The 4 Risk Categories of the EU AI Act
The EU AI Act classifies AI systems into four risk levels – from prohibited to minimal. The classification determines which obligations apply to your company.
The risk-based approach is the core of the EU AI Act. The higher the risk of an AI system, the stricter the requirements. Companies must correctly classify their AI systems to implement the right compliance measures.
Risk pyramid, from prohibited (top) to minimal (bottom): Prohibited AI (unacceptable risk), High-Risk AI (high risk), Limited Risk (transparency obligations), Minimal Risk (voluntary measures).
Prohibited AI
Art. 5 EU AI Act
AI systems considered a threat to fundamental rights and safety are completely banned in the EU. These systems may not be developed or deployed.
Examples
Social scoring by public authorities
Real-time remote biometric identification in public spaces
Manipulation through subliminal techniques
Exploitation of vulnerabilities of specific groups
Obligations
Complete prohibition. No placing on market, no putting into service, no use allowed. Violations are punishable by up to €35M or 7% of annual turnover.
High-Risk AI
Art. 6–49, Annex III EU AI Act
High-risk AI systems affect critical areas such as health, safety or fundamental rights. The most comprehensive compliance requirements apply to them.
Examples
AI in medical devices and diagnostics
AI for HR decisions (recruiting, performance evaluation)
Credit scoring and insurance scoring
AI in critical infrastructure (energy, transport)
Obligations
Risk management system, technical documentation, data governance, conformity assessment, CE marking, registration in EU database, human oversight, logging and monitoring.
Limited Risk
Art. 50 EU AI Act
AI systems with limited risk are subject to transparency obligations. Users must know they are interacting with AI or that content is AI-generated.
Examples
Chatbots and conversational AI
AI-generated text, images or videos
Deepfakes and synthetic media
Emotion recognition in the workplace
Obligations
Labeling requirement: AI-generated or -manipulated content must be marked as such. Users must be informed when interacting with an AI system.
Minimal Risk
Art. 95 EU AI Act
The vast majority of AI systems fall into this category. No legal obligations apply, but voluntary codes of conduct are recommended.
Examples
Spam filters in email programs
AI-powered product recommendations in online shops
AI optimization in computer games
Automatic spell checking
Obligations
No legal obligations. Voluntary codes of conduct and transparency towards users are recommended (Art. 95).
Quick Test: Which Risk Category?
| Question | If yes... | Risk category |
|---|---|---|
| Does your AI system manipulate human behavior? | System is likely prohibited | Prohibited AI |
| Does it affect health, safety or fundamental rights? | System qualifies as high-risk | High-Risk AI |
| Does it generate content or interact with users? | Transparency obligations apply | Limited Risk |
| None of the above apply? | Voluntary measures recommended | Minimal Risk |
Source: Regulation (EU) 2024/1689 of the European Parliament and Council of 13 June 2024. EUR-Lex full text