EU AI Act Risk Classifier
Is your AI product prohibited, high, limited or minimal risk? Answer a few guided questions and this free classifier walks the same decision tree regulators use — then tells you the obligations and deadlines that follow. Everything runs in your browser.
The EU AI Act sorts AI into four risk tiers — unacceptable (prohibited), high (strict obligations), limited (transparency duties) and minimal (no mandatory rules) — with a separate track for general-purpose AI models. Your tier decides your obligations, your costs and your deadlines, so getting it right is the first compliance step.
1. What are you classifying?
A — Prohibited practices (Article 5)
Tick anything your system does. Any one of these makes it prohibited.
B — High risk (Annex I & Annex III)
Tick anything that applies. Any one of these makes it high risk.
C — Transparency triggers (Article 50)
Tick anything that applies. If none of A or B applied, any of these makes it limited risk.
General-purpose AI model
Does your model have systemic risk?
Not legal advice. This classifier is an educational guide based on the EU AI Act (Regulation (EU) 2024/1689). Classification can turn on fine detail and the rules are still evolving, including the 2025–2026 Digital Omnibus proposals. Confirm your classification with qualified legal counsel before acting. Your answers stay in your browser.
How classification actually works
The Act is a cascade, not a menu. You don't pick the tier that feels right; you fall through the tests in order and stop at the first that fits. A recruitment chatbot is not "limited risk" because it's a chatbot — employment screening is an Annex III high-risk use, and high risk wins. This ordering is what most self-assessments get wrong.
The four tiers
Unacceptable (prohibited) — eight banned practices under Article 5, in force since February 2025. No compliance path exists; these systems simply must not be placed on the market or used.
High risk — Annex I (safety components of regulated products) or Annex III (eight standalone domains). Triggers the heavy obligations: risk management, data governance, technical documentation, logging, human oversight, conformity assessment and EU registration.
Limited risk — transparency duties under Article 50: tell people they're dealing with AI, and label synthetic or deepfake content.
Minimal risk — everything else (spam filters, AI in games). No mandatory obligations, though voluntary codes are encouraged.
The most expensive classification error isn't calling a minimal system high risk; it's the reverse. Teams label an HR-screening or credit model "limited risk" because it has a friendly chat interface, ship it, and discover at audit that the use case — not the interface — put it squarely in Annex III. The interface never determines the tier. The decision the AI influences does.
Classify by intended purpose and use case, not by the technology. The same model can be minimal risk in one product and high risk in another. Re-classify whenever you repurpose a system or substantially modify it — that can turn a deployer into a provider.
Baseline dates: prohibitions Feb 2025, GPAI rules Aug 2025, high-risk (Annex III) and transparency Aug 2026, Annex I product-embedded high risk Aug 2027. The 2025–2026 Digital Omnibus proposes deferring some high-risk deadlines (Annex III toward Dec 2027), but these only bind once formally adopted and published. Verify the current date for your tier before you plan around it.
Looking for more tools? Browse all product management calculators.
Frequently asked questions
What are the EU AI Act risk categories?
The EU AI Act sorts AI systems into four tiers: unacceptable risk, which is prohibited outright; high risk, which carries strict obligations; limited risk, which triggers transparency duties; and minimal risk, which has no mandatory requirements. General-purpose AI models follow a separate track of their own.
How does this EU AI Act classifier work?
It walks the same decision tree regulators use. It first checks whether your AI is a prohibited practice, then whether it is high risk under Annex I or Annex III, then whether transparency duties apply, and otherwise lands on minimal risk. General-purpose models are assessed separately.
What makes an AI system high risk under the Act?
An AI system is high risk if it is a safety component of, or itself, a product covered by EU safety law requiring third-party assessment (Annex I), or if it is used in an Annex III domain such as employment, credit scoring, education, biometrics, critical infrastructure, law enforcement, migration or justice.
What AI practices are prohibited?
Article 5 bans eight practices, including harmful manipulation, exploiting vulnerabilities, social scoring, purely profiling-based crime prediction, untargeted facial image scraping, emotion recognition at work or school, sensitive biometric categorisation, and most real-time remote biometric identification in public spaces. These have been prohibited since February 2025.
What are limited-risk transparency obligations?
Under Article 50, limited-risk systems must be transparent. Chatbots must tell users they are AI, generative systems must mark synthetic output as artificially generated, deepfakes must be disclosed, and emotion-recognition or biometric-categorisation systems must inform the people exposed to them.
When do the EU AI Act obligations apply?
The Act entered into force in August 2024 and phases in. Prohibitions applied from February 2025, general-purpose AI rules from August 2025, and high-risk Annex III plus transparency rules from August 2026. A 2025 to 2026 Digital Omnibus proposal may defer some high-risk deadlines once formally adopted.
Does the EU AI Act apply to companies outside the EU?
Yes. The Act applies to providers and deployers placing AI on the EU market or putting it into service in the EU, and to those outside the EU whose AI output is used inside the EU. Location of the company does not by itself remove you from scope.
What about general-purpose AI models?
General-purpose AI models follow a separate track. All providers face documentation, copyright and training-data summary duties. Models with systemic risk, meaning very high-impact capabilities, carry extra obligations such as model evaluation, adversarial testing, incident reporting and cybersecurity. These rules applied from August 2025.
Is this classifier legal advice?
No. This tool is an educational guide to help you orient quickly; it is not legal advice and cannot account for your full context. Classification often turns on fine detail, and the rules are still evolving. Always confirm your classification with qualified legal counsel before acting.
What are the penalties for non-compliance?
Penalties are tiered. Engaging in prohibited practices can draw fines up to thirty-five million euros or seven percent of global annual turnover, whichever is higher. Other breaches carry lower caps. The exact figure depends on the infringement, the operator and national enforcement decisions.