Regulation (EU) 2024/1689 (the EU AI Act) takes a risk-based approach: the greater the potential harm of an AI system, the more stringent the obligations. Four risk levels form the backbone of this framework. For every organisation that develops or deploys AI, determining which level applies to a given system is the foundation of compliance. This article explains each level and illustrates it with concrete examples.

Unacceptable risk: outright prohibition

AI systems in this category are banned in the EU. Article 5 of the AI Act sets out eight specific practices that have been prohibited since 2 February 2025.

Concrete examples of prohibited applications:

  • Social scoring: systems that evaluate or classify individuals based on social behaviour or personality characteristics, resulting in unjustified disadvantage.
  • Manipulative techniques: AI that uses subliminal or deceptive methods to materially distort human behaviour in a way that causes harm.
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, subject to narrowly defined exceptions (such as searching for missing persons or preventing an imminent terrorist attack).
  • Emotion recognition in the workplace or educational institutions, except for medical or safety purposes.
  • Biometric categorisation to deduce attributes such as race, political opinion, or sexual orientation.

There are no exceptions to these prohibitions beyond those explicitly listed in Article 5. An organisation that puts a prohibited system into service risks enforcement action by the competent national supervisory authority.

High risk: strict obligations

High-risk AI systems may be placed on the market and put into service, but are subject to a comprehensive set of obligations. The high-risk classification follows from Article 6 in conjunction with Annexes I and III of the Regulation.

There are two routes to a high-risk classification:

  1. The AI system functions as a safety component of a product covered by existing EU product safety legislation listed in Annex I (such as medical devices, machinery or lifts), and that product is required to undergo a third-party conformity assessment.
  2. The AI system falls within one of the eight areas of use listed in Annex III: biometrics, critical infrastructure, education and vocational training, employment and workforce management, essential services and benefits, law enforcement, migration and border management, or the administration of justice and democratic processes.

Examples of high-risk AI:

  • A CV-screening system that ranks candidates for job vacancies (employment, Annex III).
  • A credit-scoring model that influences lending decisions (essential services, Annex III).
  • AI used in robot-assisted surgery (safety component of a medical device, Annex I).
  • A system that makes admissions decisions for an educational programme (education, Annex III).

High-risk AI systems are subject to requirements including: a risk management system, high data quality standards for training datasets, human oversight, technical documentation, and registration in the EU database. Most of these obligations apply from 2 August 2026.

Limited risk: transparency obligations

AI systems presenting limited risk fall under the transparency provisions of Article 50 of the AI Act. The obligation is primarily informational: users must be made aware that they are interacting with an AI system.

Examples of limited-risk systems:

  • Chatbots and virtual assistants: organisations must inform users that they are communicating with an AI, unless this is already evident from context.
  • Deepfakes and synthetic media: AI-generated image, audio, or video content must be labelled in a machine-readable format as artificially generated.
  • Generative AI applications that produce text or other material for the public on matters of general interest: the artificial nature of the content must be disclosed.

The transparency obligations enter into force on 2 August 2026. Compliance is less burdensome than the requirements for high-risk AI, but non-compliance can nonetheless lead to enforcement action.

Minimal risk: no obligations, voluntary codes

The large majority of AI systems currently in use across the EU fall into the minimal-risk category. The AI Act imposes no new obligations on these systems.

Examples of minimal-risk systems:

  • Spam filters and grammar checkers.
  • Recommendation systems operating outside the Annex III sectors.
  • AI-powered search functionality in standard business applications.
  • Inventory management and planning tools with an AI component.

Developers and organisations may voluntarily adopt codes of conduct and align with voluntary frameworks for transparency and robustness. The Regulation encourages this, but does not require it.

Determining the correct classification

The classification process follows a sequence of steps. First, it must be established whether the AI system falls under any of the prohibited practices listed in Article 5. Next comes the high-risk assessment under Article 6: is the system a safety component covered by Annex I, or does its intended use fall within Annex III? Where a system falls within Annex III but has no material influence on decision-making outcomes, it may nonetheless be excluded from the high-risk classification under Article 6(3). The transparency check under Article 50 follows. Systems that do not meet any of the preceding criteria fall into the minimal-risk category.

Providers and deployers are responsible for carrying out this classification. Where the status of a system is uncertain, the competent national supervisory authority may be asked to provide a determination.

Consequences of misclassification

Incorrect classification carries real consequences. An organisation that treats a high-risk system as though it were limited-risk fails to comply with the obligations set out in Chapter III of the Regulation. This may result in enforcement action, including administrative fines. Correctly applying the risk classification framework is therefore a core responsibility for compliance officers, legal teams, and AI leads within any organisation that develops or deploys AI.