
EU AI Act Risk Classes: The 4 Tiers Explained — With Examples and Assessment


The EU AI Act runs on one principle: the higher the risk, the stricter the rules. That sounds simple. In practice, the question every company actually has is: which tier are our AI systems in, and what does that mean for us on Monday morning?

This article answers that — with real business examples, not textbook definitions. Skip to the interactive classifier below if you want to start there.

The four EU AI Act risk classes at a glance

Tier | Risk | Regulation | Examples
1 | Unacceptable | Banned (since Feb 2025) | Social scoring, real-time facial recognition in public spaces
2 | High | Strict obligations (from Aug 2026) | AI in hiring, credit scoring, medical devices
3 | Limited | Transparency obligations | Chatbots, AI-generated content, deepfakes
4 | Minimal | No special obligations | Spam filters, recommendation systems, search

Interactive risk class checker

Find out which risk class your AI system falls into:

Question 1: Does your AI system evaluate or monitor people based on biometric data, social behavior, or emotional states in the workplace?

Tier 1: Unacceptable risk — banned

Since 2 February 2025, certain AI systems have been outlawed in the EU. The full list is in Art. 5 of the EU AI Act:

  • Social scoring: Rating people by social behavior over time when the rating triggers unjustified discrimination.
  • Real-time biometric identification in public spaces by law enforcement, with narrow exceptions (missing children, imminent terror threat).
  • Emotion recognition at work and in education.
  • Subliminal manipulation: AI that nudges behavior through imperceptible techniques.
  • Exploitation of vulnerabilities: AI targeting age, disability, or social situation.

Worth checking even if you don’t think it applies: some HR tools advertise “sentiment analysis” in candidate interviews. That can fall under emotion recognition. Look at what your vendor’s tool actually does, not what their marketing page calls it.

Tier 2: High risk — the category that drives the work

High-risk AI is allowed, but with conditions. This is where most of the compliance work sits. The Commission estimates 5–15% of commercially used AI in the EU is here.

Two groups land in high-risk:

Group 1: AI as a safety component in already-regulated products — medical devices, vehicles, toys, elevators, aviation. Covered through existing sector-specific regulation.

Group 2: AI in sensitive areas (Annex III):

  • HR: CV screening, candidate ranking, performance evaluation
  • Education: exam grading, admission decisions
  • Credit: creditworthiness assessment, scoring
  • Law enforcement: lie detection, risk assessment
  • Migration: asylum procedures, border control
  • Critical infrastructure: water, power, transport
  • Democratic processes: election influence

Deployer obligations:

  • Risk management system, set up and maintained
  • Data quality (no biased training data)
  • Technical documentation
  • Human oversight — meaningful, not nominal
  • Incident reporting (serious malfunctions, fundamental rights violations)
  • GDPR DPIA when personal data is involved
  • Fundamental Rights Impact Assessment

Concrete example. You’re using an AI tool to pre-screen job applications. That’s high-risk. You need to be able to show: how the system decides, what data it was trained on, what bias testing was done, who monitors outputs. If the tool is from a US cloud vendor, data sovereignty joins the pile.

Tier 3: Limited risk — transparency obligations

The single most relevant tier for most businesses. Chatbot on your site? AI-written copy? AI helping with internal communications? You’re here.

Art. 50 obligations:

  • Chatbots: Users must know they’re talking to AI. (“This chat is powered by AI” works.)
  • AI-generated content: Text, images, audio, video — recognizable as AI-generated.
  • Deepfakes: Clearly labeled as artificial.

For content publishers: a single line — “This article was produced with AI assistance” — is enough. The point is informing the reader, not running a legal disclaimer marathon. Same rule applies to product descriptions, social posts, newsletters.

Tier 4: Minimal risk — business as usual

Most AI sits here: spam filters, recommendation systems, AI-powered search, text suggestions, autocorrect. No system-specific obligations. The Art. 4 AI literacy obligation still applies — every company that uses AI has to train its employees.

How to classify your AI systems

A pragmatic four-step path:

Step 1: List every AI system in use — including shadow AI that IT didn’t approve.

Step 2: For each system, three questions:

  • Does it make automated decisions about people? → possibly high-risk
  • Does it interact with users? → transparency required
  • Does it generate content? → transparency required
  • None of the above? → minimal risk

Step 3: For high-risk: get the provider’s technical documentation, stand up a risk management system, set up incident reporting.

Step 4: For limited risk: implement labeling. It’s a one-day job.


FAQ

Which risk class does ChatGPT fall into?

ChatGPT is a General-Purpose AI Model (GPAI), regulated under Art. 51–56 — not directly through the four tiers. Your use of ChatGPT determines the tier. Writing marketing copy: minimal. Screening job applications: high-risk. Same tool, two different obligations depending on what you do with it.

Who determines the risk class — the provider or the company?

The provider does the initial classification. As a deployer, you have to verify it fits your actual use case. If you deploy a tool for a high-risk purpose that the provider didn’t intend, you become the provider under the Act — with the provider’s full obligations on top of the deployer’s.

What happens if I misclassify my AI system?

Fines up to EUR 15 million or 3% of global annual turnover for high-risk obligation violations. For deliberately false statements to authorities: EUR 7.5 million or 1.5%. National supervisors begin active enforcement from August 2026 — in Germany, the Bundesnetzagentur.

Bottom line

The risk classes are a logical framework, not a bureaucratic trap. Most business AI sits in minimal or limited and needs little work. Companies using AI for hiring, credit, or critical infrastructure are in high-risk — and the August 2026 deadline is closer than it looks.

Classify first. Compliance follows from the classification.
