
How to Classify Your AI System Under the EU AI Act: A Step-by-Step Guide

Not sure if your AI system is high-risk? Walk through the official classification process with practical examples for common business AI tools.

Source: EuroComply Editorial (2026-05-31)
Reviewed: EuroComply Team, EU regulatory specialists. Content reviewed against official EUR-Lex texts.
EuroComply Editorial Team

The EU AI Act classifies AI systems into four risk tiers: Prohibited, High, Limited, and Minimal. Getting this classification right determines your entire compliance roadmap. Here's how to do it.

Step 1: Check for Prohibited Practices (Article 5)

First, verify your system doesn't fall into the eight prohibited categories. Most business AI won't, but check anyway:

  • Does it score individuals for social behavior?
  • Does it use subliminal manipulation?
  • Does it exploit vulnerabilities of specific groups?
  • Does it perform real-time biometric identification in public?
  • Does it recognize emotions in workplaces or schools?

If yes to any of these, stop. The system cannot be deployed in the EU.

Step 2: Check the High-Risk List (Annex III)

Annex III lists eight sectors where AI is high-risk when it significantly affects individuals:

  1. Biometrics — remote identification systems
  2. Critical infrastructure — safety components in utilities, transport
  3. Education — admissions, grading, monitoring, cheating detection
  4. Employment — recruitment, CV screening, performance evaluation, termination decisions
  5. Essential services — credit scoring, insurance pricing, social benefits
  6. Law enforcement — risk assessment, evidence evaluation, profiling
  7. Migration — risk assessment, document verification
  8. Democratic processes — voter influence systems

The key question: does your AI system make or materially influence decisions about natural persons in these sectors?

Step 3: Check for Transparency Obligations (Article 50)

Even if your system isn't high-risk, it might have transparency obligations:

  • Chatbots: Must inform users they're interacting with AI
  • Content generation: AI-generated text, images, audio, or video must be labeled
  • Emotion recognition: Subjects must be informed
  • Deep fakes: Must be clearly labeled as synthetic

Step 4: Minimal Risk

Everything else falls here. No specific obligations, just voluntary codes of conduct and the general AI literacy requirement.

Practical Examples

| System | Classification | Why |
|--------|---------------|-----|
| Customer support chatbot | LIMITED | Interacts with people, transparency obligation |
| CV screening tool | HIGH | Employment sector, influences hiring decisions |
| Content recommendation engine | MINIMAL | No significant individual impact |
| Fraud detection for loans | HIGH | Essential services, affects access to credit |
| AI image generator | LIMITED | Generates synthetic content, labeling required |
| Predictive maintenance sensor | MINIMAL | No impact on individuals |

What Happens After Classification

For high-risk systems, you need: a risk management system, data governance procedures, technical documentation, automated logging, transparency information for users, human oversight mechanisms, and accuracy/robustness testing. Plus a conformity assessment before deployment.

For limited-risk systems, you need transparency measures — inform users, label content.

For minimal-risk systems, you're encouraged to follow voluntary codes of conduct, but there are no mandatory obligations beyond AI literacy.

Start classifying now. The high-risk deadline is August 2, 2026, and building compliance infrastructure takes time.

Key Documentation Requirements by Risk Tier

Prohibited AI (Article 5): No documentation required — these systems must be decommissioned or discontinued. If you identify a prohibited practice in an existing system, document the finding and your remediation plan for audit purposes.

High-risk AI (Annex III): Full documentation under Articles 9–15, including a risk management system, data governance documentation, technical file (Annex IV), automatic logging, instructions for use, and evidence of human oversight provisions. Where third-party conformity assessment applies under Article 43, retain the EU declaration of conformity and register the system in the EU database (Article 71).

Limited-risk AI (Article 50): Transparency disclosure documentation only. Systems must notify users when they are interacting with AI. Maintain records of the disclosure mechanism and the user interface used to convey it.

Minimal-risk AI: No mandatory documentation, but maintaining an internal record of AI systems and their purposes is best practice and supports Article 4 AI literacy obligations.

Frequently Asked Questions

How do I know if my AI system falls under Annex III of the EU AI Act?

Annex III lists eight specific sectors where AI is classified as high-risk when it significantly affects individuals: biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border management, and administration of justice. The key test is whether your system makes or materially influences a decision about a natural person in one of these sectors. A CV screening tool in an HR department clearly falls under the employment category. A fraud detection model used in consumer lending falls under essential services. If you are uncertain, the European Commission has published guidance on the interpretation of Annex III categories.

What is the difference between a high-risk AI system and a limited-risk AI system?

High-risk AI systems under Annex III require the full compliance regime — risk management, data governance, technical documentation, logging, human oversight, conformity assessment, and registration. Limited-risk systems under Article 50 have only transparency obligations: users must be informed when they are interacting with AI, AI-generated content must be labelled, and systems using emotion recognition must notify the subject. The difference in compliance burden is substantial. A customer service chatbot, for example, is typically limited-risk and requires only transparency disclosures, while an AI tool used to screen job applicants is high-risk and requires the complete documentation and assessment process.

Can an AI system move between risk tiers over time?

Yes. The risk tier applies to the system's use case and deployment context, not just its technical architecture. If a tool originally deployed for minimal-risk purposes — such as a content recommendation engine — is later adapted to influence decisions about access to essential services, its risk classification changes. Providers and deployers must reassess classification whenever the intended purpose, deployment context, or data inputs change materially. This is why maintaining an AI inventory with documented use cases is important: it provides the baseline against which changes can be evaluated and reclassification decisions recorded.

Sources

  • EUR-Lex, Regulation (EU) 2024/1689 (EU AI Act), Annex III (high-risk AI systems): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
  • European Commission, AI Act risk classification guidance: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
  • ENISA, AI risk assessment methodology and tools: https://www.enisa.europa.eu/topics/artificial-intelligence

EuroComply Editorial Team

EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.

For informational purposes only. Consult qualified legal counsel.
