EU AI Act risk classification: how the four tiers work

The Act takes a risk-based approach to avoid imposing identical obligations on a low-stakes recommendation engine and a high-stakes credit-scoring model. The tiered structure also keeps the regulatory burden proportionate to potential harm to fundamental rights, health, and safety. The European Commission's AI portal describes the four tiers as the central design choice of the regulation [2].

For enterprises, the practical implication is that risk classification is the first analytical step of any AI procurement or build decision. Until you know which tier a system falls into, you cannot scope the documentation, the testing, the human-oversight design, or the contract. Vendors who skip this step and propose a system without a written risk classification are signalling that the conformity work has not been done.

Article 5 lists eight categories of prohibited AI practice. Subliminal or manipulative techniques that materially distort behaviour and cause significant harm. Exploitation of vulnerabilities due to age, disability, or social or economic situation. Social scoring by public or private actors that leads to detrimental treatment unrelated to the original context. Risk assessment of natural persons for predicting criminal offences based solely on profiling. Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases. Emotion recognition in workplaces and educational institutions. Biometric categorisation inferring sensitive attributes such as race, political opinions, or sexual orientation. Real-time remote biometric identification in publicly accessible spaces by law enforcement, with narrow exceptions [1].

These obligations applied from 2 February 2025 and the European Commission published detailed guidelines on prohibited practices in early 2025 [4]. Penalties for breach are the highest band: up to 35 million euros or 7 percent of worldwide annual turnover.

High-risk classification follows two paths. The first is Annex III, which lists eight areas where AI systems are presumed high-risk: biometrics (post-event identification, categorisation, emotion recognition outside prohibited contexts), critical infrastructure (safety components for road, rail, water, gas, electricity), education and vocational training (admissions, grading, monitoring), employment and worker management (recruitment, promotion, performance evaluation, task allocation), access to essential services (credit scoring, social benefits, emergency response triage, life and health insurance pricing), law enforcement (risk assessment, polygraphs, evidence evaluation), migration and border control (risk assessment, document verification, asylum eligibility), and administration of justice and democratic processes (assistance to judicial authorities, electoral influence) [3].

The second path is Annex I: AI safety components in regulated products that already require third-party conformity assessment under sectoral law - machinery, toys, lifts, radio equipment, civil aviation, two- and three-wheel vehicles, agricultural and forestry vehicles, marine equipment, rail interoperability, motor vehicles, in vitro diagnostic medical devices, medical devices. An AI system that is a safety component of a CE-marked machine is high-risk under the AI Act in addition to the existing sectoral conformity requirements.

Article 6(3) provides an exemption: an Annex III system is not high-risk if it performs a narrow procedural task, improves the result of a previously completed human activity, detects decision patterns without replacing the human assessment, or performs preparatory work. The exemption is narrow, must be documented, and is subject to challenge by national authorities.

High-risk systems carry the heaviest design-time and operational burden. Providers must establish a risk-management system across the lifecycle (Article 9), implement data governance meeting Article 10 (training, validation, testing data quality, provenance, bias mitigation), produce technical documentation aligned with Annex IV (Article 11), build automatic logging (Article 12), provide transparency to deployers (Article 13), design human oversight (Article 14), achieve appropriate accuracy, robustness, and cybersecurity (Article 15), implement a quality-management system (Article 17), retain documentation for 10 years (Article 18), register the system in the EU database (Article 49), perform a conformity assessment (Article 43), and operate post-market monitoring (Article 72).

Deployers of high-risk systems must use the system in accordance with the instructions for use, assign human oversight to competent staff, ensure input data is relevant, monitor operation and report serious incidents, retain logs, conduct a fundamental rights impact assessment where Article 27 applies, and inform individuals subject to AI-driven decisions where Article 26(11) applies.

The conformity assessment guide walks through the procedural steps, and the ISO 42001 mapping shows how the AI management-system standard aligns with these articles.

Limited-risk systems are subject to transparency obligations under Article 50. Providers of AI systems that interact directly with humans must inform the human that they are interacting with an AI, unless this is obvious from context. Providers of AI systems generating synthetic audio, image, video, or text content must mark the output as artificially generated or manipulated in a machine-readable format. Deployers of emotion-recognition or biometric-categorisation systems must inform exposed individuals. Deployers of deepfake systems must disclose that the content has been artificially generated or manipulated, with exceptions for clearly artistic, satirical, or fictional work.

The transparency obligations apply from 2 August 2026 alongside the high-risk regime. Most consumer-facing chatbots, AI-powered customer-support tools, and generative-content products fall into this tier and need to add the disclosure layer to their UX before the 2026 deadline.

Minimal-risk systems carry no specific obligations under the Act beyond the cross-cutting AI literacy requirement of Article 4, which applied from 2 February 2025. The literacy requirement asks providers and deployers to take measures to ensure a sufficient level of AI literacy among staff who use AI systems on the organisation's behalf, taking into account the context of use, the staff's technical knowledge, experience, education, and training, and the persons or groups on whom the AI systems are used.

Most workflow-automation tools, spam filters, recommendation engines for non-essential services, and AI-enabled productivity software sit in this tier. Voluntary codes of conduct under Article 95 are encouraged for minimal-risk systems and can be a useful procurement signal in regulated industries. Stanford HAI's AI Index 2024 reports that more than 78 percent of organisations have adopted AI in at least one business function [7], so most enterprises have multiple minimal-risk systems even before they encounter a high-risk one.

General-purpose AI models, defined in Article 3(63) as models displaying significant generality and capable of performing a wide range of distinct tasks, sit on a separate track. Chapter V splits them into two: standard general-purpose AI models, with documentation, copyright, and training-data summary obligations; and general-purpose AI models with systemic risk, defined as those trained with cumulative compute exceeding 10^25 floating-point operations, with additional evaluation, mitigation, incident-reporting, and cybersecurity obligations [1].

The threshold of 10^25 FLOPs is an objective trigger but the AI Office can also designate a model as systemic-risk based on capabilities, reach, or other criteria. Downstream applications built on top of general-purpose models inherit a partial compliance pack from the model provider but layer their own system-level obligations on top, classified by the use case (high-risk, limited-risk, or minimal-risk).

A defensible classification follows five steps. One, write a short system description: purpose, intended users, input data, output, deployment context. Two, check Article 5 for prohibited-practice triggers. If any apply, the system cannot be placed on the market. Three, check Annex I for safety-component status in regulated products. If yes, the system is high-risk. Four, check Annex III for area-based triggers. If yes, the system is presumed high-risk; document any Article 6(3) exemption claim with reasoning. Five, check Article 50 transparency triggers. If yes, the system is at least limited-risk and the disclosure requirements apply.

The classification document should be retained as part of the technical documentation and reviewed annually or whenever the system, the input data, or the deployment context materially changes. National competent authorities can challenge a classification under Article 79 and require evidence supporting the analysis.

For a guide to picking vendors who can produce defensible classifications, see EU AI Act compliant AI vendors. For the underlying methodology, see TRACE. For an example high-risk use case, see decision-support AI. For the cluster pillar, see EU AI Act overview.