
EU AI Act Risk Classification: How to Know If Your System Is High-Risk

The EU AI Act (Regulation 2024/1689) classifies AI systems into four risk levels. Getting this wrong has real consequences — fines up to €15 million or 3% of global revenue. Most companies don't know which category their system falls into.

Here's the practical guide.

The Four Risk Levels

1. Prohibited (Article 5) — Since February 2025

These AI practices are banned in the EU entirely. No exceptions, no grace period.

  • Subliminal manipulation
  • Social scoring by public authorities
  • Real-time biometric identification in public spaces (with limited law enforcement exceptions)
  • Emotion inference in workplace and education (non-safety)
  • Biometric categorisation by sensitive attributes (race, religion, sexual orientation)
  • Untargeted facial recognition scraping
  • Individual predictive policing
  • Exploitation of vulnerabilities (age, disability, economic situation)

If your system does any of this, it cannot be deployed in the EU. Full stop.

2. High-Risk (Article 6 + Annex III) — Deadline August 2026

This is the category most SMEs get wrong. High-risk doesn't mean "dangerous AI" — it means AI that significantly affects people's lives.

The eight Annex III categories:

  1. Biometric identification — Facial recognition, emotion recognition
  2. Critical infrastructure — Traffic, energy, water supply management
  3. Education — Student admissions, exam grading, learning recommendations
  4. Employment — CV screening, performance monitoring, task allocation
  5. Essential services — Credit scoring, insurance pricing, welfare eligibility
  6. Law enforcement — Evidence evaluation, criminal profiling
  7. Migration & asylum — Border control, visa assessment
  8. Justice & democracy — Legal research, sentencing, elections

If your AI does any of these, you have serious obligations:

  • Risk management system (Article 9)
  • Data governance and bias testing (Article 10)
  • Technical documentation per Annex IV (Article 11)
  • Automatic event logging (Article 12)
  • Transparency to deployers (Article 13)
  • Human oversight mechanisms (Article 14)
  • Accuracy, robustness, cybersecurity (Article 15)
  • Accessibility compliance per EAA and EN 301 549 (Article 16(l))
  • EU database registration (Article 49)
  • Conformity assessment (Article 43)

The accessibility requirement is the one nobody talks about. We wrote a separate post about Article 16(l).

3. Limited Risk (Article 50) — Transparency Only

These systems have modest obligations — mostly disclosure.

  • Chatbots must inform users they're AI
  • Emotion recognition systems must notify users
  • Deepfakes and synthetic content must be labeled
  • AI-generated text published as factual information must be disclosed

Penalty for non-compliance: up to €7.5 million or 1% of global turnover.

4. Minimal Risk — No Obligations

Everything else. Spam filters, AI in video games, inventory optimization, weather prediction. No mandatory obligations under the AI Act.

How to Classify Your System

You have three options:

Option 1: European Commission's checker

The EU has a free Compliance Checker. It's basic but official.

Option 2: Ask a lawyer

€500-2000 per hour. Accurate but expensive.

Option 3: Use our free open source classifier

We built eucompliance, an open source toolkit that classifies AI systems by risk level. No signup, no tracking.

npx eu-compliance-bridge classify "automated CV screening for recruitment"

Output:

Risk Level:    HIGH
Confidence:    65%
Accessibility: REQUIRED (Article 16(l))

Annex III:
  - point 4: Employment, workers management

Obligations:
  - Risk management system (Article 9)
  - Data governance practices (Article 10)
  - Technical documentation per Annex IV (Article 11)
  ...

Or use it as a library in your own code:

import { classify } from '@eucompliance/ai-act-classifier'

const result = classify({
  name: 'Resume Screener',
  purpose: 'Automated CV screening for recruitment',
  dataTypes: ['personal'],
  affectedPersons: ['employees'],
  decisionMaking: 'semi_automated',
})

console.log(result.riskLevel) // 'high'

The classifier uses keyword matching against Annex III categories and Article 5 prohibitions. For ambiguous cases, it offers an LLM-powered mode where you can bring your own model (Gemini, Claude, OpenAI).
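As an added illustration of the keyword-matching approach described above (not the eucompliance project's own code), the sketch below applies the article's precedence: Article 5 terms first, then Annex III, then Article 50, else minimal. The keyword lists, point labels and the confidence formula are assumptions constructed from the article's own lists.

```javascript
// Article 5 prohibitions (constructed keyword list, not exhaustive)
const PROHIBITED = [
  'social scoring', 'subliminal', 'untargeted facial recognition', 'predictive policing',
];

// Annex III points, keyed by the article's eight categories (constructed keywords)
const ANNEX_III = {
  'point 1: Biometric identification': ['facial recognition', 'emotion recognition'],
  'point 2: Critical infrastructure': ['traffic management', 'energy grid', 'water supply'],
  'point 3: Education': ['student admission', 'exam grading'],
  'point 4: Employment, workers management': ['cv screening', 'recruitment', 'performance monitoring'],
  'point 5: Essential services': ['credit scoring', 'insurance pricing', 'welfare eligibility'],
  'point 6: Law enforcement': ['evidence evaluation', 'criminal profiling'],
  'point 7: Migration & asylum': ['border control', 'visa assessment'],
  'point 8: Justice & democracy': ['sentencing', 'election'],
};

// Article 50 transparency triggers (constructed)
const LIMITED = ['chatbot', 'deepfake', 'synthetic content'];

function classify(purpose) {
  const text = purpose.toLowerCase();
  const hits = (keywords) => keywords.filter((k) => text.includes(k));

  // Precedence matters: a prohibited practice is banned outright, even when the
  // same description also matches an Annex III category (e.g. facial recognition).
  const banned = hits(PROHIBITED);
  if (banned.length) return { riskLevel: 'prohibited', matched: banned, annexIII: [] };

  const annex = Object.entries(ANNEX_III)
    .map(([point, keywords]) => ({ point, matched: hits(keywords) }))
    .filter((m) => m.matched.length > 0);
  if (annex.length) {
    const matched = annex.flatMap((m) => m.matched);
    // Crude confidence: each distinct keyword hit adds weight, capped below 1.0 so
    // keyword matching is never reported as certain; low scores need human review.
    const confidence = Math.min(0.9, 0.5 + 0.15 * matched.length);
    return {
      riskLevel: 'high', confidence, matched,
      annexIII: annex.map((m) => m.point),
      accessibilityRequired: true, // Article 16(l) applies to every high-risk system
    };
  }

  const limited = hits(LIMITED);
  if (limited.length) return { riskLevel: 'limited', matched: limited, annexIII: [] };
  return { riskLevel: 'minimal', matched: [], annexIII: [] };
}
```

Because plain substring matching cannot tell a prohibited use from a permitted one in the same domain, a production classifier needs the precedence rule shown here plus a review path for low-confidence results.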

What Nobody Tells You

Three things compliance consultants don't mention:

1. Most systems aren't high-risk — but the ones that are, REALLY are

Only around 5-15% of AI systems fall into Annex III. But if yours does, you cannot ship it in the EU without full compliance. There's no "lite" version of high-risk obligations.

2. The deadline is closer than you think

August 2, 2026. That's 4 months away. Implementing Annex III compliance takes:

  • 2-3 months for documentation
  • 1-2 months for technical measures
  • 1-2 months for conformity assessment

If you start now, you might make it. If you start in June, you won't.

3. Article 16(l) will surprise most providers

Virtually no AI governance tool — open source or commercial — operationalizes the accessibility requirement. When auditors start checking it (and they will), many systems will fail conformity assessment not because of missing risk management, but because nobody thought about screen reader compatibility on the override button.

We built eucompliance specifically to address this gap.

Next Steps

  1. Classify your system with the free classifier
  2. If high-risk, run an AI Accessibility Impact Assessment to identify EN 301 549 requirements
  3. If you want a hosted dashboard with automated compliance tracking, try Regulia — built on top of eucompliance

Regulia is an open source compliance platform for EU SMEs. We believe compliance tools should be affordable, transparent, and usable by non-technical teams. If this resonates, star the repo.
