Semitora.

29 June 2026

AI Act risk classification — a step-by-step method

The EU AI Act (Regulation 2024/1689) assigns every AI system to one of four risk levels: unacceptable (prohibited), high, limited and minimal. Obligations follow the risk level, not the technology. Most obligations for high-risk systems start to apply on 2 August 2026, and some prohibitions have applied since February 2025. Below is a method that walks a single system through that classification, step by step.

This is not a board readiness checklist (that exists separately). It is a method for one concrete system: by the end you know which risk bucket it sits in and what obligations follow.

Step 1. Is it an “AI system” at all?

The AI Act applies to “AI systems” as defined in Article 3 — software that, from input data, produces outputs (predictions, content, recommendations, decisions) with some autonomy. A plain rule-based script or a spreadsheet is not an AI system. If it isn’t an AI system, the AI Act imposes no obligations. If it is, move on.

Step 2. Does it perform a prohibited practice (Article 5)?

Some uses are simply banned, and that ban has applied since February 2025. They include social scoring, manipulative techniques that exploit vulnerabilities, emotion recognition at work and in education, and untargeted scraping of facial images to build recognition databases. A ban cannot be “documented away” — such a system has to be withdrawn or redesigned. If clear, move on.

Step 3. Is the system “high-risk”?

Two paths lead to high risk:

If so, the heaviest regime applies: a risk-management system, data quality and governance, technical documentation, event logging, human oversight, and accuracy and cybersecurity requirements. Obligations for Annex III systems start to apply on 2 August 2026; for systems embedded in regulated products (Annex I), the transition period is longer.

Step 4. Are there transparency obligations (Article 50)?

Even if a system is not “high-risk”, it may carry transparency obligations: a chatbot must disclose that the user is talking to AI, and AI-generated or AI-altered content (including deepfakes) must be labelled. This is the limited-risk level — lighter obligations, but real ones.

Step 5. The rest is minimal risk

Most business uses — internal search, summaries, assistants over company documents — are minimal risk, with no legal obligations under the AI Act. Good practice (testing, evaluations, oversight) stays voluntary, but it is what decides whether the system actually works reliably.

Step 6. A separate layer: general-purpose AI (GPAI)

If your system is built on a general-purpose model (e.g. a large language model), a separate layer of GPAI obligations applies — mostly on the model provider, in force since 2 August 2025. What matters for you is whether the provider meets them (documentation, copyright policy); that is part of your due diligence.

Who is responsible: provider or deployer?

The AI Act splits obligations between the “provider” (who builds or places a system on the market under their own name) and the “deployer” (who uses it). Most companies “just use” off-the-shelf tools and are deployers. But note: if you substantially fine-tune a model, change its intended purpose, or put it on the market under your own brand, you can become a provider — with a heavier set of obligations. So always classify in pairs: risk level times your role.

In short

For each system, answer in order: (1) is it an AI system, (2) is it prohibited, (3) is it high-risk, (4) are there transparency obligations, (5) if not, it’s minimal, (6) which GPAI model it runs on and what your role is. The result is a concrete risk level, a list of obligations and a named responsible person — the basis every compliance audit needs.

What next

Classification is the first step. For the full list of questions a board must be able to answer, see the AI Act readiness checklist. How we close this out in practice — audit, classification, governance — is on our AI Act compliance page. If you want to run this method on your own systems, start with an audit.