Free interactive tool

AI Risk Classifier — Is Your AI System High-Risk Under the EU AI Act?

Updated · Indicative — not legal advice

Answer 3-4 questions to classify your AI system under the EU AI Act: Annex I (product embedded), Annex III (standalone high-risk), GPAI, transparency-only, or minimal risk. Free, instant results.

How EU AI Act risk classification works

The EU AI Act uses a four-tier classification logic. Work through each question in order — the first match determines your category.

Step 1 — Is your AI a safety component embedded in a regulated product?

If your AI system is integrated into a product governed by EU product safety legislation (medical devices MDR/IVDR, machinery, motor vehicles, aviation, railways, lifts, toys, PPE), it is classified as Annex I high-risk under Art. 6(1). The compliance deadline is 2 August 2028.

→ Yes: Annex I obligations

Step 2 — Is your AI a standalone system in one of 8 high-risk sectors?

If your AI operates autonomously (not embedded in a regulated product) and falls into one of these domains, it is Annex III high-risk under Art. 6(2):

  1. Biometric identification and categorisation
  2. Critical infrastructure management
  3. Education and vocational training access
  4. Employment, worker management, and self-employment access
  5. Essential private and public services (credit scoring, insurance risk, benefits)
  6. Law enforcement
  7. Migration, asylum, and border control
  8. Administration of justice and democratic processes

The compliance deadline is 2 December 2027. Note: Art. 6(3) allows exclusion if the system presents no significant risk of harm — this must be documented.

→ Yes: Annex III obligations

Step 3 — Is your system a general-purpose AI model?

If your system is an AI model trained at large scale on broad data to perform a wide range of tasks (LLM, multimodal foundation model, large image-generation model), it is classified as GPAI under Chapter V. Obligations have applied since 2 August 2025.

→ Yes: GPAI obligations

Step 4 — Transparency or minimal risk

If none of the above apply:

Use the Compliance Checklist after classification to map out your specific obligations and timelines.

Frequently Asked Questions

High-risk AI systems are those classified under Annex I (safety components of regulated products) or Annex III (AI systems in 8 specific sectors: biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice). High-risk AI must comply with Chapter III obligations including risk management, data governance, technical documentation, and conformity assessment.

Yes. Art. 6(3) allows a provider to self-assess that an Annex III system is not high-risk if it does not present a significant risk of harm to health, safety, or fundamental rights. This requires documented justification and notification to the relevant national authority.

Yes, in some cases. The AI Act covers AI 'put into service' — which includes deploying AI internally if it affects people (e.g., HR decisions, employee monitoring). An AI system used solely for backend computation with no human impact may fall outside scope, but this requires careful legal analysis.
