Settle your EU AI Act risk tier and the evidence it demands
Walk a decision tree built from Regulation (EU) 2024/1689, land on a risk class, and get the article citations, obligations, and evidence checklist that apply to it.
The EU AI Act sorts every AI system into one of four tiers. Prohibited practices under Article 5 are banned outright. High-risk systems under Article 6 and Annex III carry the heaviest duties: risk management, data governance, technical documentation, logging, human oversight, and conformity assessment. Limited-risk systems owe transparency under Article 50. Everything else is minimal risk. General-purpose AI models sit on a separate track with their own provider obligations.
Classification is the first move because every duty flows from it. Get the tier wrong and you either over-build controls a minimal-risk system never needed, or you miss the conformity assessment and registration that a high-risk system cannot ship without. The gap between those outcomes is large: penalties for prohibited practices reach 35 million euro or 7 percent of worldwide annual turnover.
The timeline is already running. Prohibitions applied from 2 February 2025, general-purpose AI model obligations from 2 August 2025, and most high-risk obligations from 2 August 2026. This tool walks the Annex III and Article 5 logic with you, then returns the specific articles, obligations, and evidence artifacts for your result so you know what to document and when.
How it works
- Answer the decision tree one question at a time. It screens the Article 3(1) definition, the Article 5 prohibitions, the general-purpose AI model track, the Annex I product route, and the Annex III high-risk areas, including the Article 6(3) exemption for narrow or preparatory tasks.
- Land on a risk class: prohibited, high risk, limited risk with transparency duties, minimal risk, or general-purpose AI model obligations. Each result cites the exact articles that apply.
- Work the evidence checklist. High-risk results list the concrete artifacts you need, from a lifecycle risk register to training-data documentation, event logs, an oversight procedure, accuracy test reports, and a declaration of conformity.
- Copy or download the assessment as markdown, and share the result link, which encodes your answers so a colleague sees the same path and outcome.
What makes an AI system high risk under Annex III?
Annex III lists eight areas where an AI system's intended purpose makes it high risk under Article 6(2): biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, and justice and democratic processes. The enforcement-dates table shows when each obligation starts applying, from the Article 5 prohibitions in February 2025 to the high-risk product duties in August 2027.
Biometrics #
Remote biometric identification, biometric categorisation, and emotion recognition that are not already banned under Article 5.
Examples: Matching a face against a watchlist after the event; Sorting people into groups from biometric data; Emotion recognition outside the workplace and education
Critical infrastructure #
Safety components used to manage and operate digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity.
Examples: Safety control of an electricity or water network; Road-traffic management that can affect safety
Education and vocational training #
Systems that decide access, admission, and assignment to programmes, evaluate learning outcomes, or monitor conduct during exams.
Examples: Scoring or ranking applicants for admission; Grading exams; Detecting prohibited behaviour during a test
Employment and worker management #
Systems used to recruit, screen, and select people, or to make decisions about tasks, promotion, termination, and monitoring at work.
Examples: Filtering or ranking job applications; Allocating tasks or evaluating performance; Monitoring and evaluating workers
Access to essential services #
Systems deciding eligibility for public benefits, scoring creditworthiness, pricing and assessing risk in life and health insurance, or triaging emergency calls.
Examples: Deciding eligibility for public assistance; Credit scoring of a person; Risk and pricing for life or health insurance; Dispatching or prioritising emergency response
Law enforcement #
Systems that assess a person's risk, evaluate the reliability of evidence, or profile people in the course of detecting, investigating, or prosecuting offences.
Examples: Assessing the risk a person poses; Evaluating the reliability of evidence; Profiling during an investigation
Migration, asylum, and border control #
Systems that assess risk, examine applications, or detect people in the context of migration, asylum, and border management.
Examples: Assessing security or irregular-migration risk; Examining asylum, visa, or residence applications
Justice and democratic processes #
Systems that assist a judicial authority in researching and interpreting facts and law, or that are used to influence the outcome of an election or voting behaviour.
Examples: Helping a court research and apply the law to facts; Influencing how people vote in an election
When does each EU AI Act obligation start applying?
| Date | Milestone | What it covers |
|---|---|---|
| 2 Feb 2025 | Prohibited practices banned | The Article 5 bans on prohibited AI practices start applying. |
| 2 Aug 2025 | GPAI model obligations | Provider obligations for general-purpose AI models start applying. |
| 2 Aug 2026 | High-risk and transparency obligations | Obligations for Annex III high-risk systems, and the Article 50 transparency duties, start applying. |
| 2 Aug 2027 | High-risk product obligations | Obligations for high-risk AI embedded in Annex I regulated products start applying. |
For AI agents
This tool is fully usable by agents. Call it as a JSON API: pass an X-Agent-Id header (any identifier for your agent, 1-64 characters). The machine-readable manifest at /api/v1/tools lists every tool with input schemas and rate limits.
curl -s https://systemprompt.io/api/v1/tools/eu-ai-act/run \
-H "Content-Type: application/json" -H "X-Agent-Id: my-agent" \
-d '{"answers": []}'
Frequently asked questions
What are the EU AI Act risk categories?
What makes an AI system high risk?
What is the Article 6(3) carve-out?
What do Articles 9, 12, and 14 require in practice?
When do the obligations apply?
Does this tool constitute legal advice?
What are the penalties under the EU AI Act?
Does the Act cover general-purpose AI models?
You know your tier. Turn it into an audit-ready report.
The classifier tells you which articles apply. The compliance report turns that into a documented, cited assessment your auditors and counsel can work from, generated on demand and paid per report.