Risk classification is the foundation of EU AI Act compliance. Get it wrong and you either over-invest in obligations that don’t apply, or — more dangerously — you underestimate your exposure and face enforcement action after August 2, 2026. This guide explains the four-tier framework, what Annex III actually covers, and the classification mistakes companies make most often.

The Four Risk Tiers

The EU AI Act organizes AI systems into four categories based on the potential harm they can cause. The tier a system lands in determines its compliance obligations.

Tier 1: Unacceptable Risk (Prohibited)

These systems are banned outright. They include:

  • AI that manipulates people through subliminal techniques or exploits vulnerabilities (age, disability, social situation) to influence behavior in ways that damage their interests
  • Social scoring systems operated by public authorities that rate citizens based on behavior and restrict their access to services or opportunities
  • Real-time remote biometric identification in public spaces for law enforcement purposes, with narrow exceptions
  • AI systems that infer emotions in workplace or educational settings (with limited exceptions for medical or safety purposes)
  • Predictive policing tools that target individuals based on profiling alone

If your organization operates any of these systems, the prohibition has been in effect since February 2025. Continued operation carries the highest penalty tier.

Tier 2: High-Risk AI Systems

This is the category that creates the most compliance work for mid-market companies. High-risk systems must meet extensive requirements before deployment and throughout their operational life. The full list of high-risk categories is defined in Annex III (covered in detail below).

Obligations for high-risk systems include: maintaining technical documentation, registering in the EU database, enabling human oversight, ensuring system robustness and accuracy, and conducting ongoing post-market monitoring.

Tier 3: Limited Risk

These systems carry transparency obligations only. If an AI system interacts with humans (chatbots, virtual assistants), generates synthetic content, or makes recommendations, users must be informed that they are dealing with AI. Deepfake content must be labeled as AI-generated.

The compliance burden here is relatively light — it is primarily about disclosure, not documentation or conformity assessment.

Tier 4: Minimal Risk

Most AI systems fall here. Spam filters, product recommendation engines, inventory forecasting tools, and similar applications have no specific obligations under the Act beyond what other applicable laws (GDPR, sector regulations) already require.

Annex III: The High-Risk System Categories

Annex III is the definitive list of high-risk AI applications. Understanding what is on this list — and what is not — is the most consequential compliance decision your organization will make.

Biometric Systems

Biometric categorization systems that classify individuals based on biometric data to infer sensitive attributes (race, political opinion, religion, health status, sexual orientation) are high-risk. Remote biometric identification systems used for purposes other than real-time law enforcement identification are also high-risk.

Practical examples: employee attendance systems using facial recognition, visitor management systems with biometric verification, identity verification in onboarding workflows.

Critical Infrastructure

AI systems used as safety components in critical infrastructure — energy networks, water systems, digital infrastructure, transport — are high-risk. Note that “safety component” is the key qualifier. An AI that optimizes energy consumption is not the same as an AI that controls protective systems.

Education and Vocational Training

AI that determines access to educational institutions, assesses students, evaluates learning outcomes, or monitors prohibited behavior during tests is high-risk. This catches a broader range of edtech tools than many organizations expect.

Employment and HR

This is the category most relevant to mid-market companies. High-risk systems include:

  • Recruitment tools that screen or filter job applications — including resume parsers and applicant ranking systems
  • Tools used in hiring decisions, including those that analyze video interviews
  • Systems that monitor employee performance in ways that influence promotion, demotion, or termination
  • Workforce management tools that allocate tasks based on individual behavior assessment

If your HR software uses AI to rank candidates, flag performance issues, or generate performance ratings, it is very likely operating as a high-risk system under Annex III — regardless of whether the AI functionality is a primary or secondary feature.

Access to Essential Private and Public Services

AI used by financial institutions to assess creditworthiness, determine loan eligibility, or set insurance premiums based on individual risk profiling is high-risk. AI that determines eligibility for public benefits or services also falls here.

Law Enforcement

AI systems used by law enforcement for risk assessment, polygraph-like tools, crime analytics that profile individuals, and evidence reliability assessment are high-risk. This category primarily affects public sector and defense organizations.

Migration and Border Control

Risk assessment of individuals crossing borders, document authenticity verification, and asylum claim processing tools are high-risk.

Administration of Justice

AI used to assist courts in researching facts or law, or in applying law to concrete facts, is high-risk.

How to Determine Your System’s Classification

Work through these questions in order:

1. Is the system AI at all? The EU AI Act defines AI systems as machine-based systems that operate with varying levels of autonomy and produce outputs (predictions, recommendations, decisions, content) that influence real or virtual environments. Simple rule-based software that has no learning component may not meet the definition.

2. Does it match a prohibited use case? Check the Tier 1 list. If yes, it should not be in operation.

3. Does it match an Annex III category? Review each category against the system’s actual function — not its marketing description. Consider both primary and secondary functions.

4. If high-risk: are you the provider or deployer? Providers (those who develop or place systems on the market) and deployers (those who use systems for their own purposes) have different but overlapping obligations. Understanding your role determines which specific requirements apply to you.

5. If not high-risk: do transparency obligations apply? Does the system interact with humans in ways that could create confusion about whether they are engaging with AI or a human?

Common Misclassifications

Underclassifying HR AI tools: The most frequent mistake. Companies assume that because their HR software is a third-party product, classification is the vendor’s problem. Deployers have independent classification and compliance obligations.

Overlooking embedded AI: Many enterprise software platforms have embedded AI features that activate automatically. A workflow management tool with an AI-powered task assignment algorithm may be operating as a high-risk system without the deploying company having explicitly chosen to use AI.

Treating “limited use” as “limited risk”: A system used infrequently is not necessarily lower-risk. The risk classification is based on the type of decision the system influences, not the frequency of use.

Assuming general-purpose AI is minimal risk: Large language models or foundation models integrated into business processes can inherit high-risk classification from the application context. An LLM used to generate credit assessments is high-risk regardless of the underlying model’s general-purpose nature.

Misreading the “safety component” qualifier: Not every AI deployed in critical infrastructure is automatically high-risk. The system must function as a safety component — one whose failure could endanger lives or cause significant harm. Analytical and optimization tools in the same environment may be classified differently.

Classification Is Not Static

System classification should be reviewed when:

  • The system’s functionality changes (through model updates, new training data, or new use cases)
  • The context of deployment changes (a tool adopted for one department is rolled out to HR)
  • Annex III is updated through implementing acts from the European Commission

The EU AI Act includes a mechanism for the Commission to amend Annex III as AI technology evolves. Compliance is not a one-time classification exercise — it requires periodic review.

For a detailed look at what documentation high-risk systems require, see our Annex IV documentation checklist. For context on the August 2026 enforcement timeline and penalties for misclassification, see our EU AI Act deadline guide.
Unsure how your AI systems classify? The Aikraft Risk Quiz walks through your systems’ functions and deployment context to give you a preliminary classification — in about 10 minutes, without legal jargon.