The EU AI Act does not impose uniform obligations on every AI system. It imposes obligations calibrated to risk, and the calibration starts with classification. Get the classification wrong and every compliance decision that follows is built on a false foundation.
Article 9(1) of Regulation (EU) 2024/1689 requires providers of high-risk AI systems to establish a risk management system covering the entire lifecycle of the system. That obligation cannot be met without first knowing whether the system is high-risk. Classification is not a preliminary step before compliance begins. It is the first compliance obligation.
The classification framework has four tiers: prohibited, high-risk, limited-risk, and minimal-risk. Each tier is defined by law, not by how developers describe their product or how vendors market their tools. A system is classified by what it does and how it is used, not by what it is called.
The Four Tiers at a Glance
| Risk tier | Legal basis | Consequence |
|---|---|---|
| Prohibited | Article 5 | System cannot lawfully operate. Use constitutes an infringement from February 2025 |
| High-risk | Articles 6-7, Annexes I and III | Full compliance obligations including conformity assessment, technical documentation, registration, human oversight |
| Limited-risk | Article 50 | Transparency and disclosure obligations only |
| Minimal or no risk | No specific article | No mandatory obligations under the Act |
Key Definitions for Classification
| Term | Definition | Legal basis |
|---|---|---|
| AI system | A machine-based system that infers from inputs how to generate outputs such as predictions, recommendations, decisions, or content, operating with varying degrees of autonomy | Article 3(1) |
| General-purpose AI model | An AI model trained on large amounts of data using self-supervision at scale, capable of competently performing a wide range of distinct tasks | Article 3(63) |
| Intended purpose | The use for which an AI system is intended by the provider, including the specific context and conditions of use | Article 3(12) |
| Reasonably foreseeable misuse | Use of an AI system in a way not intended by the provider but which may result from reasonably foreseeable human behaviour | Article 9(2)(b) |
| Substantial modification | A change to a high-risk AI system after it has been placed on the market that affects its compliance with the Act or changes its intended purpose | Article 3(23) |
2. Tier One: Prohibited Practices
Article 5 of the Act sets out eight categories of AI practice that are banned outright across the European Union. These prohibitions have applied since 2 February 2025. There is no conformity assessment, no exemption process, and no grace period. Operating a prohibited AI system is an infringement from the moment the prohibition took effect.
The prohibited categories are defined by the harm they cause or the mechanism they use, not by the technology underlying them. A system that meets the description of a prohibited practice is prohibited regardless of how it is marketed, what sector it operates in, or how small the operator is.
The Eight Prohibited Practices
| Prohibited practice | What the Act says | Article |
|---|---|---|
| Subliminal manipulation | “AI systems that deploy subliminal techniques beyond a person’s consciousness or purposefully manipulative or deceptive techniques, with the objective or the effect of materially distorting the behaviour of a person or a group of persons” in a way that causes harm | Article 5(1)(a) |
| Exploitation of vulnerabilities | AI systems that “exploit any of the vulnerabilities of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation” to distort behaviour in a harmful way | Article 5(1)(b) |
| Social scoring by public authorities | AI systems used by public authorities to “evaluate or classify natural persons or groups of persons” based on social behaviour or personal characteristics, where the scoring leads to detrimental treatment | Article 5(1)(c) |
| Real-time remote biometric identification | AI systems used for “real-time remote biometric identification of natural persons in publicly accessible spaces for the purposes of law enforcement” except in narrowly defined circumstances | Article 5(1)(d) |
| Biometric categorisation by sensitive attributes | AI systems that “categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation” | Article 5(1)(e) |
| Emotion recognition in workplace and education | AI systems used “to infer the emotions of a natural person in the areas of workplace and education institutions” except for safety or medical reasons | Article 5(1)(f) |
| Untargeted facial scraping | AI systems that “create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage” | Article 5(1)(g) |
| Predictive criminal profiling | AI systems used “for making risk assessments of natural persons in order to assess or predict the risk of a natural person committing a criminal offence, based solely on the profiling of a natural person or on assessing their personality traits and characteristics” | Article 5(1)(h) |
Classification Test for Prohibited Practices
Before proceeding to high-risk classification, every AI system should be tested against the prohibited practice categories. The test requires honest assessment of what the system does in practice, not how it is described in marketing materials.
| Question | If yes |
|---|---|
| Does the system use techniques designed to operate below conscious awareness to influence behaviour? | Likely prohibited under Article 5(1)(a) |
| Does the system target individuals based on vulnerability (age, disability, economic situation) to alter their behaviour? | Likely prohibited under Article 5(1)(b) |
| Does the system score individuals based on social behaviour for use by a public authority in decisions affecting them? | Likely prohibited under Article 5(1)(c) |
| Does the system identify individuals in real time using biometric data in public spaces for law enforcement? | Likely prohibited under Article 5(1)(d) unless within narrow exceptions |
| Does the system categorise individuals by race, religion, political opinion, sexual orientation, or trade union membership using biometric data? | Likely prohibited under Article 5(1)(e) |
| Does the system infer employee or student emotions? | Likely prohibited under Article 5(1)(f) unless for medical or safety reasons |
| Does the system build facial recognition databases by scraping public sources? | Likely prohibited under Article 5(1)(g) |
| Does the system predict individual criminal risk based solely on profiling? | Likely prohibited under Article 5(1)(h) |
If your system meets any of these descriptions, discontinue its use. The penalty for operating a prohibited AI system is a fine of up to EUR 35,000,000 or 7% of total worldwide annual turnover, whichever is higher, under Article 99(3).
3. Tier Two: High-Risk AI Systems
High-risk AI systems carry the Act’s most extensive compliance obligations. Classification as high-risk is determined by two separate pathways set out in Article 6.
The first pathway covers AI systems that form a safety component of a product regulated under EU harmonisation legislation listed in Annex I, or are themselves such a product. The second pathway covers AI systems used in one of eight domains listed in Annex III. Either pathway is sufficient to classify a system as high-risk.
Pathway One: Annex I Products
Article 6(1) states that “an AI system shall be considered to be high-risk where both of the following conditions are fulfilled: (a) the AI system is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the Union harmonisation legislation listed in Annex I; and (b) the product whose safety component pursuant to point (a) is the AI system, or the AI system itself as a product, is required to undergo a third-party conformity assessment with a view to the placing on the market or putting into service of that product pursuant to the Union harmonisation legislation listed in Annex I.”
| Annex I product category | Examples |
|---|---|
| Machinery | Industrial robots, automated production equipment |
| Toys | AI-powered interactive toys |
| Recreational craft | Autonomous or AI-assisted marine vessels |
| Lifts | AI-controlled lift systems |
| Equipment for use in explosive atmospheres | AI monitoring systems in hazardous environments |
| Radio equipment | AI-enabled wireless devices |
| Pressure equipment | AI-controlled pressure management systems |
| Personal protective equipment | AI-integrated safety gear |
| Gas appliances | AI-controlled gas systems |
| Medical devices | AI diagnostic tools, AI-assisted surgical equipment |
| In vitro diagnostic medical devices | AI-powered diagnostic laboratory equipment |
| Civil aviation | AI systems in aircraft and aviation safety |
| Motor vehicles | AI driving assistance, autonomous vehicle components |
| Agricultural and forestry vehicles | AI-powered agricultural machinery |
Pathway Two: Annex III Domains
Article 6(2) states that “in addition to the high-risk AI systems referred to in paragraph 1, AI systems referred to in Annex III shall be considered to be high-risk.” The eight Annex III domains are set out below with the specific use cases the Act identifies within each.
| Domain | Specific high-risk use cases | Who is typically affected |
|---|---|---|
| Biometric identification and categorisation | Remote biometric identification systems; biometric categorisation systems other than those prohibited under Article 5; emotion recognition systems other than those prohibited under Article 5 | Security companies, identity verification providers |
| Critical infrastructure | AI as safety components in management of critical digital infrastructure, road traffic, and supply of water, gas, heating, and electricity | Infrastructure operators, energy management platforms |
| Education and vocational training | AI determining access to educational institutions; evaluating learning outcomes; assessing students during exams; monitoring students for prohibited behaviour | EdTech platforms, assessment tools, exam proctoring systems |
| Employment and workers management | AI used in recruitment and selection, including CV screening, advertising vacancies, and filtering applications; monitoring and evaluating performance; promoting or terminating employment relationships; allocating tasks | HR software, recruitment platforms, workforce management tools |
| Access to essential private and public services | AI used in creditworthiness assessment; insurance risk assessment and pricing; emergency services dispatch prioritisation; public benefit eligibility assessment | Fintech lenders, insurers, public sector platforms |
| Law enforcement | Risk assessment tools for individual recidivism; polygraph and similar tools; evaluation of evidence reliability; crime analytics for crime hotspot prediction; profiling tools in criminal investigations | Law enforcement agencies, LegalTech providers serving law enforcement |
| Migration, asylum, and border control | Risk assessment of applicants; examination of applications; border control monitoring systems; document verification | Immigration authorities, border technology providers |
| Administration of justice and democratic processes | AI assisting courts in researching and interpreting facts and law; AI for influencing election outcomes | LegalTech providers serving courts, civic technology |
The Article 6(3) Exception
Not every system used in an Annex III domain is automatically high-risk. Article 6(3) provides that “an AI system referred to in Annex III shall not be considered to be high-risk if it does not pose a significant risk of harm to the health, safety, or fundamental rights of natural persons.” This exception applies where the AI system is intended to perform a narrow procedural task, improve the result of a previously completed human activity, detect decision-making patterns without influencing individual decisions, or perform preparatory tasks for assessment relevant to the purposes listed in Annex III.
The exception does not apply where the system profiles individuals within the meaning of Article 4(4) of the GDPR.
Providers who rely on Article 6(3) must document their reasoning and register the system in the EU database under Article 49(2). The exception is not self-executing. It requires an affirmative determination and a documented justification.
High-Risk Classification Questionnaire
| Question | If yes |
|---|---|
| Is your system a safety component of a product listed in Annex I, or is your system itself an Annex I product requiring third-party conformity assessment? | High-risk under Article 6(1) |
| Is your system used for biometric identification, categorisation, or emotion recognition outside the prohibited categories? | High-risk under Annex III, point 1 |
| Does your system manage or control critical infrastructure including energy, water, transport, or digital infrastructure? | High-risk under Annex III, point 2 |
| Does your system determine access to education, assess students, or monitor students during exams? | High-risk under Annex III, point 3 |
| Does your system screen CVs, rank candidates, monitor employee performance, or support employment termination decisions? | High-risk under Annex III, point 4 |
| Does your system assess creditworthiness, insurance risk, or eligibility for public benefits or emergency services? | High-risk under Annex III, point 5 |
| Does your system assess recidivism risk, support crime analytics, or evaluate evidence reliability for law enforcement? | High-risk under Annex III, point 6 |
| Does your system assess migration or asylum applications or support border control decisions? | High-risk under Annex III, point 7 |
| Does your system assist courts in fact-finding or applying law, or influence elections? | High-risk under Annex III, point 8 |
| Does the Article 6(3) exception apply because the system poses no significant risk of harm? | Document the reasoning and register under Article 49(2) |
4. Tier Three: Limited-Risk AI Systems
Limited-risk AI systems are not subject to the full compliance burden that applies to high-risk systems. They carry specific transparency and disclosure obligations under Article 50, designed to ensure that individuals know when they are interacting with an AI system or when AI-generated content is presented to them.
Article 50(1) states that “providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the context and the circumstances.”
The Four Transparency Obligations Under Article 50
| Obligation | Who it applies to | What is required | Article |
|---|---|---|---|
| Chatbot disclosure | Providers and deployers of AI systems interacting directly with people | Inform users they are interacting with an AI system, unless obvious from context | Article 50(1) |
| Deepfake labelling | Providers of AI systems generating synthetic audio, image, video, or text content | Label the output as artificially generated or manipulated in machine-readable format | Article 50(2) |
| Emotion recognition disclosure | Providers and deployers of emotion recognition or biometric categorisation systems | Inform individuals exposed to the system | Article 50(3) |
| AI-generated content labelling | Providers of GPAI models generating content | Mark outputs in a machine-readable format detectable as artificially generated | Article 50(4) |
Systems Typically Classified as Limited-Risk
| System type | Transparency obligation |
|---|---|
| Customer service chatbots | Disclose AI interaction to users |
| AI writing assistants generating content for publication | Label output as AI-generated |
| Image or video generation tools | Label synthetic content in machine-readable format |
| AI-powered virtual assistants | Disclose AI interaction |
| Emotion analytics tools used outside prohibited contexts | Inform individuals of the system’s use |
The limited-risk tier contains a significant practical trap for small businesses. A system that appears to be limited-risk because it is a chatbot or content generator may simultaneously operate in a high-risk context. An AI recruitment chatbot, for example, is a chatbot subject to Article 50(1) and a high-risk system subject to the full Annex III obligations for employment-related AI. Both sets of obligations apply concurrently.
5. Tier Four: Minimal-Risk AI Systems and GPAI Models
The majority of AI systems currently in use fall into the minimal-risk tier. The Act imposes no mandatory compliance obligations on minimal-risk systems beyond the general AI literacy obligation in Article 4.
Article 4 states that “providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.” This obligation applies universally, irrespective of risk tier.
Examples of Minimal-Risk Systems
| System type | Why it is minimal-risk |
|---|---|
| AI-powered spam filters | Does not affect fundamental rights or safety decisions |
| Product recommendation engines | Does not make decisions with significant legal or personal effects |
| AI-powered search features | Does not operate in an Annex III domain |
| AI grammar and spell-check tools | Does not generate content presented as human-produced |
| Inventory management AI | Does not affect individuals’ rights or safety |
| Predictive maintenance tools for non-safety-critical equipment | Does not form a safety component in an Annex I product |
GPAI Models: A Separate Category
General-purpose AI models occupy a distinct position in the Act’s framework. They are not classified by risk tier in the same way as AI systems. Instead, Chapter V of the Act (Articles 51 to 56) imposes a separate set of obligations on GPAI model providers, calibrated by whether the model poses systemic risk.
| GPAI model category | Classification trigger | Key obligations |
|---|---|---|
| Standard GPAI model | Model capable of performing a wide range of tasks, placed on the EU market | Technical documentation, copyright transparency, model card publication |
| GPAI model with systemic risk | Trained with compute exceeding 10^25 FLOPs, or designated by the AI Office | Above plus adversarial testing, incident reporting, cybersecurity measures |
Article 51(1) states that “a general-purpose AI model shall be classified as a general-purpose AI model with systemic risk if it has high-impact capabilities evaluated on the basis of appropriate technical tools and methodologies, including indicators and benchmarks.” The compute threshold of 10^25 floating-point operations serves as the primary quantitative indicator, though the AI Office may designate models below this threshold if warranted by their capabilities.
Providers of open-source GPAI models are partially exempt from the technical documentation and transparency obligations under Article 53, provided they publicly disclose the required information. The exemption does not apply to open-source models classified as posing systemic risk.
6. Applying the Classification Framework: Questionnaire and FAQ
Classification is not a one-time exercise completed before a product launches. Article 9(2) requires providers of high-risk AI systems to review and update risk assessments throughout the system’s lifecycle. A system that is minimal-risk when first deployed can become high-risk if its intended purpose changes, if it is substantially modified, or if it is deployed by a customer in an Annex III context the original provider did not anticipate.
The Classification Questionnaire
Work through the questions below in order. Stop at the first tier that applies. A system may simultaneously attract obligations from more than one tier.
Step 1: Is this system prohibited?
| Question | Answer |
|---|---|
| Does the system use subliminal techniques to manipulate behaviour harmfully? | If yes: prohibited under Article 5(1)(a) |
| Does the system exploit vulnerability based on age, disability, or economic situation to distort behaviour? | If yes: prohibited under Article 5(1)(b) |
| Does the system score individuals based on social behaviour for public authority decisions? | If yes: prohibited under Article 5(1)(c) |
| Does the system perform real-time biometric identification in public spaces for law enforcement? | If yes: prohibited under Article 5(1)(d) subject to narrow exceptions |
| Does the system categorise individuals by sensitive attributes using biometric data? | If yes: prohibited under Article 5(1)(e) |
| Does the system infer employee or student emotions? | If yes: prohibited under Article 5(1)(f) subject to medical or safety exceptions |
| Does the system build facial recognition databases by scraping public sources? | If yes: prohibited under Article 5(1)(g) |
| Does the system predict individual criminal risk based solely on profiling? | If yes: prohibited under Article 5(1)(h) |
If prohibited: stop. Discontinue the system. Do not proceed to further classification.
Step 2: Is this system high-risk via Annex I?
| Question | Answer |
|---|---|
| Is the system a safety component of an Annex I regulated product, or is it itself such a product? | If yes: high-risk under Article 6(1) if third-party conformity assessment is required |
Step 3: Is this system high-risk via Annex III?
| Question | Answer |
|---|---|
| Is the system used in any of the eight Annex III domains listed in Section 3 of this guide? | If yes: provisionally high-risk under Article 6(2) |
| Does the Article 6(3) exception apply because the system poses no significant risk of harm? | If yes: document the reasoning and register under Article 49(2) |
Step 4: Does the system carry limited-risk transparency obligations?
| Question | Answer |
|---|---|
| Does the system interact directly with people in circumstances where it is not obvious that they are dealing with an AI system? | If yes: Article 50(1) disclosure obligation applies |
| Does the system generate synthetic audio, image, video, or text content? | If yes: Article 50(2) labelling obligation applies |
| Does the system perform emotion recognition or biometric categorisation outside prohibited categories? | If yes: Article 50(3) disclosure obligation applies |
Step 5: Is this a GPAI model?
| Question | Answer |
|---|---|
| Is the system a general-purpose AI model capable of a wide range of tasks? | If yes: Chapter V obligations apply from August 2025 |
| Was it trained using compute exceeding 10^25 FLOPs, or has the AI Office designated it as systemic risk? | If yes: systemic risk obligations under Article 55 apply in addition |
Step 6: Default classification
If none of the above steps have triggered a higher classification, the system is minimal-risk. The Article 4 AI literacy obligation still applies.
Frequently Asked Questions
Who is responsible for classifying an AI system?
The provider is primarily responsible for classification. Article 9(1) requires providers of high-risk AI systems to establish a risk management system, which presupposes that the provider has determined the system is high-risk. Deployers are not relieved of their own classification obligations. A deployer who uses a system in an Annex III context that the provider did not intend may independently trigger high-risk deployer obligations, regardless of how the provider has classified the system.
What happens if a provider classifies their system as minimal-risk but a deployer uses it in a high-risk context?
The deployer’s use determines their own obligations. If a deployer uses a general-purpose tool in an employment decision context, the deployer may be subject to Article 26 high-risk deployer obligations even if the provider has not classified the system as high-risk. In some cases, the deployer may cross into provider territory under Article 25 if the use constitutes a substantial modification or a change in intended purpose.
Our vendor says their tool is compliant. Does that mean we do not need to classify it ourselves?
No. Vendor compliance documentation covers the vendor’s obligations as provider. You must independently determine your role and the applicable risk tier for your specific use of the system. A vendor’s EU Declaration of Conformity does not substitute for your own classification analysis as deployer.
Can a system move between risk tiers after initial classification?
Yes. Classification is not fixed. Article 3(23) defines substantial modification as a change that affects compliance with the Act or changes the intended purpose. A substantial modification requires the provider to treat the modified system as a new system and repeat the classification and conformity assessment process. Deployers who change how they use a system must reassess classification at the point of change.
We built a general-purpose tool not aimed at any specific high-risk domain. A customer is using it for CV screening. Are we affected?
Possibly. If you become aware that your system is being used in a high-risk context, Article 25(3) requires you to inform the relevant authorities and cooperate to bring the system into compliance. If you have contractual relationships with the deployer, you should address permitted use cases in your terms of service and take steps to prevent use outside the scope of your intended purpose classification.
The Article 6(3) exception looks useful. Can we rely on it to avoid high-risk classification for our Annex III system?
Article 6(3) is a genuine exception, but it requires a documented, reasoned determination that the system poses no significant risk of harm to health, safety, or fundamental rights. Providers who rely on it must register the system in the EU database under Article 49(2) and make the reasoning available to authorities. Regulators will scrutinise Article 6(3) claims carefully. The exception is intended for genuinely low-impact uses within Annex III domains, not as a general escape route from high-risk classification.
What is the classification obligation for open-source AI systems?
Open-source AI systems are not exempt from classification. An open-source system that falls within Annex III or Annex I triggers the same high-risk classification as a proprietary system. The Act provides some documentation exemptions for open-source GPAI models under Article 53, but these do not affect risk tier classification. Providers of open-source high-risk systems carry the same conformity assessment and documentation obligations as proprietary providers.
Does classification affect how we interact with customers and users?
Yes, directly. High-risk classification triggers user information obligations under Article 26(8), which requires deployers to inform individuals subject to a high-risk AI system. Limited-risk classification triggers disclosure obligations under Article 50(1) where users interact with an AI system. Minimal-risk classification carries no specific user-facing obligation beyond AI literacy requirements for internal staff.
This guide reflects the text of Regulation (EU) 2024/1689 as published in the Official Journal on 12 July 2024 and applicable guidance issued by the European AI Office through May 2026. It is published by Grecta for general informational purposes and does not constitute legal advice. Businesses should obtain advice specific to their products, operations, and markets.