EU AI Act Risk Classifier — Is My AI System High-Risk?
Answer six questions and find out instantly whether your AI is prohibited, high-risk, limited-risk or minimal-risk under Regulation (EU) 2024/1689 — with the exact articles, the obligations for your role, and the compliance deadline. Free, no signup, every branch cited.
How it works
The classifier encodes the decision logic of the EU AI Act — Regulation (EU) 2024/1689, in force since 1 August 2024 — as a strict, ordered decision tree. The primary risk tier is decided on a first-match-wins basis, while general-purpose AI (GPAI) and transparency duties are evaluated as parallel overlays that can stack on top of whatever tier your system lands in. There is no arithmetic: the only “computation” is ordered branching and set membership, so the result is fully deterministic and reproducible from the cited articles.
- Prohibited (Art 5). If the system performs any of the eight banned practices — social scoring, untargeted facial scraping, real-time remote biometric identification for law enforcement, emotion inference at work or school, and the rest — it is prohibited. It has been unlawful to place such a system on the market since 2 February 2025, so the tree short-circuits here and no obligation checklist is produced.
- High-risk (Art 6 + Annex I / Annex III). If the AI is a safety component of an Annex I regulated product, or its intended use falls in any of the eight Annex III areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice), it is high-risk. Providers then carry the Art 9–15 duties — risk management, data governance, technical documentation, logging, transparency, human oversight and accuracy — plus conformity assessment and CE marking (Art 43, 48) and EU-database registration (Art 49). Deployers, importers and distributors carry the lighter duties of Art 26, 23 and 24 respectively.
- Limited-risk (Art 50). If the system is not high-risk but interacts with people, generates synthetic content, performs emotion recognition or biometric categorisation, or produces deepfakes, it is limited-risk: you must disclose the AI interaction, label synthetic and deepfake content in a machine-readable way, and notify people of emotion recognition.
- Minimal-risk. Everything else carries no mandatory obligations. The cross-cutting AI-literacy duty (Art 4, in force since 2 February 2025) and the voluntary codes of conduct (Art 95) are surfaced as recommendations.
The GPAI overlay (Art 51–55) attaches whenever you flag a general-purpose model: Art 53 documentation, a training-data summary and a copyright policy. Where training compute exceeds 10²⁵ FLOPs, the model is presumed to carry systemic risk (Art 51(2)), adding the Art 55 duties of model evaluation, adversarial testing, incident reporting and cybersecurity. Each result is double-checked: the same answers are re-run through an independent priority-table path, and the three worked examples below are encoded as a regression set so the tier logic cannot silently drift.
Worked examples
Frequently asked questions
Sources & references
- Regulation (EU) 2024/1689 (the EU AI Act) — consolidated text on EUR-Lex
- European Commission — AI Act regulatory-framework hub (phased timeline)
- AI Act Explorer — article-by-article reading aid
Article references, the Annex III areas and the Article 113 dates on this page were last cross-checked against the official EUR-Lex text on 2026-06-26. Dates and citations are a dated static snapshot — always confirm against the live Regulation, which prevails. This is informational triage, not legal advice.
Related tools
Comments & feedback
Spotted a bug or want an improvement? Tell us — our team reviews every comment, and good ideas get built. Comments are public and anonymous.
Found a misclassification, edge case, or want to suggest an improvement?
Email me at [email protected] — most fixes ship within 24 hours.