ModelCharter
ModelCharter Team

EU AI Act Risk Categories Explained

European Union flags outside the European Commission, representing EU AI Act risk categories

Photo: Guillaume Périgois / Pexels

Key takeaways

  • The EU AI Act sorts AI systems into four tiers: unacceptable, high, limited and minimal risk.
  • Unacceptable-risk systems, like social scoring, are banned outright, not merely regulated.
  • Most small business AI use, chatbots and drafting tools, sits in the limited or minimal tier.
  • High-risk obligations apply mainly to AI used in employment, credit, and other decisions affecting people's rights.
  • Getting your tier right first means you're not over-complying with rules that don't actually apply to you.

The EU AI Act doesn't treat all AI systems the same way, and understanding which of its four risk tiers applies to your use case is the single most useful thing to establish before worrying about compliance detail. Get the tier wrong and you'll either build an unnecessarily heavy compliance programme for a low-risk chatbot, or miss a genuine obligation because you assumed a limited-risk exemption that doesn't actually apply. This guide breaks down what each tier means in practice, using the official EU digital strategy framework as the reference point.

Unacceptable risk: banned outright

At the top of the pyramid sit AI practices the Act prohibits entirely, not regulates: social scoring by governments, real-time biometric identification in public spaces with narrow exceptions, and AI designed to manipulate people in ways that cause harm. This tier is unlikely to touch an ordinary small business, since these are practices, not product categories, and most commercial AI tools were never built to do any of them. If you're not sure your use case is close to this line, it almost certainly isn't.

High risk: obligations apply from 2 August 2026

High-risk systems are those used in contexts that materially affect people's rights or safety: employment decisions (screening or scoring candidates), credit and insurance decisions, education access, and certain biometric or critical-infrastructure uses. For providers, obligations include a risk-management system, data governance, technical documentation and human oversight. Deployers using someone else's high-risk system carry lighter but real duties: use in line with the provider's instructions, human oversight, and monitoring for incidents. These obligations become binding on 2 August 2026, and if any AI tool your business uses screens job applicants or scores creditworthiness, this is the tier to check first.

Limited risk: transparency is the whole obligation

This is where most customer-facing chatbots, AI-generated content and many productivity tools sit. The obligation here is narrower and more manageable: transparency. People need to know they're interacting with an AI system or seeing AI-generated content, under the Article 4 transparency provisions. For most small businesses, this means a clear disclosure on a chatbot or a note that marketing content was AI-assisted, not a full risk-management system.

Minimal risk: the tier most business AI actually falls into

Spam filters, AI-powered spreadsheet features, and most internal drafting or summarisation tools sit in the minimal-risk tier, with no binding obligations under the Act beyond the general AI-literacy duty that already applies to every organisation under Article 4. If your team uses AI mainly to draft emails, summarise meeting notes or generate first-draft copy, this is very likely where you sit, and the compliance burden is genuinely light: staff awareness, not a formal risk programme.

Why the tier matters more than the tool

The same underlying technology, a large language model, can sit in different tiers depending entirely on how it's used. A chatbot answering customer questions is limited risk. The same model used to screen job applicants and rank them is high risk. This is the detail that trips people up: the risk category attaches to the use case, not the AI product itself, which means a single vendor's tool might be minimal risk in one department and high risk in another, depending on what it's actually deciding.

A worked example

A recruitment agency using an AI writing assistant to draft candidate outreach emails sits comfortably in limited or minimal risk; that's a communication tool, not a decision-making one. The same agency using an AI tool to automatically rank and shortlist candidates based on their CVs is now in high-risk territory, because that output materially affects someone's access to employment. Two AI tools, same company, two very different obligation levels, and the difference is entirely about what the output does, not which vendor built it.

Getting your tier right first

Before building any EU AI Act compliance programme, map your actual AI use cases against these four tiers rather than assuming the highest or lowest applies uniformly. Our EU AI Act guide walks through this mapping in more detail, and our AI usage policy generator can help document which tier each approved tool sits in as part of your policy, so the classification isn't something you have to redo from scratch every time a new tool is added.

What happens if you get the classification wrong?

Under-classifying a genuinely high-risk use case, treating candidate screening as a routine drafting tool, for instance, is the mistake with real consequences: missing the risk-management, documentation and human-oversight obligations that become binding from 2 August 2026. Over-classifying is a smaller but still real cost: building a full risk-management system for a customer chatbot that only needed a transparency notice wastes budget and slows adoption for no regulatory benefit. Getting the tier right first, before building any process around it, avoids both failure modes.

A quick self-check for your own AI tools

Ask, for each AI tool your team uses, one question: does its output materially affect a specific person's access to something, a job, credit, insurance, education, on its own or with only light human review? If yes, treat it as a high-risk candidate and investigate further using our EU AI Act guide. If the tool only drafts, summarises or assists a human who makes the actual decision independently, it's very likely limited or minimal risk, and your main obligation is transparency and the general AI-literacy duty rather than a full risk-management programme.

How the tiers interact with deployer versus provider status

Risk tier and legal role are two separate questions that get conflated often. A business can be a deployer of a high-risk system, meaning someone else built it and you're using it as instructed, and still carry real obligations: human oversight, using it strictly according to the provider's instructions, and monitoring for and reporting incidents. Most small businesses using third-party AI hiring or credit-scoring tools are deployers, not providers, which means the heavier documentation burden (technical documentation, a full risk-management system) sits with the vendor. Your obligation is narrower but still genuine, and it's worth confirming your vendor has actually done their side of this before assuming their tool's high-risk classification is entirely their problem to solve.

Where to find the authoritative source, not a summary of a summary

Given how much secondary commentary exists on the EU AI Act, much of it inconsistent in how it describes the tiers, it's worth going back to the European Commission's own regulatory framework page whenever a specific classification question matters for a real business decision. Blog posts, including this one, are useful for building intuition and a working mental model, but for anything with real obligations attached, the primary source is where a genuinely accurate answer lives, and it's free to read.

A final word on getting the classification wrong honestly

If you've read this far and genuinely aren't sure which tier a specific AI use case falls into, that uncertainty is itself useful information, worth resolving before you scale that use case further, not a reason to guess and move on. Ambiguous cases, an AI tool that assists a human decision but with output weighted heavily enough to functionally drive it, are exactly where getting professional legal advice pays for itself, and where a short paid consultation is cheaper than either an unnecessary compliance programme or a genuine regulatory gap.

TierExampleMain obligation
UnacceptableGovernment social scoringBanned outright
High riskAI screening job candidates or credit applicationsRisk management, documentation, human oversight (from 2 Aug 2026)
Limited riskCustomer-facing chatbotTransparency: disclose AI involvement
Minimal riskAI drafting/summarisation toolsGeneral AI-literacy duty only
EU AI Act risk tiers at a glance
The AI Act follows a risk-based approach: the higher the risk of causing harm, the stricter the rules.
European Commission, Regulatory Framework for AI

Frequently asked questions

Which EU AI Act risk tier applies to a customer support chatbot?
Usually limited risk, meaning the main obligation is transparency: telling users they're interacting with an AI system.
When do high-risk AI obligations under the EU AI Act apply?
From 2 August 2026 for the core provider and deployer obligations, covering systems used in employment, credit and similar rights-affecting decisions.
Can the same AI tool be different risk tiers for different uses?
Yes. The tier attaches to the use case, not the underlying technology, so the same model can be minimal risk for drafting and high risk for candidate screening.
Does the EU AI Act apply to a business outside the EU?
It can, if your AI systems affect people in the EU or your output reaches EU users, regardless of where your company is headquartered.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator