
EU AI Act Risk Classification: How to Determine Your AI System's Category

Learn how to classify your AI system under the EU AI Act's four-tier framework — from prohibited to minimal risk — with a practical decision tree and common pitfalls.

18 May 2026 · DilAIg

Before you can comply with the EU AI Act, you need to know which tier of the framework applies to you. Get it wrong in either direction — over-classifying a minimal-risk tool as high-risk, or under-classifying a genuinely high-risk system as limited-risk — and you face either unnecessary cost or serious legal exposure.

This article walks through the EU AI Act's four-tier structure, explains the two distinct tracks for reaching the high-risk category, maps all eight Annex III domains, covers GPAI as a separate category, and gives you a practical decision process to classify your system.


The Four-Tier Framework at a Glance

The EU AI Act organises AI systems into four broad categories based on the risk they pose to fundamental rights, safety, and public interests. Each tier carries different obligations.

Risk tier                    | Legal basis                    | Key obligation
Prohibited                   | Article 5                      | Banned outright: cannot be placed on the market
High-risk                    | Article 6 + Annexes I and III  | Full compliance regime: conformity assessment, CE marking, registration
Limited risk (transparency)  | Article 50                     | Disclosure obligations only (e.g. chatbot labelling, deepfake notices)
Minimal risk                 | No specific provision          | No mandatory obligations; voluntary codes of conduct encouraged

The vast majority of AI systems in use today fall into the minimal-risk category. The compliance burden concentrates at the high-risk tier.


Tier 1: Prohibited AI Systems (Article 5)

Some AI practices are banned entirely from the EU market, regardless of how they are designed or deployed. Article 5 of the EU AI Act lists these prohibitions. They became enforceable in February 2025.

Key prohibitions include:

  • Subliminal manipulation techniques that exploit vulnerabilities to distort behaviour in ways that cause harm
  • Real-time remote biometric identification systems in publicly accessible spaces for law enforcement, with narrow exceptions for specific serious crimes
  • Social scoring by public authorities that evaluates individuals based on behaviour and leads to detrimental treatment
  • AI systems that infer sensitive attributes (race, political opinions, sexual orientation) from biometric data in ways not permitted by law
  • Predictive policing systems based purely on profiling without objective individual circumstances
  • Emotion recognition in workplaces and educational institutions, except for safety purposes
  • Untargeted scraping of facial images from the internet or CCTV to build or expand biometric databases

If your system performs any of these functions, no amount of documentation or risk mitigation makes it compliant. The answer is to redesign or not deploy it in the EU.


Tier 2: High-Risk AI Systems (Article 6)

High-risk status is reached through two distinct tracks. Understanding which track applies to you determines how you approach compliance.

Track A — Annex I Products (Article 6(1))

The first track covers AI systems that are safety components of products already governed by EU harmonised legislation listed in Annex I. These sectors include medical devices, in vitro diagnostic devices, machinery, radio equipment, motor vehicles, civil aviation, marine equipment, railways, and agricultural vehicles.

If your AI system is embedded in such a product and that sector legislation requires a third-party conformity assessment, your AI system is automatically high-risk under the EU AI Act. The AI Act compliance requirements stack on top of the existing sector-specific obligations.

A concrete example: an AI-powered diagnostic feature in a Class IIb medical device is high-risk under Article 6(1). The AI Act's requirements apply alongside the Medical Devices Regulation.

Track B — Annex III Use Cases (Article 6(2))

The second and broader track applies to AI systems that perform specific functions in sensitive domains, regardless of what product category they belong to. These are listed in Annex III and cover eight domains.

The Article 6(3) Exception

Article 6(3) creates an important exception for Annex III systems. A system that would otherwise qualify as high-risk under Annex III is not treated as high-risk if the provider can demonstrate that it poses only a limited risk to the health, safety, or fundamental rights of natural persons.

Specifically, the exception applies when the AI system does not materially influence the outcome of decisions — for example, it is used for a preliminary categorisation that a human then independently reviews and decides upon. If the exception applies, the system is subject to transparency obligations under Article 50 rather than the full high-risk regime.

Providers relying on Article 6(3) must document their reasoning and register the system in the EU database.


The Eight Annex III Domains

The following table maps the eight Annex III domains with representative examples.

Domain                                          | Examples of high-risk AI
1. Biometric identification and categorisation | Remote biometric ID systems; emotion recognition in sensitive contexts
2. Critical infrastructure                      | AI managing water, gas, electricity, traffic, or digital infrastructure
3. Education and vocational training            | Systems that determine access to education or evaluate students
4. Employment and workers' management           | CV screening tools; performance monitoring; promotion/dismissal decisions
5. Essential private and public services        | Credit scoring; insurance risk assessment; emergency service dispatch
6. Law enforcement                              | Risk assessment of individuals; polygraph-equivalent systems; evidence evaluation
7. Migration, asylum, and border control        | Risk scoring of migrants; document authenticity verification; asylum assessment
8. Administration of justice and democracy      | AI assisting judicial decisions; systems influencing elections or political campaigns

Note that Section 1 (biometrics) is the only Annex III domain requiring a notified body for the conformity assessment. All others may follow the internal control procedure.


Tier 3: Limited Risk — Transparency Obligations (Article 50)

Article 50 covers AI systems that do not reach the high-risk threshold but interact directly with users in ways that could be deceptive or misleading. The obligations here are disclosure-based only — no conformity assessment, no CE marking.

The main situations where Article 50 applies:

  • Chatbots and conversational AI: users must be informed they are interacting with an AI system, not a human, unless it is obvious from context
  • AI-generated synthetic content (deepfakes): content that manipulates real people's appearance, voice, or actions must be labelled as artificially generated
  • Emotion recognition and biometric categorisation systems: operators must inform people when such systems are used
  • AI-generated text on matters of public interest: where content is AI-generated at scale, appropriate labelling is required

A standard customer service chatbot, for instance, falls here: it needs a disclosure notice but does not require a conformity assessment.


Tier 4: Minimal Risk

Everything else — the majority of AI systems currently in use — falls into the minimal-risk category. There are no mandatory obligations. The EU AI Act actively encourages providers to adopt voluntary codes of conduct and adhere to emerging standards, but non-compliance with these carries no legal penalty.

Examples of minimal-risk AI: spam filters, inventory optimisation tools, AI-powered navigation in apps, playlist recommendation engines, grammar checkers, fraud detection models that flag transactions for human review, and most B2B analytics tools.


GPAI Models: A Separate Category (Articles 51–56)

General-purpose AI models (GPAI) — large models trained on broad data and capable of performing a wide range of tasks — sit outside the four-tier risk framework. They are governed separately under Articles 51–56, which became applicable in August 2025.

GPAI obligations apply to the model provider (the entity that trains and releases the model), not to downstream application builders. Key obligations include:

  • Maintaining technical documentation about the model's training, capabilities, and limitations
  • Publishing a summary of training data
  • Complying with EU copyright law regarding training data
  • Additional obligations for GPAI models with systemic risk (above 10^25 FLOPs training compute), including adversarial testing and incident reporting

Building an application on top of a GPAI model (such as GPT-4, Gemini, or Claude) does not make the application provider a GPAI model provider. However, if that application is itself a high-risk AI system, all Annex III or Annex I obligations still apply to the application layer.


Practical Decision Tree: Classifying Your AI System

Use this sequence to determine your system's category.

Step 1 — Does your system do anything listed in Article 5? If yes: it is prohibited. Do not deploy in the EU. If no: continue.

Step 2 — Is your system a large-scale foundation or general-purpose model (trained across broad domains)? If yes: GPAI obligations under Articles 51–56 apply. Separately assess any downstream applications. If no: continue.

Step 3 — Is your system embedded as a safety component in an Annex I product, and does sector legislation require a third-party conformity assessment for that product? If yes: high-risk under Article 6(1). Full high-risk obligations apply. If no: continue.

Step 4 — Does your system perform a function described in any of the eight Annex III domains? If no: go to Step 6. If yes: continue.

Step 5 — Can you demonstrate that your system has only a limited impact on decision outcomes (Article 6(3) exception)? If yes: limited-risk transparency obligations under Article 50 apply. Document and register your reasoning. If no: high-risk under Article 6(2). Full conformity assessment required.

Step 6 — Does your system interact with users in ways covered by Article 50 (chatbot, deepfakes, emotion recognition)? If yes: transparency obligations under Article 50 apply. If no: minimal risk. No mandatory obligations.


Common Misclassification Mistakes

Several categories of AI system are frequently misclassified by providers who either over- or under-read the Annex III definitions.

Scheduling and workforce management tools

Basic scheduling software — a tool that optimises shift patterns based on staff availability — is not high-risk. It becomes high-risk if it influences individual employment decisions such as dismissal, promotion, or performance assessment, because those functions fall under Annex III, Section 4.

RAG-based chatbots and document Q&A systems

A retrieval-augmented generation chatbot that answers internal questions from a company knowledge base is not automatically high-risk. It is typically limited-risk (Article 50 chatbot disclosure) or minimal-risk. It would only become high-risk if deployed in a context covered by Annex III — for example, advising on credit eligibility or assisting with asylum claim evaluation.

Basic recommendation engines

A product recommendation engine on an e-commerce site is minimal-risk. It does not fall under essential services credit scoring (which relates to financial creditworthiness and access to financial products), even if it recommends financial products, unless it is used to determine whether someone receives credit or insurance.

Semantic search and information retrieval

Document search, semantic matching, and knowledge retrieval tools are generally minimal-risk. The classification changes only if the output materially determines access to an essential service or influences a high-stakes individual decision.


How DilAIg Helps You Classify Your System

DilAIg's 50-question audit walks through every classification decision systematically — mapping your system's functions against Article 5, Article 6(1), Article 6(2), the Article 6(3) exception, Article 50, and the GPAI regime. The output is a documented risk classification with the applicable obligations listed article by article.



FAQ: EU AI Act Risk Classification

My AI system does multiple things — which classification applies?

Classify each function separately. A system that does one minimal-risk thing and one high-risk thing is high-risk overall. High-risk classification is determined by the most consequential use, not the most common one.

Does the Article 6(3) exception apply automatically?

No. Providers must actively assess whether the exception applies and document their reasoning. The exception is not a safe harbour to claim lightly — if your system does materially influence decisions, it does not qualify. You must also register the system in the EU database.

Does the classification change if I add human review?

Adding human review does not automatically change your classification. Article 14 requires high-risk systems to support human oversight, but requiring human review does not remove the high-risk label. The Article 6(3) exception is the correct mechanism if you believe the decision impact is genuinely limited.

Are open-source models subject to the same rules?

Providers of open-source GPAI models have reduced obligations compared to closed models (they do not need to meet the GPAI transparency obligations in the same way), with the exception of models with systemic risk. However, if an application built on an open-source model is itself a high-risk AI system, the application provider must still comply with all high-risk obligations.

What about AI systems used internally, not sold to customers?

If you are an employer using a high-risk AI system to manage your own workforce — for example, AI that scores employee performance — you are the deployer, not the provider. Deployers have their own obligations under the EU AI Act, including conducting a fundamental rights impact assessment in certain contexts and registering their use in the EU database.


Key Takeaways

  • The EU AI Act uses four tiers: prohibited (Article 5), high-risk (Article 6), limited/transparency (Article 50), and minimal-risk
  • High-risk status is reached via two tracks: embedded in Annex I regulated products (Article 6(1)) or performing Annex III use case functions (Article 6(2))
  • Article 6(3) provides a narrow exception for Annex III systems with genuinely limited decision impact — but requires documentation and database registration
  • GPAI models are governed separately under Articles 51–56, not under the four-tier risk framework
  • Common misclassifications affect scheduling tools, RAG chatbots, recommendation engines, and search tools — analyse the specific function, not the product category
  • Biometric systems (Annex III §1) are the only Annex III category requiring a third-party notified body assessment
