EU AI Act guide

EU AI Act classification: is my AI system high-risk?

The EU AI Act classifies every AI system into one of four risk tiers, checked in a fixed order: prohibited (Article 5), high-risk (Article 6 with Annex I or Annex III), limited-risk transparency (Article 50), and minimal risk (everything else). The order matters because a system can trip several categories and the highest applicable tier wins. A system is high-risk if it is a safety component of an Annex I regulated product requiring third-party conformity assessment, or if it falls into one of the eight Annex III domains and does not qualify for the narrow Article 6(3) exception. Work through the steps below in order.

Last reviewed: 4 July 2026

The decision path

Check these steps in order and stop at the first tier your system matches — the highest applicable tier governs.

  1. 1. Is it an AI system at all?

    Art. 3(1)

    A system is in scope if it is machine-based, operates with some autonomy, may adapt, and infers from inputs how to generate outputs such as predictions, content, recommendations or decisions. Pure deterministic if/else automation without inference is out of scope. Confirm you are not covered by an Article 2 exclusion (military, national security, scientific research only, or purely personal non-professional use).

  2. 2. Is it a prohibited practice?

    Art. 5

    Eight practices are banned outright, including social scoring, untargeted facial-image scraping, emotion recognition in the workplace or education, and certain manipulative or exploitative techniques. A ninth prohibition — AI generating non-consensual intimate imagery or child sexual abuse material — applies from 2 December 2026. Any single match makes the system prohibited (unacceptable risk); it may not be placed on the market at all.

  3. 3. Is it high-risk via Annex I (product-embedded)?

    Art. 6(1); Annex I

    The system is high-risk if it is a safety component of, or is itself, a product covered by the Union harmonisation legislation listed in Annex I (medical devices, machinery, toys, lifts, radio equipment and similar) and that product requires third-party conformity assessment. This regime applies from 2 August 2028.

  4. 4. Is it high-risk via Annex III (stand-alone domains)?

    Art. 6(2); Annex III

    The system is presumed high-risk if it falls into one of eight domains: biometrics, critical infrastructure, education, employment and worker management, access to essential private and public services (including creditworthiness and life/health insurance pricing), law enforcement, migration and border control, or the administration of justice and democratic processes. This regime applies from 2 December 2027. If a domain matches, check the Article 6(3) exception in the next step.

  5. 5. Does the Article 6(3) exception apply?

    Art. 6(3)

    An Annex III match is not high-risk if the system performs only a narrow procedural task, improves the result of a previously completed human activity, detects patterns or deviations without replacing human judgement, or performs a preparatory task — and does not materially influence the decision. Even where it applies, the provider must document the assessment (Article 6(4)) and register the system in the EU database (Article 49(2)).

  6. 6. Does it trigger Article 50 transparency (limited risk)?

    Art. 50

    If the system is not high-risk, check whether it interacts directly with people (chatbot or voice agent), generates synthetic audio, image, video or text, performs emotion recognition or biometric categorisation, or produces deepfakes. Any of these triggers a disclosure duty — but no conformity assessment or registration. These duties apply from 2 August 2026.

  7. 7. Otherwise: minimal risk

    Art. 95

    Everything else is minimal risk with no mandatory obligations, though the Article 4 AI-literacy duty still applies to staff using the system and voluntary codes of conduct are encouraged.

The Article 6(3) exception is read strictly: a nominal human reviewer who rubber-stamps AI output does not remove a system from the high-risk regime. And the profiling override is absolute — if the system performs profiling of natural persons within the meaning of Article 4(4) GDPR (evaluating personal aspects such as performance, economic situation, health, behaviour or location), it is always high-risk regardless of the four conditions.

The free classifier walks every step above and cites the Article behind each answer. If your system interacts with people or generates content, the Article 50 checker scopes the transparency duties directly.

Frequently asked questions

Is my chatbot high-risk under the EU AI Act?

Usually not. A customer-facing chatbot is typically limited-risk under Article 50: it must disclose that the user is interacting with an AI, but it faces no conformity assessment or registration. It only becomes high-risk if its purpose falls into an Annex III domain — for example, a chatbot that evaluates creditworthiness or screens job applicants — and does not qualify for the Article 6(3) exception.

What is the Article 6(3) exception?

It is a narrow escape hatch from the high-risk regime for Annex III systems. A system that matches an Annex III domain is not high-risk if it only performs a narrow procedural task, improves a previously completed human output, detects patterns without replacing human judgement, or performs a preparatory task — and does not profile people. If the system profiles natural persons in the sense of Article 4(4) GDPR, the exception never applies. Even when it does apply, the provider must document the assessment (Article 6(4)) and register the system (Article 49(2)).

How do I know if my AI system is high-risk?

There are two pathways. Under Article 6(1) the system is high-risk if it is a safety component of, or is itself, an Annex I regulated product requiring third-party conformity assessment. Under Article 6(2) it is high-risk if it falls into one of the eight Annex III domains and does not qualify for the Article 6(3) exception. Check prohibitions (Article 5) first, then high-risk, then Article 50 transparency, in that order.

What counts as a prohibited AI practice?

Article 5 bans eight practices, including social scoring, untargeted scraping of facial images to build recognition databases, emotion recognition in the workplace or education, biometric categorisation inferring sensitive attributes, and certain manipulative or exploitative techniques that cause significant harm. A ninth prohibition targeting AI-generated non-consensual intimate imagery and child sexual abuse material applies from 2 December 2026.

Is credit scoring high-risk?

Yes. Evaluating the creditworthiness of natural persons or establishing their credit score is an Annex III point 5(b) high-risk use, and it typically involves profiling, so the Article 6(3) exception does not rescue it. The one carve-out is AI used exclusively to detect financial fraud, which is not high-risk on that basis. High-risk deployers of credit-scoring systems must also perform a Fundamental Rights Impact Assessment under Article 27.

Primary sources