The EU AI Act regulates artificial intelligence using a risk-based pyramid. The obligations that apply to your system — and the penalties for getting them wrong — depend entirely on which tier it lands in. This classifier walks the public decision logic of the Act to triage your system into prohibited, high-risk, limited-risk, or minimal-risk.
Why the classification matters
The EU AI Act is the world’s first comprehensive legal framework for AI. It entered into force in August 2024 and applies in phases: prohibitions from February 2025, GPAI and governance rules from August 2025, and high-risk obligations from August 2026. Getting the tier wrong is not academic — penalties can reach EUR 35 million or 7% of global turnover for prohibited practices, EUR 15 million or 3% for other violations.
Even a “minimal-risk” determination is useful: it documents that you assessed the system and found no obligations, which is itself a reasonable compliance posture under a framework that will see enforcement ramp up.
How it works
The tool follows the same order of evaluation the Act uses:
1. Is it a prohibited practice (Article 5)? → PROHIBITED, stop.
2. Is it general-purpose AI? → GPAI rules also apply.
3. Is it a safety component of a regulated
product, or an Annex III use case posing
significant risk? → HIGH-RISK.
4. Does it interact with people, generate
media, or use emotion/biometric categorisation?→ LIMITED-RISK (transparency).
5. Otherwise → MINIMAL-RISK.
Prohibited beats everything; high-risk beats limited-risk; limited-risk beats minimal-risk. The classifier evaluates the gates top to bottom and reports the first tier that matches, plus the GPAI flag where relevant.
What each tier means in practice
Prohibited systems cannot be placed on the EU market at all — for example, social scoring by public bodies or real-time biometric identification in public spaces by law enforcement (with narrow exceptions).
High-risk is where compliance obligations are most demanding. Annex III lists eight domains that trigger high-risk status, including biometrics, critical infrastructure, education and vocational training, employment decisions, access to essential services, law enforcement, migration management, and administration of justice. If your system is safety-relevant within any EU product safety directive, that is also a high-risk path.
Limited-risk systems carry transparency duties only. A chatbot must tell users it is AI. Deepfake or AI-generated content must be labelled. These requirements took effect with the prohibited-practices date.
Minimal-risk — the vast majority of AI applications, such as content recommendation, spam filters, and most business analytics tools — face no mandatory obligations under the Act, though the Commission encourages voluntary codes of conduct.
Notes on general-purpose AI (GPAI)
GPT-style foundation models and other general-purpose AI have their own rules that layer on top of the use-case tiers. All GPAI providers must provide technical documentation and comply with copyright rules. Models above a certain compute threshold (currently defined as training above 10^25 FLOPs) face stricter systemic-risk obligations. The classifier flags this separately because a GPAI model may itself be minimal-risk while the application built on it is high-risk.
This tool is an educational triage; the binding classification rests on the final Regulation text and qualified legal review.