
EU AI Act risk classifications explained: unacceptable, high, limited, minimal

The EU AI Act sorts AI systems into four risk tiers, each with its own obligations. Here's what falls into each tier and what compliance actually looks like.

By the aiactly editorial team



The EU AI Act does not regulate AI uniformly. It sorts AI systems into four risk tiers and applies obligations proportionate to the harm each tier can cause. The tier you land in determines whether you are banned outright, regulated heavily, regulated lightly through disclosure, or left to voluntary codes of conduct.

This article walks through each tier in turn, explains what triggers it, and summarises what the resulting compliance work looks like. It is the orientation step before you do anything else: until you know which tier each of your AI systems sits in, you cannot meaningfully plan a compliance programme.

The four tiers, at a glance


Tier, what it covers, and what you must do:

  • Unacceptable. Covers: the banned practices in Article 5. Required: stop; the system cannot be placed on the market or used in the EU.
  • High. Covers: Annex III use cases plus Annex I product-safety integrations. Required: the full conformity regime (QMS, technical documentation, risk management, human oversight, post-market monitoring, registration).
  • Limited. Covers: systems that interact with people, generate synthetic content, or perform biometric categorisation or emotion recognition. Required: transparency; tell users they are dealing with AI and label AI-generated content.
  • Minimal. Covers: everything else. Required: nothing mandatory; voluntary codes of conduct are encouraged.

A separate, parallel regime applies to general-purpose AI (GPAI) models, with a higher-obligation sub-tier for systemic-risk GPAI. The GPAI rules apply to the model itself; the four tiers above apply to downstream AI systems built on top.

Tier 1: unacceptable risk

Article 5 of the AI Act prohibits a defined list of practices outright. These are not heavily regulated; they are illegal. A system cannot be placed on the market, put into service or used in the EU if it falls within the prohibitions, regardless of intent or safeguards.

The list is short but reaches further than people often expect:

  • Subliminal, manipulative or deceptive techniques that materially distort behaviour and cause significant harm.
  • Exploitation of vulnerabilities of specific groups due to age, disability or socio-economic situation.
  • Social scoring by public authorities or on their behalf, where the score is used to disadvantage people in unrelated contexts.
  • Predictive policing based solely on profiling or personality assessment.
  • Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases.
  • Emotion recognition in the workplace and in education, except for medical or safety reasons.
  • Biometric categorisation that infers sensitive attributes (race, political opinion, sexual orientation, etc.) from biometric data.
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement, with narrow exceptions for serious crime requiring prior judicial authorisation.

A fuller walk-through of each prohibition, with examples, is in the prohibited practices article. For the rest of this guide, the question is: assuming you are not in this tier, where do you sit?

Tier 2: high risk

This is the tier that absorbs most of the regulatory attention and most of a typical compliance budget. An AI system is high-risk if it falls into either of two routes:

Route A — Annex I integration. The system is a safety component of a product, or is itself a product, regulated under one of the existing Union harmonisation laws listed in Annex I. This includes machinery, toys, lifts, in-vitro diagnostic medical devices, civil aviation security, vehicles, marine equipment and several others. If the product already needs CE marking and a notified-body conformity assessment under the sectoral law, the AI Act adds a layer to that existing regime.

Route B — Annex III use case. The system is used in one of eight high-risk domains:

  1. Biometrics (where not already prohibited).
  2. Critical infrastructure management (water, gas, electricity, road traffic).
  3. Education and vocational training (admissions, scoring, exam supervision, allocation of educational institutions).
  4. Employment, worker management and access to self-employment (recruitment, performance management, promotion, termination).
  5. Access to essential private and public services (credit scoring, benefits eligibility, emergency services dispatch, health insurance pricing).
  6. Law enforcement (risk profiling, evidence evaluation, polygraphs).
  7. Migration, asylum and border control (visa applications, risk assessments, document verification).
  8. Administration of justice and democratic processes (research, voter manipulation).

The Annex III route has an exemption built into Article 6. An AI system within one of these areas is not high-risk if it performs only a narrow procedural task, improves the result of a previously completed human activity, detects decision-making patterns without replacing or influencing human assessment, or performs preparatory work for an assessment. The exemption does not apply when the system performs profiling of natural persons. If you intend to rely on the exemption, you must document the assessment and register it in the EU database.

What high-risk classification requires:

  • A quality management system governing how you develop, validate, deploy and monitor the AI system.
  • Technical documentation demonstrating conformity, kept up to date.
  • Risk management running across the full lifecycle.
  • Data governance: training, validation and test datasets must be relevant, sufficiently representative, free of errors and complete. Bias mitigation is explicit.
  • Logging of system operation, retained for traceability.
  • Transparency to deployers: instructions for use, performance characteristics, known limitations.
  • Human oversight designed in, not bolted on.
  • Accuracy, robustness and cybersecurity appropriate to intended purpose, with declared performance levels.
  • Post-market monitoring for emerging risks.
  • Serious-incident reporting to national authorities.
  • Conformity assessment (self-assessment for most Annex III systems, third-party for biometrics and most Annex I integrations).
  • CE marking and registration in the EU AI database before placing on the market.

For deployers of high-risk systems, the burden is lighter. You follow the provider's instructions, run human oversight, retain logs, and (for public bodies and certain private deployers) carry out a fundamental rights impact assessment before use. You do not redo the conformity work the provider has already done.

A step-by-step decision guide for whether a specific system is in this tier is in the high-risk classification article.

Tier 3: limited risk

Limited risk is the transparency tier. There is no documentation regime, no conformity assessment, no registration. The single obligation is that users must know what they are dealing with.

Four categories fall here:

  • Systems that interact with natural persons must inform them they are interacting with an AI system, unless this is obvious from the context. Chatbots, voice agents and AI customer service assistants are the canonical examples.
  • Emotion recognition systems and biometric categorisation systems must inform exposed persons of their operation. (These are limited-risk only where they are not prohibited or high-risk in a given context.)
  • Generative AI systems must mark their output as artificially generated or manipulated, in machine-readable form (typically through watermarking or provenance metadata such as C2PA).
  • Deepfakes (AI-generated or manipulated image, audio or video content that closely resembles real persons or events) must be clearly labelled as such, with limited exceptions for evidently artistic, satirical or fictional work.

The obligations apply to providers and, in some cases, to deployers. They are intentionally proportionate: a chatbot does not become high-risk simply because it interacts with humans, but it must not pretend to be human.

Tier 4: minimal risk

Everything that is not unacceptable, high-risk or limited-risk sits here. Spam filtering, inventory optimisation, recommender systems for entertainment, video game AI, search ranking, fraud detection at modest scale, and most internal operational AI all fall into this bucket.

There are no mandatory obligations. The Act encourages adherence to voluntary codes of conduct, and in many cases aligning with the high-risk practices anyway is simply good engineering. Doing so positions you for any future regulatory tightening and creates evidence that helps with adjacent requirements (GDPR, sectoral rules, B2B procurement questionnaires).

A minimal-risk classification today does not survive forever. The Annex III list is not frozen; the Commission can add use cases via delegated act. Systems that are minimal-risk today can become high-risk tomorrow if the use case is added or the system's purpose changes. A quarterly classification review is good hygiene.

The parallel regime: GPAI models

Independent of the four tiers above, providers of general-purpose AI models (the foundation models that power downstream applications) face their own obligations. A baseline applies to all GPAI providers: technical documentation about the model, a summary of training data, a copyright compliance policy, and information to enable downstream developers to comply with their own obligations.

A higher-obligation tier applies to systemic-risk GPAI. The current quantitative threshold is a cumulative training compute of 10^25 floating-point operations, though the Commission can designate models above or below the threshold as systemic-risk based on capability indicators. Systemic-risk GPAI providers must additionally evaluate their models for systemic risks, take mitigation measures, report serious incidents, and ensure adequate cybersecurity.

Importantly, if you integrate a GPAI model into your own product and place that product on the market, you become a provider of the downstream AI system in addition to whatever role the model provider holds. You inherit the risk-tier classification of your downstream use case independently of what the model provider has done. The GPAI provider obligations guide goes deeper.

How to actually classify your systems

Doing this well in-house, without a tool, takes a structured walk-through per system:

  1. Inventory. List every AI system in production, in pilot, and on the roadmap. Be inclusive: rule-based automation that includes any learned component counts; standalone ML models embedded in larger products count.
  2. Check the prohibited list. Article 5. If you hit it, stop and redesign.
  3. Check the Annex I list. If the system or its host product is regulated under the listed Union law, it is high-risk via Route A.
  4. Check the Annex III list. If the intended purpose lands in one of the eight areas, run the Article 6 exemption assessment. If the exemption does not apply, the system is high-risk via Route B. Document the assessment.
  5. Check the transparency triggers. Does it interact with humans, generate synthetic media, perform emotion recognition or biometric categorisation? If yes, limited-risk obligations apply on top of whatever tier it falls in.
  6. Default to minimal risk for anything that survives the above without a trigger.
  7. Separately, for any GPAI you build or integrate, run the GPAI assessment.
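As an added illustration (not code from aiactly or from the Act itself), here is a Python sketch of the seven-step walk-through as a decision function: the record fields and the three sample systems are assumptions, and the Article 6 exemption grounds and transparency triggers are encoded exactly as the page lists them.

```python
from dataclasses import dataclass, field

# Article 6 exemption grounds for Annex III systems, as the page lists them.
EXEMPTION_GROUNDS = {
    "narrow_procedural_task",
    "improves_completed_human_activity",
    "detects_patterns_without_influencing_assessment",
    "preparatory_work_only",
}
# Transparency triggers (limited-risk tier); they stack on top of any tier.
TRANSPARENCY_TRIGGERS = {
    "interacts_with_humans",
    "generates_synthetic_content",
    "emotion_recognition",
    "biometric_categorisation",
}

@dataclass
class AISystem:
    """One inventory record (step 1); all field names are assumptions."""
    name: str
    article5_prohibited: bool = False          # step 2
    annex_i_product: bool = False              # step 3, Route A
    annex_iii_area: str = ""                   # step 4, Route B (e.g. "employment")
    profiles_natural_persons: bool = False     # profiling defeats the exemption
    exemption_grounds: set = field(default_factory=set)
    transparency_triggers: set = field(default_factory=set)
    uses_gpai_model: bool = False              # step 7, parallel GPAI regime

def classify(s: AISystem) -> dict:
    """Walk steps 2 to 7 in order; the first tier that triggers wins."""
    r = {"name": s.name, "tier": "minimal", "route": None,
         "exemption_relied_on": False, "transparency_obligations": [],
         "gpai_regime": s.uses_gpai_model, "notes": []}
    if s.article5_prohibited:
        r.update(tier="unacceptable", route="Article 5", notes=["Stop and redesign."])
        return r
    if s.annex_i_product:
        r.update(tier="high", route="A (Annex I)")
    elif s.annex_iii_area:
        if (s.exemption_grounds & EXEMPTION_GROUNDS) and not s.profiles_natural_persons:
            r["exemption_relied_on"] = True
            r["notes"].append("Document the Article 6 assessment and register it.")
        else:
            r.update(tier="high", route=f"B (Annex III: {s.annex_iii_area})")
    # step 5: transparency obligations apply on top of whatever tier was reached
    r["transparency_obligations"] = sorted(s.transparency_triggers & TRANSPARENCY_TRIGGERS)
    if r["transparency_obligations"] and r["tier"] == "minimal":
        r["tier"] = "limited"  # step 6: default stays minimal unless a trigger fired
    return r
```

Re-running `classify` over the whole inventory after every material change gives the documented, repeatable trail the text asks for.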

Document the result and the reasoning. Re-run on every material change to the system's purpose, training data, or deployment context. Re-run at least annually.

This is the work the aiactly classifier is built to make systematic, but the underlying logic is the same whether you do it with a spreadsheet or a tool: tier comes from intended purpose, role comes from supply-chain position, obligations come from the intersection of the two.


Frequently asked questions

How many risk tiers are in the EU AI Act?
Four: unacceptable, high, limited and minimal. A separate, parallel regime applies to general-purpose AI models.
Is generative AI considered high-risk?
Not automatically. Generative AI used to interact with people falls into the limited-risk transparency tier. The underlying GPAI model has its own obligations. Generative AI used inside a high-risk use case (e.g. recruitment screening) inherits high-risk obligations.
Who decides what tier my AI system falls into?
You do, as provider, based on Article 6 and Annex III. The classification is then verifiable by national competent authorities. There is no pre-assessment lookup; you have to apply the criteria yourself or use a structured classifier.
Can a system be in more than one tier?
A single AI system has one classification under the risk tiers but may also fall under the GPAI regime if it is built on a general-purpose model. The two regimes apply in parallel.
