How to Classify Your AI System Under the EU AI Act

Classifying an AI system under the EU AI Act means working top down through four risk tiers, prohibited, high-risk, limited (transparency) and minimal, to find the first tier your system matches and the obligations it triggers.

The short answer

Classification under the EU AI Act, Regulation (EU) 2024/1689, is a risk-tier exercise: you assess each AI system against four tiers in order of severity and stop at the first one it falls into. The tiers are prohibited (Article 5), high-risk (Articles 6 and 7 with Annex III), limited risk requiring transparency (Article 50), and minimal risk (everything else).

Two things shape the outcome before you reach the tiers. First, whether the system meets the Article 3 definition of an AI system at all. Second, your role in the value chain, because a provider (the party that develops or places the system on the market under its own name) carries far heavier duties than a deployer (the party that uses it under its own authority). The same tool can put you in different obligation sets depending on that role.

Six steps to classify a system

Run these steps per system and per intended purpose, not per vendor. Re-run them whenever you change a system's purpose, retrain it on materially different data, or deploy it in a new context, since any of those can move it into a higher tier.

  1. Inventory your AI. List every AI system you build, buy, embed or use, with its purpose, the data it processes, who is affected, and whether outputs feed a decision about a person. You cannot classify what you have not catalogued, and a register is also the backbone of later evidence.
  2. Determine your role: provider or deployer. Decide for each system whether you are the provider, the deployer, or both. Note that putting your own name or trademark on a high-risk system, or substantially modifying one, or changing its intended purpose, can turn a deployer into a provider under Article 25.
  3. Check Article 5: is it a prohibited practice? Screen against the banned uses such as untargeted scraping of facial images to build recognition databases, social scoring, manipulative or exploitative techniques causing harm, and emotion recognition in workplaces and schools. These bans have applied since 2 February 2025. If a use is prohibited, you stop and remove it; there is no compliance path.
  4. Check Annex III and Article 6: is it high-risk? Compare the intended purpose against the Annex III use cases (for example biometrics, critical infrastructure, education, employment and worker management, access to essential services, law enforcement, migration, and administration of justice). Also flag AI that is a safety component of a product covered by EU harmonisation legislation in Annex I. Apply the Article 6(3) filter: a system in an Annex III area may still be non-high-risk if it only performs a narrow procedural task or does not materially influence a decision, but you must document that assessment.
  5. Check Article 50: does it trigger transparency duties? If not high-risk, check the limited-risk obligations. Systems that interact with people (such as chatbots), generate synthetic audio, image, video or text, or produce deep fakes must disclose the AI involvement and mark generated content in a machine-readable way.
  6. Otherwise it is minimal risk. If a system clears all the steps above, it is minimal risk with no mandatory obligations beyond the AI-literacy duty under Article 4. Voluntary codes of conduct are encouraged. Record the conclusion so the classification is defensible.

What each of the four risk tiers requires

Two cross-cutting layers sit alongside the tiers. The AI-literacy obligation in Article 4 has applied to providers and deployers across all tiers since 2 February 2025. Separate rules for general-purpose AI (GPAI) models and the EU governance structure have applied since 2 August 2025.

Risk tier | Legal basis | Core requirement | Key date
Prohibited | Article 5 | Use is banned; the system must not be placed on the market or used in the EU | In force since 2 February 2025
High-risk | Article 6, Annex III and Annex I | Risk management, data governance, technical documentation (Annex IV), logging, human oversight, accuracy and robustness, plus conformity assessment and registration; deployers have their own oversight and monitoring duties | Most obligations apply from 2 August 2026; product-embedded high-risk from 2 August 2027
Limited (transparency) | Article 50 | Disclose AI interaction, label synthetic and deep-fake content in a machine-readable form | Applies from 2 August 2026
Minimal | No tier-specific articles | No mandatory obligations beyond the cross-cutting AI-literacy duty; voluntary codes encouraged | AI-literacy duty (Article 4) in force since 2 February 2025

Why getting the tier right matters

Misclassification is expensive in both directions. Treating a high-risk system as minimal leaves you exposed to enforcement, while treating a minimal system as high-risk burns budget on conformity work you do not owe. The penalty ceilings make the downside concrete: up to EUR 35 million or 7 percent of total worldwide annual turnover for breaching the Article 5 prohibitions, and up to EUR 15 million or 3 percent for most other obligations, whichever is higher.

A note on timing: a proposed Digital Omnibus package has floated deferring some high-risk deadlines, but it is PROPOSED and NOT yet adopted. Plan against the enacted dates above until any change becomes law.

Classify once and the result carries across frameworks. The risk tier you assign maps to the controls you will document for the EU AI Act, and the same system inventory and risk assessment feed an ISO/IEC 42001 management system and the NIST AI Risk Management Framework, so the classification work is reused rather than repeated.

Last reviewed June 2026 by the ComplyAgent team.