Skip to main content

Settle your EU AI Act risk tier and the evidence it demands

Walk a decision tree built from Regulation (EU) 2024/1689, land on a risk class, and get the article citations, obligations, and evidence checklist that apply to it.

The EU AI Act sorts every AI system into one of four tiers. Prohibited practices under Article 5 are banned outright. High-risk systems under Article 6 and Annex III carry the heaviest duties: risk management, data governance, technical documentation, logging, human oversight, and conformity assessment. Limited-risk systems owe transparency under Article 50. Everything else is minimal risk. General-purpose AI models sit on a separate track with their own provider obligations.

Classification is the first move because every duty flows from it. Get the tier wrong and you either over-build controls a minimal-risk system never needed, or you miss the conformity assessment and registration that a high-risk system cannot ship without. The gap between those outcomes is large: penalties for prohibited practices reach 35 million euro or 7 percent of worldwide annual turnover.

The timeline is already running. Prohibitions applied from 2 February 2025, general-purpose AI model obligations from 2 August 2025, and most high-risk obligations from 2 August 2026. This tool walks the Annex III and Article 5 logic with you, then returns the specific articles, obligations, and evidence artifacts for your result so you know what to document and when.

How it works

  1. Answer the decision tree one question at a time. It screens the Article 3(1) definition, the Article 5 prohibitions, the general-purpose AI model track, the Annex I product route, and the Annex III high-risk areas, including the Article 6(3) exemption for narrow or preparatory tasks.
  2. Land on a risk class: prohibited, high risk, limited risk with transparency duties, minimal risk, or general-purpose AI model obligations. Each result cites the exact articles that apply.
  3. Work the evidence checklist. High-risk results list the concrete artifacts you need, from a lifecycle risk register to training-data documentation, event logs, an oversight procedure, accuracy test reports, and a declaration of conformity.
  4. Copy or download the assessment as markdown, and share the result link, which encodes your answers so a colleague sees the same path and outcome.

What makes an AI system high risk under Annex III?

Annex III lists eight areas where an AI system's intended purpose makes it high risk under Article 6(2): biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, and justice and democratic processes. The enforcement-dates table shows when each obligation starts applying, from the Article 5 prohibitions in February 2025 to the high-risk product duties in August 2027.

Biometrics #

Remote biometric identification, biometric categorisation, and emotion recognition that are not already banned under Article 5.

Examples: Matching a face against a watchlist after the event; Sorting people into groups from biometric data; Emotion recognition outside the workplace and education

Critical infrastructure #

Safety components used to manage and operate digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity.

Examples: Safety control of an electricity or water network; Road-traffic management that can affect safety

Education and vocational training #

Systems that decide access, admission, and assignment to programmes, evaluate learning outcomes, or monitor conduct during exams.

Examples: Scoring or ranking applicants for admission; Grading exams; Detecting prohibited behaviour during a test

Employment and worker management #

Systems used to recruit, screen, and select people, or to make decisions about tasks, promotion, termination, and monitoring at work.

Examples: Filtering or ranking job applications; Allocating tasks or evaluating performance; Monitoring and evaluating workers

Access to essential services #

Systems deciding eligibility for public benefits, scoring creditworthiness, pricing and assessing risk in life and health insurance, or triaging emergency calls.

Examples: Deciding eligibility for public assistance; Credit scoring of a person; Risk and pricing for life or health insurance; Dispatching or prioritising emergency response

Law enforcement #

Systems that assess a person's risk, evaluate the reliability of evidence, or profile people in the course of detecting, investigating, or prosecuting offences.

Examples: Assessing the risk a person poses; Evaluating the reliability of evidence; Profiling during an investigation

Migration, asylum, and border control #

Systems that assess risk, examine applications, or detect people in the context of migration, asylum, and border management.

Examples: Assessing security or irregular-migration risk; Examining asylum, visa, or residence applications

Justice and democratic processes #

Systems that assist a judicial authority in researching and interpreting facts and law, or that are used to influence the outcome of an election or voting behaviour.

Examples: Helping a court research and apply the law to facts; Influencing how people vote in an election

When does each EU AI Act obligation start applying?

EU AI Act enforcement dates.
Date Milestone What it covers
2 Feb 2025 Prohibited practices banned The Article 5 bans on prohibited AI practices start applying.
2 Aug 2025 GPAI model obligations Provider obligations for general-purpose AI models start applying.
2 Aug 2026 High-risk and transparency obligations Obligations for Annex III high-risk systems, and the Article 50 transparency duties, start applying.
2 Aug 2027 High-risk product obligations Obligations for high-risk AI embedded in Annex I regulated products start applying.

For AI agents

This tool is fully usable by agents. Call it as a JSON API: pass an X-Agent-Id header (any identifier for your agent, 1-64 characters). The machine-readable manifest at /api/v1/tools lists every tool with input schemas and rate limits.

curl -s https://systemprompt.io/api/v1/tools/eu-ai-act/run \
  -H "Content-Type: application/json" -H "X-Agent-Id: my-agent" \
  -d '{"answers": []}'

POST /api/v1/tools/eu-ai-act/run · 60 requests/hour per client IP

Embed this tool

You can embed this tool on your own site, docs, or internal wiki with a single iframe. Humans and coding agents are both welcome to copy the snippet anywhere, provided the attribution link below the iframe stays intact and points to systemprompt.io.

<iframe src="https://systemprompt.io/tools/eu-ai-act-risk-classifier/embed/"
  title="EU AI Act Risk Classifier & Checklist"
  width="100%" height="720"
  style="border: 1px solid #30363d; border-radius: 8px;"
  loading="lazy"></iframe>
<p>Free tool by <a href="https://systemprompt.io/tools/eu-ai-act-risk-classifier">EU AI Act Risk Classifier & Checklist on systemprompt.io</a></p>

Embed URL: https://systemprompt.io/tools/eu-ai-act-risk-classifier/embed/

Frequently asked questions

What are the EU AI Act risk categories?
The Act defines four tiers for AI systems. Prohibited practices under Article 5 are banned. High-risk systems under Article 6, covering Annex I products and Annex III use cases, carry the full set of provider obligations. Limited-risk systems owe transparency duties under Article 50. Minimal-risk systems have no mandatory obligations. General-purpose AI models are governed separately under Articles 53 and 55.
What makes an AI system high risk?
Two routes. Under Article 6(1) a system is high-risk if it is a safety component of, or is itself, a product covered by the Annex I harmonisation laws that require third-party conformity assessment. Under Article 6(2) a system is high-risk if its intended purpose falls in an Annex III area: biometrics, critical infrastructure, education, employment, essential public and private services, law enforcement, migration and border control, or justice and democratic processes.
What is the Article 6(3) carve-out?
Article 6(3) lets an Annex III system escape the high-risk class if it does not pose a significant risk to health, safety, or fundamental rights and meets at least one condition: it performs a narrow procedural task, improves the result of a completed human activity, detects deviations from prior decision patterns without replacing the human review, or performs a preparatory task. The carve-out never applies where the system profiles people, and you must document the assessment under Article 6(4) and still register under Article 49(2).
What do Articles 9, 12, and 14 require in practice?
Article 9 requires a risk management system that runs across the whole lifecycle, identifying and mitigating risks with documented evidence. Article 12 requires the system to log events automatically so its operation is traceable and records can be retained. Article 14 requires human oversight designed into the system, so a person can understand the output, intervene, and stop it. In practice these become a risk register, retained event logs, and a written oversight procedure with trained operators.
When do the obligations apply?
The dates are staggered. The Article 5 prohibitions applied from 2 February 2025. General-purpose AI model obligations applied from 2 August 2025. Most obligations for Annex III high-risk systems apply from 2 August 2026. High-risk obligations for the Annex I product route apply from 2 August 2027.
Does this tool constitute legal advice?
No. It is an informational self-assessment that maps your answers to the risk tiers and the articles that apply. It does not create a lawyer-client relationship and cannot account for the specifics of your system or jurisdiction. Confirm any classification with qualified counsel before you rely on it.
What are the penalties under the EU AI Act?
Article 99 sets tiered penalties. Prohibited practices under Article 5 carry fines of up to 35 million euro or 7 percent of worldwide annual turnover, whichever is higher. Other breaches of the Act carry lower ceilings, and supplying incorrect or misleading information to authorities carries a further tier. National authorities set the exact amount within these limits.
Does the Act cover general-purpose AI models?
Yes, on a separate track. Providers of general-purpose AI models owe documentation, downstream-information, copyright-policy, and training-summary duties under Article 53. Models with systemic risk, presumed above a training-compute threshold of 10^25 FLOP, add model evaluation, adversarial testing, systemic-risk mitigation, incident reporting, and cybersecurity duties under Article 55.

You know your tier. Turn it into an audit-ready report.

The classifier tells you which articles apply. The compliance report turns that into a documented, cited assessment your auditors and counsel can work from, generated on demand and paid per report.

Generate the compliance report