EU AI Act: How to Classify Your AI Systems by Risk Level
The EU AI Act introduces a risk-based approach to AI regulation. Your compliance obligations depend entirely on where your AI systems fall within the risk pyramid. Getting the classification right is the first step — everything else follows from it.
The Four Risk Tiers
Unacceptable Risk (Prohibited)
These AI practices are banned outright in the EU:
- Social scoring by governments
- Real-time remote biometric identification in public spaces (with limited exceptions)
- Manipulation techniques that exploit vulnerabilities
- Emotion recognition in workplaces and educational institutions (with exceptions)
- Untargeted scraping of facial images from the internet
High Risk
AI systems in high-risk categories face the most extensive obligations. These include systems used for:
- Biometrics — remote identification, categorisation based on sensitive attributes
- Critical infrastructure — safety components of roads, water, gas, electricity, and digital infrastructure
- Education — determining access to education, evaluating learning outcomes
- Employment — recruitment, promotion, termination, task allocation, performance monitoring
- Essential services — credit scoring, insurance pricing, emergency services dispatch
- Law enforcement — risk assessment, polygraphs, evidence evaluation, crime prediction
- Migration — visa processing, border control, asylum applications
- Democratic processes — influencing voters
Limited Risk
Systems with limited risk have transparency obligations only:
- Chatbots — users must be told they are interacting with AI
- Emotion recognition systems — users must be informed
- Deep fakes — must be labelled as artificially generated
- AI-generated content — must be machine-readable as AI-generated
Minimal Risk
All other AI systems — the vast majority — have no specific obligations under the Act. These include:
- AI-enabled video games
- Spam filters
- Inventory management systems
- Recommendation engines (unless they fall into a high-risk category)
How to Classify Your Systems
Step 1: Inventory
Start by listing every AI system your organisation develops, deploys, or uses. Include:
- Internal tools (code completion, document summarisation)
- Customer-facing systems (chatbots, recommendation engines)
- Third-party AI services (cloud APIs, embedded AI features)
Step 2: Categorise
For each system, determine:
- What does it do? Map to the Annex III categories
- Who does it affect? Consider whether it impacts fundamental rights
- What decisions does it influence? Automated vs. human-assisted decisions
- What data does it process? Biometric, health, financial, or other sensitive data
Step 3: Document
For each classification decision, document:
- The rationale for the assigned risk level
- The specific Annex III category (if high-risk)
- The applicable articles and obligations
- A timeline for achieving compliance
What Netallion Provides
Netallion's AI System Register lets you catalogue every AI system, assign risk levels, and generate compliance documentation:
- 75 EU AI Act controls covering Articles 8-15 (high-risk), Article 43 (conformity assessment), and Articles 51-55 (general-purpose AI)
- Structured artifact templates — model cards, risk assessments, and transparency statements pre-populated from your system metadata
- AI-powered generation — Claude fills in template sections automatically
- Register-to-pack bridge — generate a compliance pack directly from your AI register