Compliance · March 14, 2026 · 8 min read

EU AI Act Risk Classification: Understanding the 4 Risk Levels

Understand the EU AI Act's four risk tiers: unacceptable, high, limited, and minimal. Learn how to classify your AI systems and meet compliance requirements.

The Risk-Based Approach of the EU AI Act

The EU AI Act takes a risk-based approach to regulation, recognising that not all AI systems pose the same level of threat to fundamental rights and safety. Rather than applying blanket requirements to all AI, the Act establishes four tiers of risk, each with proportionate obligations. This approach aims to balance innovation with protection, ensuring that the most potentially harmful AI applications face the strictest oversight while low-risk AI remains largely unregulated.

This risk-based framework was inspired by the EU's existing product safety legislation and reflects the proportionality principle embedded in EU law. The classification determines not just what rules apply, but who bears responsibility for compliance. Providers (those who develop or place AI systems on the market) and deployers (those who use AI systems) have different but complementary obligations depending on the risk tier.

For enterprises, understanding risk classification is the essential first step in compliance. Before you can determine what governance measures, documentation, or oversight you need, you must know where each of your AI systems falls in the risk hierarchy. This classification exercise should cover your entire AI portfolio — not just the systems you built, but every AI tool your organisation uses, from enterprise platforms to department-level SaaS subscriptions.

The Four Risk Tiers Explained

Unacceptable risk AI systems are outright prohibited under the Act. These include social scoring systems used by public authorities that evaluate people based on their social behaviour or personal characteristics, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), AI systems that exploit vulnerabilities of specific groups due to age, disability, or social situation, and AI systems that deploy subliminal techniques to materially distort behaviour in ways that cause harm. If any of your AI applications fall into this category, they must be discontinued.

High-risk AI systems constitute the most compliance-intensive tier. The Act defines these through two pathways: Annex I lists AI systems that are safety components of products already covered by EU harmonisation legislation (medical devices, machinery, vehicles, toys, and others), while Annex III lists standalone high-risk use cases including AI in biometrics, critical infrastructure management, education and vocational training, employment and worker management, access to essential services (credit, insurance, social benefits), law enforcement, migration and border control, and administration of justice.

Limited risk AI systems carry specific transparency obligations. These include AI systems that interact directly with people (chatbots must disclose they are AI), emotion recognition or biometric categorisation systems (users must be informed), and AI systems that generate or manipulate content (deepfakes must be labelled). Minimal risk systems — encompassing the vast majority of AI tools used in business, such as spam filters, recommendation engines, and search tools — face no specific obligations under the Act, though voluntary codes of conduct are encouraged.

How to Classify Your AI Systems

Classification requires analysing each AI system against the Act's criteria, which can be more nuanced than it initially appears. Start by listing every AI system in your organisation, including embedded AI features within larger software platforms. A CRM system with AI-powered lead scoring, an HR platform with AI resume screening, or a customer service tool with AI chatbot functionality all need individual classification.

For each system, determine its intended purpose and the context of its use. The same underlying AI technology can fall into different risk categories depending on how it is deployed. A general-purpose language model used for internal document summarisation is minimal risk. The same model used to screen job applications becomes high risk under Annex III's employment category. Context is everything.

Evaluate against Annex III categories systematically. Does the AI system make or significantly influence decisions about people's access to employment, education, essential services, or justice? Does it operate in a safety-critical context? Does it process biometric data for identification? If yes to any of these, the system is likely high risk. For transparency obligations, ask whether the system interacts with people directly, recognises emotions, categorises people biometrically, or generates synthetic content.

Document your classification rationale thoroughly. Regulators will expect not just a classification label but evidence of the analysis that produced it. Record the system's intended purpose, actual use cases, data processed, decisions influenced, and affected individuals. This documentation becomes part of your compliance evidence and should be reviewed whenever the system's use case changes.
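A first-pass classifier that encodes the decision steps above (prohibited practices, Annex I, Annex III areas, transparency triggers) and writes the rationale into the register entry next to the tier, as an added example that is not part of the original article; the flag names, the `AISystem` fields and the obligation texts are labels assumed here. It keeps transparency duties in the record even when a system also lands in a higher tier, so a chatbot that screens applicants is recorded as high risk and still carries its disclosure obligation.

```python
"""First-pass EU AI Act tier classification following the article's criteria (added example)."""
from dataclasses import dataclass, field

# Annex III high-risk areas as listed in the article (assumed identifiers).
ANNEX_III = {"biometrics", "critical_infrastructure", "education", "employment",
             "essential_services", "law_enforcement", "migration", "justice"}
# Prohibited practices named in the article (assumed identifiers).
PROHIBITED = {"social_scoring", "realtime_public_biometric_id",
              "exploits_vulnerable_groups", "subliminal_manipulation"}
# Transparency triggers and the obligation each one carries (assumed wording).
TRANSPARENCY = {"interacts_with_people": "disclose that users are talking to an AI",
                "emotion_recognition": "inform affected individuals",
                "biometric_categorisation": "inform affected individuals",
                "generates_synthetic_content": "label AI-generated content"}

@dataclass
class AISystem:
    name: str
    deployment_context: str                       # how this organisation uses it
    practices: set = field(default_factory=set)   # prohibited-practice flags
    annex_iii_areas: set = field(default_factory=set)
    annex_i_safety_component: bool = False
    features: set = field(default_factory=set)    # transparency triggers

def classify(system: AISystem) -> dict:
    """Return the tier plus the rationale a regulator expects to see recorded."""
    prohibited = sorted(system.practices & PROHIBITED)
    areas = sorted(system.annex_iii_areas & ANNEX_III)
    triggers = sorted(f for f in system.features if f in TRANSPARENCY)
    if prohibited:
        tier, why = "unacceptable", f"prohibited practice(s): {prohibited}"
    elif system.annex_i_safety_component:
        tier, why = "high", "safety component of an Annex I product"
    elif areas:
        tier, why = "high", f"Annex III area(s): {areas}"
    elif triggers:
        tier, why = "limited", f"transparency trigger(s): {triggers}"
    else:
        tier, why = "minimal", "no prohibited, Annex I/III or transparency match"
    # Transparency duties are kept whatever the tier, so a chatbot that is also
    # high risk does not lose its disclosure obligation in the register.
    return {"system": system.name, "context": system.deployment_context,
            "tier": tier, "rationale": why,
            "transparency_obligations": {t: TRANSPARENCY[t] for t in triggers}}

if __name__ == "__main__":  # same model, two contexts (constructed sample entries)
    print(classify(AISystem("LLM-v1", "internal document summarisation"))["tier"])
    print(classify(AISystem("LLM-v1", "job applicant screening", annex_iii_areas={"employment"}))["tier"])
```

Each record is one register entry; re-run `classify` whenever the deployment context changes, since the same model can move tiers.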

Compliance Requirements by Risk Tier

For high-risk AI systems, compliance requirements are substantial. Providers must implement a quality management system, conduct conformity assessments, prepare technical documentation, ensure data governance, implement logging capabilities, provide transparency to deployers, enable human oversight, and achieve appropriate levels of accuracy, robustness, and cybersecurity. Deployers must use the system in accordance with instructions, implement human oversight, ensure input data quality, monitor operations, maintain logs, and report serious incidents.

The conformity assessment is particularly significant. For most high-risk systems, providers can self-assess compliance through an internal procedure. However, certain biometric identification systems require third-party conformity assessment by a notified body. Deployers should verify that providers have completed the appropriate assessment and request conformity documentation.

For limited risk systems, the primary obligation is transparency. Implement clear disclosures when users interact with AI systems, label AI-generated or manipulated content, and inform individuals when emotion recognition or biometric categorisation is used. These disclosures must be timely, clear, and accessible.

Even for minimal risk systems, consider adopting voluntary governance practices. The AI landscape evolves rapidly, and a system classified as minimal risk today could shift categories as regulations are updated or as your use case evolves. Building governance practices across your entire AI portfolio provides a foundation that makes compliance with any future requirements straightforward. Start with an AI register for all systems regardless of risk level, basic usage monitoring, and periodic review of classifications.

Ready to get started?

Fronterio helps you implement everything discussed in this article — with built-in tools, automation, and guidance.