← Back to blog

Am I "High-Risk" Under the EU AI Act?

If you are building or deploying AI in Europe, this is the most critical question you will face. Your answer determines whether you are subject to a handful of transparency rules or a massive regime of 47 mandatory obligations backed by penalties of up to €15 million.

But most self-assessments are based on a misunderstanding of how the Act actually works. Here is the structural walkthrough of the AI Act’s risk classification system.

The Four Categories of Risk

The EU AI Act does not regulate "AI" as a single entity. It regulates the intended use of the system. It divides the world into four tiers:

  1. Unacceptable Risk: Systems that are simply banned (e.g., social scoring, certain biometric surveillance).
  2. High-Risk: Systems that significantly impact safety or fundamental rights (e.g., recruitment, credit scoring, critical infrastructure).
  3. Limited Risk: Systems with transparency duties (e.g., chatbots, deep fakes).
  4. Minimal Risk: Everything else (e.g., spam filters, AI-enabled video games).

    5. The "High-Risk" Test (Article 6)

    To determine if you are high-risk, the law applies a two-step gate.

    Step 1: Safety Components (Article 6(1))

    Your system is high-risk if it is used as a safety component in a product that is already regulated by EU safety laws (like medical devices, cars, or elevators) and is subject to a third-party conformity assessment.

    Step 2: The Annex III List (Article 6(2))

    Even if you aren't a safety component, you are high-risk if your system falls into one of the categories listed in Annex III. This list currently includes:

    • Biometrics: Remote identification and categorization.
    • Critical Infrastructure: Managing water, gas, or heat.
    • Education: Evaluation of students or admissions.
    • Employment: Recruitment, promotion, or termination decisions.
    • Essential Services: Credit scoring, emergency response prioritization.
    • Law Enforcement & Migration: Risk assessment, polygraphs, or border control.

    The Semantic Trap: Intended Use

    The Act doesn't care what your AI could do. It cares what it is intended to do.

    If you build a general-purpose sentiment analysis tool, you might be minimal risk. But if you market that tool to a HR department to "analyze candidate personality during interviews," you have semantically shifted into the High-Risk Employment category (Annex III, 4a).

    Why Self-Assessment is Dangerous

    The boundaries of these categories are not always clear. Our semantic analysis of Annex III identified high "Scope Ambiguity" in areas like "Evaluation of candidates."

    Does a tool that merely "filters" CVs based on keywords count as "evaluating" them?

    • If yes: High-risk.
    • If no: Minimal risk.

    The difference between those two interpretations is a compliance cost delta of hundreds of thousands of Euros.

    How to Get it Right

    Don't guess. Our Classification Assessment provides a formal, governed determination of your system’s risk level. We use a machine-reasoning pipeline to map your system's technical description against the Act's linguistic architecture.

    What you get:

    • A definitive risk classification.
    • The forensic receipt proving the decision logic.
    • A map of the specific penalty exposure for your category.

    Get classified in 48 hours. €2,500.

    Ensure your roadmap is based on forensic reality, not guesswork.

    [Book Classification Assessment]