Ai Governance
7 min

EU AI Act: How to Classify Your AI Systems by Risk Level

Understand the four risk tiers of the EU AI Act, determine which category your AI systems fall into, and learn what compliance obligations apply.

Netallion Team·February 10, 2026

EU AI Act: How to Classify Your AI Systems by Risk Level

The EU AI Act introduces a risk-based approach to AI regulation. Your compliance obligations depend entirely on where your AI systems fall within the risk pyramid. Getting the classification right is the first step — everything else follows from it.

The Four Risk Tiers

Unacceptable Risk (Prohibited)

These AI practices are banned outright in the EU:

  • Social scoring by governments
  • Real-time remote biometric identification in public spaces (with limited exceptions)
  • Manipulation techniques that exploit vulnerabilities
  • Emotion recognition in workplaces and educational institutions (with exceptions)
  • Untargeted scraping of facial images from the internet
If your system does any of these, stop. No compliance pathway exists — the system must be discontinued.

High Risk

AI systems in high-risk categories face the most extensive obligations. These include systems used for:

  • Biometrics — remote identification, categorisation based on sensitive attributes
  • Critical infrastructure — safety components of roads, water, gas, electricity, and digital infrastructure
  • Education — determining access to education, evaluating learning outcomes
  • Employment — recruitment, promotion, termination, task allocation, performance monitoring
  • Essential services — credit scoring, insurance pricing, emergency services dispatch
  • Law enforcement — risk assessment, polygraphs, evidence evaluation, crime prediction
  • Migration — visa processing, border control, asylum applications
  • Democratic processes — influencing voters

Limited Risk

Systems with limited risk have transparency obligations only:

  • Chatbots — users must be told they are interacting with AI
  • Emotion recognition systems — users must be informed
  • Deep fakes — must be labelled as artificially generated
  • AI-generated content — must be machine-readable as AI-generated

Minimal Risk

All other AI systems — the vast majority — have no specific obligations under the Act. These include:

  • AI-enabled video games
  • Spam filters
  • Inventory management systems
  • Recommendation engines (unless they fall into a high-risk category)

How to Classify Your Systems

Step 1: Inventory

Start by listing every AI system your organisation develops, deploys, or uses. Include:

  • Internal tools (code completion, document summarisation)
  • Customer-facing systems (chatbots, recommendation engines)
  • Third-party AI services (cloud APIs, embedded AI features)

Step 2: Categorise

For each system, determine:

  • What does it do? Map to the Annex III categories
  • Who does it affect? Consider whether it impacts fundamental rights
  • What decisions does it influence? Automated vs. human-assisted decisions
  • What data does it process? Biometric, health, financial, or other sensitive data

Step 3: Document

For each classification decision, document:

  • The rationale for the assigned risk level
  • The specific Annex III category (if high-risk)
  • The applicable articles and obligations
  • A timeline for achieving compliance

What Netallion Provides

Netallion's AI System Register lets you catalogue every AI system, assign risk levels, and generate compliance documentation:

  • 75 EU AI Act controls covering Articles 8-15 (high-risk), Article 43 (conformity assessment), and Articles 51-55 (general-purpose AI)
  • Structured artifact templates — model cards, risk assessments, and transparency statements pre-populated from your system metadata
  • AI-powered generation — Claude fills in template sections automatically
  • Register-to-pack bridge — generate a compliance pack directly from your AI register
Register your first AI system at grc.netallion.app.
EU AI Act
AI Compliance
Risk Classification
Compliance

Ready to build your compliance evidence pack?

Start with a free starter kit or create your first assurance pack.