EU AI Act Guide

EU AI Act Risk Classification Explained: What Every Compliance Team Needs to Know in 2025

Updated 2026-05-18
Key Takeaways: The EU AI Act classifies AI systems into four risk tiers — unacceptable, high, limited, and minimal — each with distinct compliance obligations, enforcement timelines, and penalties up to €35 million or 7% of global turnover.

The EU AI Act introduces the world's first comprehensive AI regulation, and its risk-based classification system determines everything from your documentation obligations to potential fines of up to 35 million euros. Here's exactly how the four risk tiers work, what triggers each classification, and what your organization needs to do about it.

Reading time: 12 minutes | Last updated: June 2025 | Includes free downloadable classification checklist

Download the Free Risk Classification Checklist
Why This Regulation Is Different

Why the EU AI Act Risk Classification System Matters More Than You Think

Your organization almost certainly uses AI systems. The tier each one falls into dictates your legal obligations, documentation requirements, human oversight mandates, and penalty exposure. Here's what's at stake.

The Scale of Exposure

Fines Up to 7% of Global Turnover

Deploying a prohibited AI system carries penalties up to 35 million euros or 7% of annual global turnover, whichever is higher. Non-compliance with high-risk obligations triggers fines up to 15 million euros or 3%. These aren't theoretical. Enforcement begins in February 2025 for prohibited systems, with high-risk obligations phasing in through August 2027.

EU AI Act, Article 99, penalty framework as adopted in final text, June 2024

The Governance Gap

You Can't Manage What You Haven't Mapped

For organizations operating across multiple subsidiaries, jurisdictions, and business units, each potentially deploying different AI systems, the classification exercise alone is a significant governance challenge. HR may be using AI-powered screening tools in one entity while procurement uses predictive analytics in another. Without a centralized inventory, you're flying blind into enforcement.

Based on Priverion's experience deploying AI registers with multi-entity organizations across 50+ jurisdictions

The Hidden Risk

Your Existing HR Tech May Already Be Non-Compliant

AI-powered emotion recognition in workplaces and educational settings is now classified as unacceptable risk under the final AI Act text. Many organizations don't realize that existing employee monitoring tools, video interview platforms, or engagement analytics may contain emotion detection features that trigger an outright ban: not just a compliance obligation, but a prohibition.

EU AI Act, Article 5(1)(f), prohibition on emotion recognition in workplace and education contexts, final consolidated text

The regulation is 144 pages long. Guidance is still evolving. And most summaries online oversimplify the classification criteria to the point of being misleading. Keep reading for the precise, operationally useful breakdown your team needs, or grab the checklist now.

How the EU AI Act's Four-Tier Risk Classification Works

The EU AI Act categorizes all AI systems into four risk tiers: Unacceptable, High, Limited, and Minimal. Your tier determines your obligations, ranging from an outright prohibition to essentially no regulatory requirements at all.

The critical thing most summaries get wrong: classification isn't based on the technology itself. It's based on the intended purpose and context of deployment. The same large language model can fall into different tiers depending on whether it's used for customer service chatbots (limited risk) or employee performance evaluation (high risk). This means you can't classify your AI inventory once and forget about it: every new use case requires a fresh assessment.

What follows is a detailed breakdown of each tier: what triggers classification, what your obligations are, concrete examples, and the enforcement timeline. This is the operational reference your compliance team actually needs, not the oversimplified pyramid diagram you'll find in most blog posts.

Tier 1 of 4

Unacceptable Risk: Prohibited AI Practices

Enforcement deadline: February 2, 2025 (already in effect)

These AI systems are banned outright. No compliance pathway exists: if you're deploying one of these, your only legal option is to stop. The penalty for violation is the highest in the regulation: up to 35 million euros or 7% of annual global turnover.

What triggers unacceptable risk classification:

  • Social scoring systems by public authorities that evaluate or classify individuals based on social behavior or personality characteristics, leading to detrimental treatment disproportionate to the context
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow exceptions for specific serious crimes, subject to prior judicial authorization)
  • AI systems that deploy subliminal, manipulative, or deceptive techniques to materially distort behavior in a way that causes or is likely to cause significant harm
  • AI systems that exploit vulnerabilities of specific groups (age, disability, social or economic situation) to materially distort behavior causing significant harm
  • Emotion recognition systems in the workplace and educational institutions (except for medical or safety purposes)
  • Untargeted scraping of facial images from the internet or CCTV footage to create or expand facial recognition databases
  • Biometric categorization systems that categorize individuals based on biometric data to infer race, political opinions, trade union membership, religious beliefs, or sexual orientation (except lawfully acquired biometric data in law enforcement contexts)

What this means for your organization right now

This tier's enforcement date has already passed. If your organization uses employee monitoring tools, video interview platforms, or workplace analytics software, you need to audit whether any of these tools contain emotion detection or biometric categorization features, even as secondary functionality. Many vendors embedded these capabilities as "engagement analytics" or "sentiment features" without making the regulatory implications clear to buyers. Priverion's AI Register helps you inventory and classify every AI system across your group entities so nothing falls through the cracks.

EU AI Act, Article 5, Prohibited Artificial Intelligence Practices, final consolidated text adopted June 2024

Tier 2 of 4

High Risk: Permitted but Heavily Regulated

Enforcement deadline: August 2, 2026 (Annex III systems) / August 2, 2027 (Annex I systems, product safety)

This is where most of the operational complexity lives. High-risk AI systems are permitted, but they come with extensive documentation, testing, monitoring, and human oversight requirements. Non-compliance triggers fines of up to 15 million euros or 3% of annual global turnover. For multi-entity organizations, the challenge multiplies: different subsidiaries may deploy the same type of system under different conditions, each requiring independent compliance assessment.

High-risk categories under Annex III (the ones most relevant to enterprises):

  • Biometric identification and categorization of natural persons (beyond the prohibited categories above)
  • Management and operation of critical infrastructure: AI systems used as safety components in road traffic, water, gas, heating, and electricity supply
  • Education and vocational training: AI used to determine access to education, evaluate learning outcomes, assess appropriate levels of education, or monitor prohibited behavior during tests
  • Employment, worker management, and access to self-employment: AI used for recruitment, job advertising, screening or filtering applications, evaluating candidates, making promotion or termination decisions, allocating tasks based on individual behavior or traits, and monitoring/evaluating worker performance
  • Access to essential services: AI used in evaluating creditworthiness, risk assessment and pricing in life and health insurance, evaluating and classifying emergency calls, assessing eligibility for public benefits and services
  • Law enforcement: AI used for individual risk assessments, polygraphs, detecting deepfakes as evidence, evaluating evidence reliability, predicting criminal offenses based on profiling
  • Migration, asylum, and border control: AI used in processing applications, assessing security risks, examining travel documents
  • Administration of justice and democratic processes: AI used to assist judicial authorities in researching and interpreting facts and law

Compliance obligations for high-risk AI systems:

  • Risk management system: establish, implement, document, and maintain a continuous risk management process throughout the AI system's lifecycle
  • Data governance: training, validation, and testing datasets must meet quality criteria including relevance, representativeness, completeness, and statistical appropriateness
  • Technical documentation: detailed documentation before the system is placed on the market, kept up to date, and sufficient for authorities to assess compliance
  • Record-keeping: automatic logging of events (logs) throughout the system's lifetime, enabling traceability of the system's functioning
  • Transparency and information to deployers: provide clear instructions for use including the system's intended purpose, level of accuracy, known limitations, and circumstances of foreseeable misuse
  • Human oversight: designed to allow effective oversight by natural persons during use, including the ability to fully understand the AI system's capacities and limitations, correctly interpret output, and decide not to use the system or override its output
  • Accuracy, robustness, and cybersecurity: appropriate levels must be achieved and maintained throughout the lifecycle
  • Conformity assessment: before deployment, depending on the type of system
  • EU database registration: high-risk AI systems must be registered in the EU database before being placed on the market
  • Post-market monitoring: providers must establish and document a post-market monitoring system proportionate to the nature and risk of the system

The multi-entity challenge

For organizations with 10, 20, or 50+ subsidiaries, high-risk compliance becomes a governance architecture problem. Your German subsidiary's HR department may use an AI screening tool from vendor A, while your French entity uses vendor B for the same purpose. Both are high-risk. Both require independent compliance documentation. Both need ongoing monitoring. Without a centralized system to track, classify, and manage these obligations across entities, you're essentially asking each local DPO to independently solve the same problem, with no visibility at group level. This is exactly the problem Priverion's AI Register and group-wide dashboard were designed to address.

EU AI Act, Articles 6-15 (high-risk classification and requirements), Annex III (listed high-risk areas), final consolidated text

Tier 3 of 4

Limited Risk: Transparency Obligations

Enforcement deadline: August 2, 2026 (general provisions including transparency)

Limited-risk AI systems don't face the heavy documentation and oversight requirements of high-risk systems, but they do carry specific transparency obligations. The core principle: people interacting with AI must know they're interacting with AI. This tier captures a large portion of the AI systems organizations deploy today, including most chatbots, content generation tools, and synthetic media applications.

What falls under limited risk:

  • AI systems designed to directly interact with natural persons (chatbots, virtual assistants, AI customer service agents): must clearly disclose they are AI-driven unless this is obvious from context
  • AI systems that generate or manipulate image, audio, or video content (deepfakes, synthetic media, AI-generated images): output must be machine-readable as artificially generated or manipulated
  • AI systems that generate text published for the purpose of informing the public on matters of public interest: must be labeled as artificially generated, unless editorially reviewed by a human
  • Emotion recognition systems and biometric categorization systems (where not prohibited under Tier 1): must inform the persons exposed to them of the operation of the system and process personal data in accordance with GDPR

Compliance obligations:

  • Disclosure: providers must ensure AI systems intended for direct human interaction are designed so that individuals are informed they are interacting with an AI system, unless this is obvious from the circumstances and context of use
  • Labeling of synthetic content: providers of AI systems that generate synthetic audio, image, video, or text content must ensure outputs are marked in a machine-readable format as artificially generated or manipulated
  • Deployer obligations for deepfakes: deployers must disclose that content has been artificially generated or manipulated where it constitutes a deepfake, except for artistic, satirical, or fiction purposes with appropriate safeguards

The practical implication for most organizations

If your organization uses any customer-facing chatbot, AI-assisted content creation, or AI-powered communication tools, you likely have limited-risk obligations today. The good news: these are operationally lighter than high-risk requirements. The challenge: most organizations haven't inventoried their AI systems comprehensively enough to know which ones trigger limited-risk transparency obligations. An employee using ChatGPT to draft customer communications, a marketing team using AI image generation, a support team using an AI chatbot: all of these may require disclosure mechanisms you haven't implemented yet.

EU AI Act, Article 50, Transparency Obligations for Providers and Deployers of Certain AI Systems, final consolidated text

Tier 4 of 4

Minimal Risk: No Specific Obligations

No specific EU AI Act compliance deadline; general provisions apply from August 2, 2026

The vast majority of AI systems in use today fall into this tier. AI-enabled video games, spam filters, inventory management systems, AI-powered search algorithms, AI-assisted manufacturing optimization: these are all minimal risk. The EU AI Act imposes no specific regulatory obligations on minimal-risk AI systems beyond encouraging voluntary adoption of codes of conduct.

Examples of minimal-risk AI systems:

  • AI-powered spam filters and email categorization
  • AI-enabled video games and entertainment applications
  • AI-driven inventory management and supply chain optimization
  • AI-powered search and recommendation engines (when not used in high-risk contexts like employment or education)
  • AI-assisted manufacturing quality control and process optimization
  • AI-powered language translation tools (when not generating public-facing content)
  • Robotic process automation (RPA) with AI components for routine administrative tasks

What "no specific obligations" actually means:

  • No mandatory documentation, conformity assessment, or registration requirements under the AI Act
  • The EU Commission encourages (but does not require) providers of minimal-risk AI to voluntarily apply the principles of trustworthy AI and adhere to voluntary codes of conduct
  • Other regulations still apply: GDPR, sector-specific regulations, product safety rules, and employment law continue to govern these systems independently of the AI Act
  • Classification can change: if a minimal-risk system is repurposed for a high-risk use case (e.g., adapting an inventory optimization AI for employee performance tracking), it triggers reclassification

Why you still need to track minimal-risk AI

The absence of AI Act obligations doesn't mean absence of governance responsibility. For audit readiness and board-level reporting, you need a complete picture of all AI systems across your organization, including those that are minimal risk. Why? Because classification can change when systems are repurposed, because supervisory authorities may request your complete AI inventory, and because demonstrating comprehensive governance (even of minimal-risk systems) builds trust with regulators. Priverion's AI Register captures all four tiers in a single inventory, making it straightforward to demonstrate complete oversight when asked.

EU AI Act, Article 95, Codes of Conduct for Voluntary Application; Recital 28, risk-based approach; final consolidated text

Enforcement Timeline: When Each Tier Takes Effect

The EU AI Act doesn't hit all at once. It follows a phased enforcement timeline that's already underway. Missing a deadline isn't a theoretical risk; it's a live compliance gap.

| Date | What Takes Effect | Who Is Affected |
| --- | --- | --- |
| February 2, 2025 | Prohibition of unacceptable-risk AI systems; AI literacy obligations | All organizations deploying or providing AI systems within the EU |
| August 2, 2025 | Obligations for providers of general-purpose AI models (including foundation models and GPAI with systemic risk) | Providers of GPAI models, including open-source model providers above thresholds |
| August 2, 2026 | Full application of the regulation, including high-risk requirements for Annex III systems, transparency obligations for limited-risk systems, governance and market surveillance structures | Providers, deployers, importers, and distributors of all AI systems in scope |
| August 2, 2027 | High-risk AI obligations for systems that are safety components of products regulated under Annex I (e.g., medical devices, machinery, vehicles, aviation) | Providers and deployers of AI systems embedded in regulated products |

The first deadline has already passed. The next significant wave, August 2026, is when the bulk of organizations will feel the impact. That gives you roughly 14 months from the date of this publication to have your AI inventory complete, your classifications documented, and your high-risk compliance programs operational.

Dates per EU AI Act, Article 113, Entry into Force and Application, final consolidated text as published in Official Journal of the EU, July 2024

Not sure which tier your AI systems fall into?

Priverion's AI Register helps you inventory every AI system across your group, classify each by risk tier, and track compliance obligations, all in one centralized dashboard your DPO and board can actually use.

Side-by-Side Comparison

EU AI Act Compliance: Priverion vs. OneTrust

Both platforms offer AI governance capabilities. The difference is in how they were built, who they were built for, and what you actually pay.

| Capability | OneTrust | Priverion |
| --- | --- | --- |
| AI system inventory / register | Available as add-on module; US-hosted by default; inventory exists within broader GRC suite | Purpose-built AI Register for EU AI Act classification; Swiss-hosted; integrated with privacy program management |
| Risk classification | Manual classification workflow; requires configuration by implementation team | AI-assisted classification with human review; maps systems to all four EU AI Act tiers automatically |
| Multi-entity management | Possible but requires per-entity licensing; group-wide visibility requires additional configuration | Built for multi-entity from day one; single dashboard across all subsidiaries and jurisdictions; included in base pricing |
| GDPR + AI Act integration | Separate modules for privacy and AI governance; data mapping may require manual linking | Unified platform: AI Register connects directly to ROPA, DPIAs, and vendor risk assessments; classification feeds into existing privacy workflows |
| Data residency | US-headquartered; EU hosting available but may require contract negotiation and premium pricing | Swiss-built, Swiss-hosted; all data processing within Swiss infrastructure; European data residency guaranteed |
| Implementation timeline | 6–12 months typical for full deployment; requires dedicated project team and often external consultants | Operational in weeks; Aircraft manufacturer achieved 60% compliance admin reduction in first 6 months without external consultants |
| Pricing model | Per-user, per-module pricing; costs escalate with subsidiaries, users, and feature additions | Based on number of entities and organizational size; no per-user or per-module charges; predictable annual cost |
| AI transparency | AI capabilities within platform; data processing terms vary by contract | AI assists, humans decide; no customer data used for model training; all AI outputs reviewed before becoming compliance records |

Comparison based on publicly available product documentation and Priverion customer deployment data as of June 2025. OneTrust capabilities may vary by licensing tier and contract terms.

What we don't do, and why that matters

We don't cover ESG reporting, ethics hotlines, or cookie consent. We're not built for single-entity companies. We focus entirely on multi-entity privacy program management and AI governance, and we do it better than anyone.

How to Operationalize AI Act Compliance Across Your Organization

Understanding the four tiers is step one. The harder question for compliance teams is: how do you actually implement this across a multi-entity organization where AI systems are being adopted faster than you can inventory them?

Step 1: Build a complete AI inventory

You cannot classify what you haven't found. Start by surveying every business unit, subsidiary, and function. Don't just ask "do you use AI?"; ask about specific tools: chatbots, screening tools, analytics platforms, content generation tools, automated decision-making systems, and any software that uses machine learning, neural networks, or natural language processing. Many employees don't think of their tools as "AI," so be specific.

Priverion's AI Register provides a structured framework for this inventory across all group entities, with templates and workflows that make it practical to collect information from dozens of business units without creating yet another spreadsheet exercise.

Step 2: Classify each system by risk tier

For each AI system in your inventory, determine: What is its intended purpose? What context is it deployed in? Does it fall under any Annex III high-risk category? Does it interact directly with individuals (triggering limited-risk transparency obligations)? Does it generate synthetic content? Could any feature, even a secondary one, trigger a prohibition? Document your classification reasoning. You'll need it for audit readiness.

Step 3: Prioritize high-risk compliance programs

For any system classified as high-risk, you need to build or verify: a risk management system, data governance procedures, technical documentation, logging capabilities, human oversight mechanisms, and accuracy/robustness testing. For multi-entity organizations, determine whether you need a centralized compliance program or entity-level programs, or both. The answer usually depends on whether the same AI system is deployed uniformly across entities or whether each entity has made independent procurement decisions.

Step 4: Implement transparency mechanisms for limited-risk systems

For every customer-facing chatbot, AI content generator, or synthetic media tool, implement disclosure mechanisms. This sounds simple, but in practice it requires changes to user interfaces, content workflows, and metadata standards. Coordinate with your product, marketing, and customer experience teams: these transparency obligations aren't just a compliance exercise, they're a user experience consideration.

Step 5: Establish ongoing monitoring and reclassification processes

AI systems don't stay in one tier forever. A minimal-risk system repurposed for a high-risk use case needs reclassification. New vendor features may change the risk profile. Business units may adopt new AI tools without informing the compliance team. Build a process, ideally automated, that surfaces changes and triggers reclassification reviews. This is where the difference between spreadsheet management and a purpose-built platform becomes most apparent.

200+

Hours saved on compliance documentation

Medtec saved 200+ hours preparing for ISO 27001, eliminating manual tracking across their organization in the first year.

60%

Less compliance admin time

Aircraft manufacturer reduced compliance admin time by 60% in their first 6 months, with predictable pricing based on entities, not per-user seats.

3 mo

Ahead of schedule on ISO 27001

Medtec accelerated their ISO 27001 certification timeline by 3 months using Priverion's audit-ready evidence packages and automated documentation.

Priverion vs. OneTrust

Built for the mid-market. Not stripped down from the enterprise.

OneTrust serves Fortune 500 organizations with broader GRC scope and dedicated privacy teams. Mid-market organizations with 5–50 entities need something different: not less capable, but differently capable.

The typical OneTrust experience

About this page — references, definitions, and FAQs

Key Takeaways — EU AI Act Risk Classification

The EU AI Act (Regulation 2024/1689) establishes the world's first comprehensive, legally binding framework for artificial intelligence. Its risk-based classification system assigns every AI system to one of four tiers — unacceptable, high, limited, or minimal risk — based on intended purpose and deployment context. Penalties reach up to €35 million or 7% of global annual turnover. Enforcement began in February 2025 for prohibited practices, with high-risk obligations phasing in through August 2027. Compliance teams must inventory all AI systems, classify each by use case, and implement tier-specific controls.

What is the EU AI Act?

The EU AI Act (formally Regulation (EU) 2024/1689) is the European Union's horizontal regulation laying down harmonised rules on artificial intelligence. It was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024. The regulation adopts a risk-based approach, imposing obligations proportionate to the level of risk an AI system poses to health, safety, and fundamental rights. Source: EUR-Lex, Regulation (EU) 2024/1689

What is risk-based classification in AI regulation?

Risk-based classification is a regulatory methodology that assigns compliance obligations based on the potential harm an AI system may cause, rather than regulating the technology itself. The EU AI Act defines four tiers: unacceptable risk (Article 5, prohibited), high risk (Articles 6–51, heavily regulated), limited risk (Article 50, transparency obligations), and minimal risk (no specific requirements). This approach mirrors established product-safety frameworks in EU law. Source: EUR-Lex, Regulation (EU) 2024/1689

What is a conformity assessment under the EU AI Act?

A conformity assessment is the process by which a provider of a high-risk AI system demonstrates that the system meets the requirements set out in Chapter III, Section 2 of the EU AI Act. Depending on the system category, this may be a self-assessment or require involvement of a notified body. The assessment covers risk management, data governance, technical documentation, accuracy, robustness, and cybersecurity. Source: EUR-Lex, Regulation (EU) 2024/1689, Articles 40–43

What is a general-purpose AI (GPAI) model?

A general-purpose AI model is an AI model — including large generative models — trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks. GPAI providers face transparency obligations from August 2025, and models posing systemic risk face additional requirements including adversarial testing and incident reporting. Source: EUR-Lex, Regulation (EU) 2024/1689, Articles 51–56

Statistics and Market Context

According to the EU AI Act final text (Recital 1), the regulation aims to ensure AI systems placed on the Union market are safe and respect fundamental rights. The penalty framework in Article 99 establishes three fine tiers: up to €35 million or 7% of global turnover for prohibited practices, up to €15 million or 3% for high-risk non-compliance, and up to €7.5 million or 1% for supplying incorrect information. According to a 2024 IAPP survey, fewer than 25% of organizations had begun formal AI inventorying by mid-2024 (IAPP). A 2024 McKinsey Global Survey found that 72% of organizations had adopted AI in at least one business function, up from 55% in 2023 (McKinsey, The State of AI 2024). The European Commission's impact assessment estimated that approximately 15% of AI systems deployed in the EU would fall under the high-risk category.

Frequently Asked Questions

What are the four risk tiers under the EU AI Act?

The EU AI Act classifies AI systems into four tiers: Unacceptable Risk (prohibited outright under Article 5), High Risk (permitted but heavily regulated under Articles 6–51, requiring conformity assessments, risk management systems, and human oversight), Limited Risk (subject to transparency obligations under Article 50, such as disclosing AI-generated content), and Minimal Risk (no specific regulatory requirements). Classification depends on the intended purpose and deployment context, not the underlying technology. Source: EUR-Lex, Regulation (EU) 2024/1689

What are the maximum fines under the EU AI Act?

The EU AI Act establishes a three-tier penalty framework under Article 99. Deploying a prohibited AI system carries fines of up to €35 million or 7% of annual global turnover, whichever is higher. Non-compliance with high-risk obligations triggers fines of up to €15 million or 3%. Supplying incorrect information to notified bodies or national authorities can result in fines of up to €7.5 million or 1%. For SMEs and startups, fines are capped at the lower of the two amounts. Source: EUR-Lex, Regulation (EU) 2024/1689, Article 99

When do EU AI Act enforcement deadlines begin?

Enforcement is phased over a 36-month period from entry into force (1 August 2024): February 2, 2025 — prohibited AI practices (Article 5) become enforceable. August 2, 2025 — obligations for general-purpose AI model providers apply. August 2, 2026 — high-risk obligations for Annex III systems (standalone high-risk AI). August 2, 2027 — high-risk obligations for Annex I systems (AI embedded in regulated products). Source: EUR-Lex, Regulation (EU) 2024/1689, Article 113

Is emotion recognition in the workplace banned under the EU AI Act?

Yes. Under Article 5(1)(f) of the EU AI Act, emotion recognition systems deployed in workplace and educational settings are classified as unacceptable risk and are prohibited, except when used for medical or safety purposes. This prohibition has been enforceable since February 2, 2025. Organizations should audit existing HR technology, video interview platforms, and employee engagement analytics tools for embedded emotion detection features, which vendors may have marketed as "sentiment analysis" or "engagement scoring." Source: EUR-Lex, Regulation (EU) 2024/1689, Article 5

How does the EU AI Act classify the same AI model used in different contexts?

Classification under the EU AI Act is use-case dependent, not technology-dependent. The same large language model could be classified as limited risk when deployed as a customer service chatbot (requiring only transparency disclosures under Article 50) but as high risk when used for employee performance evaluation or creditworthiness assessment (requiring full conformity assessments under Articles 6–43). This means organizations cannot classify their AI inventory once — every new deployment context requires a fresh risk assessment. Source: EUR-Lex, Regulation (EU) 2024/1689, Article 6

What compliance obligations apply to high-risk AI systems?

Providers of high-risk AI systems must implement: a risk management system (Article 9), data governance measures (Article 10), technical documentation (Article 11), record-keeping and automatic logging (Article 12), transparency and information provision to deployers (Article 13), human oversight measures (Article 14), and standards for accuracy, robustness, and cybersecurity (Article 15). They must also conduct a conformity assessment (Articles 40–43), register the system in the EU database (Article 49), establish a quality management system (Article 17), and implement post-market monitoring (Article 72). Source: EUR-Lex, Regulation (EU) 2024/1689, Chapter III

EU AI Act Risk Tier Comparison

| Risk Tier | EU AI Act Articles | Key Obligations | Maximum Penalty | Enforcement Date |
| --- | --- | --- | --- | --- |
| Unacceptable | Article 5 | Outright prohibition; must cease deployment | €35M or 7% turnover | February 2, 2025 |
| High | Articles 6–51 | Conformity assessment, risk management, human oversight, technical documentation, EU database registration | €15M or 3% turnover | August 2, 2026 / August 2, 2027 |
| Limited | Article 50 | Transparency disclosures (e.g., inform users they are interacting with AI, label AI-generated content) | €15M or 3% turnover | August 2, 2026 |
| Minimal | No specific articles | No mandatory requirements; voluntary codes of conduct encouraged | N/A | N/A |