Understanding risk-based AI regulation: what it means for your organization
The EU AI Act is built around a tiered risk classification framework. Rather than imposing uniform obligations on all AI systems, it calibrates requirements to the level of risk a system poses to health, safety, fundamental rights, and democracy. Understanding this framework is essential for compliance planning.
The four risk tiers
Unacceptable risk (prohibited). A narrow set of AI practices is banned outright. These include AI systems that manipulate people through subliminal techniques, exploit the vulnerabilities of specific groups, or enable general-purpose social scoring by public authorities, as well as — with limited exceptions — real-time biometric identification in public spaces by law enforcement. If your organization uses any system that could fall into this category, immediate review is required.
High risk. This is where the most substantive compliance obligations arise. High-risk AI systems are defined either by their use in specified sectors (critical infrastructure, education, employment, essential services, law enforcement, migration, justice, democratic processes) or by their use as safety components in regulated products. High-risk systems must meet requirements covering risk management, data governance, technical documentation, transparency, human oversight, accuracy, and robustness — before they are placed on the market or put into service.
Limited risk. Systems in this tier face primarily transparency obligations. Chatbots must inform users they are interacting with AI. Deepfakes and AI-generated content must be labelled as such. The obligations are targeted and relatively straightforward to implement.
Minimal risk. The majority of AI applications — spam filters, recommendation engines, AI-assisted productivity tools — fall here. There are no specific regulatory obligations under the Act, though voluntary codes of conduct are encouraged.
Classification in practice
Classification is not always straightforward. The same underlying model can fall into different risk tiers depending on how it is deployed and in what context. An AI system used for routine administrative tasks may be minimal risk; the same system used to evaluate employee performance or inform access to public benefits becomes high risk.
Organizations need to assess each deployment context — not just the technology itself. The provider-deployer distinction also matters: obligations differ depending on whether you are building the AI system, purchasing it, or deploying it for a specific use case.
Starting your compliance planning
For most organizations, the practical starting point is a classification exercise: systematically reviewing each AI system in use against the criteria in the Act. This produces a prioritized list — high-risk systems requiring immediate governance attention, followed by limited-risk systems requiring transparency measures, and finally a monitored inventory of minimal-risk tools.
Classification is not a one-time activity. As systems evolve and use cases change, classification must be revisited.
Assess your organization's AI governance maturity
Use the LuxPerfIT AI Governance Assessment to obtain an indicative view of your organization's AI governance maturity.