What are the four risk tiers in the EU AI Act?

The Act uses a risk-based pyramid: prohibited practices that are banned outright, high-risk systems with strict obligations, limited-risk systems with transparency duties only, and minimal-risk systems with no specific obligations. Most everyday AI falls into the minimal-risk tier.

What makes an AI system high-risk?

A system is high-risk if it is a safety component of a regulated product, or if it falls under one of the Annex III use cases — such as biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, or administration of justice — and poses a significant risk to health, safety, or fundamental rights.

What are prohibited AI practices?

Article 5 bans practices including untargeted facial-recognition scraping, social scoring by public authorities, manipulative subliminal techniques that cause harm, exploitation of vulnerabilities, certain emotion recognition at work and school, and most real-time remote biometric identification in public spaces by law enforcement.

Does this tool give legal advice?

No. It implements the public decision logic of the Act as an educational triage aid. The real classification depends on detailed facts, the final text of the Regulation, delegated acts, and guidance. Always confirm with qualified legal counsel before relying on any tier.

What about general-purpose AI models?

General-purpose AI (GPAI) models have their own dedicated rules, including transparency and documentation duties, with stricter obligations for models presenting systemic risk. This tool flags GPAI separately because the GPAI regime layers on top of the four use-case risk tiers.

EU AI Act Risk Classifier

The EU AI Act regulates artificial intelligence using a risk-based pyramid. The obligations that apply to your system — and the penalties for getting them wrong — depend entirely on which tier it lands in. This classifier walks the public decision logic of the Act to triage your system into prohibited, high-risk, limited-risk, or minimal-risk.

How it works

The tool follows the same order of evaluation the Act uses:

1. Is it a prohibited practice (Article 5)?      → PROHIBITED, stop.
2. Is it general-purpose AI?                      → GPAI rules also apply.
3. Is it a safety component of a regulated
   product, or an Annex III use case posing
   significant risk?                              → HIGH-RISK.
4. Does it interact with people, generate
   media, or use emotion/biometric categorisation?→ LIMITED-RISK (transparency).
5. Otherwise                                       → MINIMAL-RISK.

Prohibited beats everything; high-risk beats limited-risk; limited-risk beats minimal-risk. The classifier evaluates the gates top to bottom and reports the first tier that matches, plus the GPAI flag where relevant.

Notes and obligations

A high-risk classification triggers the heaviest duties: a risk-management system, data governance, technical documentation, logging, human oversight, accuracy and cybersecurity, a conformity assessment, and registration in the EU database. Limited-risk systems mainly owe transparency — telling users they are dealing with AI, labelling synthetic media, and disclosing emotion or biometric categorisation. This tool is an educational triage; the binding classification rests on the final Regulation text and qualified legal review.