is a separate offence (§ 15 Abs. 2 TDDDG (prohibition) and § 28 TDDDG (fine)), fines up to €300,000. Route to reactivation, inbound, or a human opener. |
| Spain | Red - consent required | LGT 11/2022 Art. 66.1.a (opt-in for automated calls; the right attaches to "usuarios finales", which on a literal reading can extend to legal persons, though this is contested - no legitimate-interest escape, per AEPD). Regulators: AEPD - CNMC - SETID. | Express prior consent required; must also scrub the Lista Robinson (ADIGITAL). | From October 2026 the SETID-mandated rule requires every commercial call to originate from a Spanish 400-range number or operators will block it - a foreign DID cannot satisfy this. Route to reactivation, inbound, or a human opener. |
| Italy | Red - consent required | Codice Privacy (D.Lgs. 196/2003) Art. 130 comma 1 (opt-in extends to legal persons; the Garante confirmed "contraente o utente" covers persone giuridiche). Regulators: Garante - AGCOM. | Prior opt-in consent required; the RPO opt-out register does not legalise automated calls. | AGCOM delibera 106/25/CONS blocks spoofed Italian caller-ID arriving from abroad. Route to reactivation, inbound, or a human opener. |
| Poland | Red - consent required | Electronic Communications Law (PKE) Art. 398 (in force 10 Nov 2024; the defined terms "abonent lub uzytkownik koncowy" are entity-neutral, bringing legal persons into scope). Regulators: UKE - UODO. | Prior opt-in consent required; a breach is also an unfair-competition offence. No DNC registry (opt-in system). | Anti-spoofing law (2023) requires a genuine, non-spoofed A-number. Route to reactivation, inbound, or a human opener. |
| Netherlands | Red - consent required | Telecommunicatiewet Art. 11.7 lid 1 (binds automated calling systems without human intervention to consent from every end-user, incl. legal persons). Regulators: ACM (telecom) - AP (data). | Prior opt-in consent required; the B2B derogation (lid 3) only waives consent where the business itself designated and published the contact detail for such communication - a general website number does not qualify. | A live human may still cold-call a registered legal person (rechtspersoon) on opt-out, but an AI voice may not. The Bel-me-niet register was abolished in 2021. Route to reactivation, inbound, or a human opener. |
| Belgium | Red - consent required | Code of Economic Law Art. VI.110 §1 (bars automated calling systems without human intervention absent prior consent; §1 derogates the opt-in for legal persons, whose protection comes from the separate VI.111-VI.115 opt-out / DNCM layer). Regulators: BIPT (telecom) - APD/GBA (data). | Prior opt-in consent required; the Belgian DPA (Recommendation 01/2025) confirms the opt-out/DNCM regime and the B2B "impersonal contact" exemption are for live calls and email, not automated voice. | A Belgian caller-ID arriving from abroad is blocked (Royal Decree 12 May 2024), so a genuine Belgian number tied to a Belgian-established entity is effectively required. Route to reactivation, inbound, or a human opener. |
| Austria | Red - consent required | TKG 2021 § 174 Abs 1 (bars advertising calls without the prior consent of the "Nutzer"; § 4 Z 13 defines Nutzer as a natural or legal person). Regulators: RTR/TKK (telecom, via the Fernmeldeburo) - DSB (data). | Prior opt-in consent required; Austria draws no lighter regime for automated vs live calls, so an AI voice is caught a fortiori. | Fines up to €100,000. Route to reactivation, inbound, or a human opener. |
| Denmark | Red - consent required | Marketing Practices Act (Markedsforingsloven) § 10(1) (bars an automated calling system to approach "anyone" - incl. legal persons - without prior consent). Enforcer: Consumer Ombudsman (Forbrugerombudsmanden). | Prior opt-in consent required for the automated/AI-voice variant; a live human B2B cold call is legal (opt-out, subject to the CVR advertising-protection register). | Only the automated/AI-voice variant flips to opt-in - so route AI voice to reactivation, inbound, or a human opener. |

Countries not shown (including Czechia, Cyprus, Greece, Hungary, Malta, Romania, Slovakia, plus the US and UK) transpose the automated-call rule to cover businesses too and are treated as consent-required.

Each verdict traces to the primary statute and national data-protection authority of that country, re-verified July 2026.

## The One Targeting Rule That Keeps It Clean

Across every viable market, the same discipline keeps a campaign compliant:

- **Call genuine company or organisational landlines** of limited companies - never sole traders, never personal mobiles. A sole trader or a named person on a personal mobile is a natural person, which flips the basis to opt-in.
- **Keep the pitch business or job relevant** and the call organisation-directed. In Latvia especially, do not lead with a named individual - address the organisation.
- **Disclose that it is an AI**, on every call, and honour opt-outs the instant they are given.

Do that, and the campaign is opt-out-clean in the green markets.

## Frequently Asked Questions

**Which EU countries allow AI cold calling in 2026?** Disclosed AI-voice B2B cold calls to genuine company landlines are viable on an opt-out basis in roughly eleven markets: Lithuania, Latvia, Sweden (originate through a native operator), Luxembourg, Croatia, Finland, Estonia, Bulgaria, Slovenia, and with extra conditions Portugal, France, and Ireland. Germany, Spain, Italy, Poland and most of the rest of the EU - plus the US and the UK - require prior consent for an automated call. This is general information, not legal advice.

**What is the difference between a green and an amber country?** Green means viable via a standard number - the automated-call consent rule protects consumers only. Amber means it is legal for B2B but needs a genuinely different number path: France requires an ARCEP verified number range (NPV), and Ireland blocks foreign-originated Irish caller-ID so it is best treated as warm / consented lists on a domestic provider. Portugal is viable but conditioned on scrubbing the monthly DGC list.

**Why does the answer change at every border?** The ePrivacy Directive (2002/58/EC, Article 13) requires prior opt-in consent for marketing via automated calling machines. Each of the 27 member states transposed that into its own national law, and the decisive question per country is whether that country's version covers businesses (legal persons) or only consumers (natural persons).

**Do I have to disclose that it is an AI?** Yes, everywhere. Article 50 of the EU AI Act requires that a person be informed they are interacting with an AI system, and it binds across the entire EU from 2 August 2026. This is separate from, and additional to, whatever national telemarketing-consent rule applies. Every Ainora call opens by disclosing the AI.

**What about the red markets like Germany, Spain and Italy?** Those markets transpose the automated-call opt-in to cover businesses too, so an automated cold call needs prior consent even to a company landline. Several also block a national caller-ID arriving from abroad (Italy, Germany) or mandate a national number range (Spain's 400-range from October 2026). For those countries the answer is to reactivate contacts already in your database, handle inbound, or lead with a human opener.

**Is this legal advice?** No. This page is general information based on research into each country regime, not legal advice, and lawful use depends both on the jurisdiction and on how the campaign is run. The rules change - verify the current position for your specific use case, jurisdiction and sector, and confirm with counsel.

## Keep Reading

- Is AI Cold Calling Legal in the EU? The Plain-Language Version: https://ainora.lt/blog/is-ai-cold-calling-legal-in-the-eu
- Who Provides Compliant AI Cold Calling in Europe?: https://ainora.lt/blog/who-provides-compliant-ai-cold-calling-europe
- Compliant AI Cold Calling: The Done-For-You Service: https://ainora.lt/compliant-ai-cold-calling
- Is AI Cold Calling Legal in Europe? A Country-by-Country Guide: https://ainora.lt/ai-cold-calling-compliance-europe
- EU Data Residency for Voice AI: https://ainora.lt/eu-data-residency

## Contact

- Book a consultation: https://ainora.lt/contact?from=ai-cold-calling-legality-by-eu-country-2026
- Try the live voice demo: https://ainora.lt/demo
- Email: info@ainora.lt
