Free tool
AI Act Risk Classifier
Not sure where your AI system sits under the EU AI Act? Answer a few plain-English questions and get a tailored steer: your risk tier, your role, when the rules apply, and what to do next.
Step 1 of 6
The short version
How the AI Act risk tiers work
The Act sorts AI by the risk it poses, and obligations scale with that risk. Here are the four tiers, plus the separate general-purpose AI track, in plain English.
TL;DR
Prohibited - unacceptable risk
Article 5 bans a short list of practices outright, including subliminal or manipulative techniques that cause harm, exploiting vulnerabilities, social scoring, predicting criminality from profiling alone, untargeted scraping of facial images, emotion recognition at work or school, biometric categorisation by sensitive traits, and real-time remote biometric identification in public for law enforcement. These have been banned since 2 February 2025 and carry the steepest fines. Regulation (EU) 2024/1689, Article 5
High-risk
There are two routes into the high-risk tier. The first is AI that is a safety component of a product regulated under Annex I (machinery, medical devices, toys, vehicles and so on). The second is AI used in one of eight Annex III areas: biometrics; critical infrastructure; education; employment and worker management; access to essential services including credit scoring and life or health insurance pricing; law enforcement; migration and border control; and justice and democratic processes. An Article 6(3) filter can take a narrow-task Annex III system out of the high-risk tier - but never if it profiles people. Regulation (EU) 2024/1689, Article 6
Limited / transparency risk
Article 50 adds transparency duties for AI that interacts with people or generates content. Users must be told when they are dealing with a chatbot; AI-generated or manipulated content must be machine-readably marked; deepfakes must be disclosed; and people exposed to emotion recognition or biometric categorisation must be informed. Regulation (EU) 2024/1689, Article 50
Minimal risk, plus the GPAI track
Everything not in the tiers above is minimal risk, with no mandatory obligations - though the cross-cutting AI literacy duty (Article 4) still applies to all AI. General-purpose AI models, such as large language models, are regulated separately under Chapter V, with extra duties for models that pose systemic risk. European Commission, regulatory framework on AI
One part of the timeline is still moving
Risk-tier questions people ask
What are the AI Act risk tiers?
The EU AI Act takes a risk-based approach with four tiers for AI systems. Unacceptable risk (prohibited practices under Article 5) is banned outright. High-risk systems - safety components of regulated products, or systems used in one of eight Annex III areas like employment, credit scoring or biometrics - carry the fullest obligations. Limited or transparency risk (Article 50) covers chatbots, deepfakes and other content-generating or interactive AI, which mainly have disclosure and labelling duties. Everything else is minimal risk, with no mandatory obligations. General-purpose AI models are regulated on a separate track.
Does the AI Act apply to companies outside the EU?
Yes, it can. The Act applies to providers placing an AI system or model on the EU market regardless of where they are established, to deployers located in the EU, and - importantly - to providers and deployers outside the EU whenever the output produced by their AI system is used in the Union (Article 2). This "output used in the Union" trigger gives the Act broad extraterritorial reach comparable to GDPR. A non-EU provider of a high-risk system must also appoint an EU authorised representative.
My system is in an Annex III area. Is it automatically high-risk?
Not always. Article 6(3) provides a filter exception: an Annex III system may not be high-risk if it does not pose a significant risk of harm to health, safety or fundamental rights - for example if it only performs a narrow procedural task, improves the result of a prior human activity, or detects decision-making patterns without replacing human judgement. The crucial caveat is that this exception does not apply if the system profiles natural persons. If it profiles people, it stays high-risk.
When do the high-risk and transparency rules apply?
Under the regulation as enacted, most high-risk obligations (stand-alone Annex III systems) and the Article 50 transparency duties apply from 2 August 2026. High-risk AI that is a safety component of an Annex I product applies from 2 August 2027. A proposed Digital Omnibus on AI, in provisional agreement as of May 2026, would postpone Annex III high-risk to 2 December 2027, but it is not yet law as of June 2026 - so plan to the 2 August 2026 date. The Article 5 prohibitions and the AI literacy duty have already been in force since 2 February 2025, and the GPAI rules since 2 August 2025.
This is guidance to help you understand the EU AI Act, not legal advice. For decisions specific to your business, confirm with the official sources we link or a qualified adviser.
Sources
- [1]Regulation (EU) 2024/1689 (EU AI Act), full text on EUR-Lexretrieved 9 Jun 2026
- [2]European Commission, regulatory framework on artificial intelligenceretrieved 9 Jun 2026