EU AI Act risk categories explained
- The Act has four risk tiers: unacceptable (banned), high, limited, and minimal.
- High-risk systems (largely Annex III) carry the heaviest obligations and are the focus of the Act.
- Limited-risk systems mainly face transparency duties; minimal-risk systems face none.
- Risk depends on the use case and context, so the same technology can sit in different tiers.
- Current as of June 2026. This is general information, not legal advice.
Unacceptable risk: banned outright
A small set of AI uses are prohibited because they pose a clear threat to people's rights. These include social scoring by public authorities, certain forms of subliminal or manipulative AI, exploitation of vulnerabilities of specific groups, and certain biometric practices. These prohibitions have applied since 2 February 2025. If your system falls here, the answer is not compliance but cessation.
High risk: strictly regulated
High-risk systems are permitted but carry the heaviest obligations. They are AI systems used in sensitive contexts, set out mainly in Annex III, such as:
- Employment, including CV screening and hiring tools.
- Access to essential services, including credit scoring.
- Biometric identification and categorisation.
- Education and vocational training.
- Critical infrastructure.
- Law enforcement, migration, and administration of justice.
Providers of high-risk systems must implement risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and a conformity assessment before placing the system on the market.
Limited risk: transparency duties
Some systems carry specific transparency obligations rather than the full high-risk regime. The main example is AI that interacts with people or generates content: users should be told when they are dealing with an AI system, and AI-generated or manipulated content should be labelled. Many chatbots and generative AI tools sit here.
Minimal risk: no specific obligations
The large majority of AI systems fall into minimal risk, such as spam filters, recommendation features, or AI in video games. The Act imposes no specific obligations on these, though voluntary codes of conduct are encouraged.
How to use the tiers
Classification is not always obvious, and the same underlying technology can be high risk in one use and minimal in another. The deciding factor is the use case and context, not the algorithm. The practical approach is to take each AI system you build or use, identify its purpose and context, and map it against the tiers, paying closest attention to the Annex III high-risk categories.
Key terms
- Unacceptable risk: AI uses banned outright by Article 5 because they threaten fundamental rights.
- High-risk AI: Systems used in sensitive contexts that carry the Act's heaviest obligations.
- Limited risk: Systems subject mainly to transparency duties, such as chatbots and generative AI.
- Minimal risk: Systems with no specific obligations under the Act, such as spam filters.
- Annex III: The Act's list of high-risk use cases, from hiring to credit to critical infrastructure.