AI Governance & ComplianceDeep DiveFreshLast reviewed: · 45d ago

    EU AI Act Risk Categories: Unacceptable, High, Limited & Minimal Explained

    TL;DR

    Quick Answer
    Cited by AI
    The EU AI Act has 4 risk categories: Unacceptable (banned from Aug 2025), High (strict compliance), Limited (transparency only), and Minimal (no obligations).

    The EU AI Act classifies every AI system into one of four risk tiers — each with distinct obligations, prohibitions, or no requirements at all. Here is exactly how the classification works.

    The EU AI Act risk categories are a four-tier regulatory framework — Unacceptable, High, Limited, and Minimal — used to classify AI systems based on their potential harm to health, safety, and fundamental rights within the European Union.

    Eric Lundberg - Author at Alice Labs
    Written by
    Linus Ingemarsson - Reviewer at Alice Labs
    Reviewed by
    Published
    14 min read
    €35M

    Maximum fine for deploying prohibited AI systems under the EU AI Act

    Council of the European Union, May 2024

    4

    Risk tiers defined by the EU AI Act risk classification framework

    European Commission, AI Act, 2024

    Aug 2, 2025

    Date when Unacceptable Risk prohibitions became enforceable

    EUR-Lex, EU AI Act Official Text, 2024

    What you'll learn

    • The exact four risk categories defined by the EU AI Act and what separates them
    • Which AI practices are banned outright under the Unacceptable Risk category
    • What qualifies a system as High Risk and what compliance obligations follow
    • How Limited and Minimal risk tiers differ and what rules apply to each
    • How the European Commission's classification rules under Article 6 work in practice
    • What your organisation must do right now based on your AI system's risk tier

    Key Takeaways

    • The EU AI Act defines 4 risk tiers: Unacceptable Risk (prohibited), High Risk (strict obligations), Limited Risk (transparency rules), and Minimal Risk (no specific requirements).
    • 8 categories of Unacceptable Risk AI practices are banned outright from August 2, 2025, including social scoring by governments and real-time remote biometric identification in public spaces.
    • High Risk AI systems span 8 sectors listed in Annex III, including healthcare, employment, education, and critical infrastructure — each requiring conformity assessments before deployment.
    • Limited Risk systems such as chatbots and deepfakes must meet transparency obligations: users must be informed they are interacting with AI.
    • The European Commission published official classification guidelines in 2025 to help providers determine whether their system falls under Article 6 High Risk rules.
    • Non-compliance penalties reach up to €35 million or 7% of global annual turnover for violations involving prohibited AI practices.
    01 / 09Chapter

    Why the EU AI Act Uses a Risk-Based Approach

    In short

    The EU AI Act applies proportionate obligations based on the potential harm an AI system can cause — the higher the risk to people's rights or safety, the stricter the rules.

    The EU chose a risk-based regulatory model because AI systems vary enormously in their real-world impact. A spam filter is not comparable to an AI system making parole decisions — and the rules governing each should reflect that difference.

    The European Parliament's June 2023 briefing on the AI Act established the core principle: the classification system must balance innovation with the protection of fundamental rights. Proportionality is the governing logic.

    The AI Act entered into force on August 1, 2024, often described by Deloitte and other analysts as "the world's first comprehensive AI law." Its provisions roll in over a 24–36 month transition window — not all at once.

    Date Milestone
    August 1, 2024 AI Act enters into force
    February 2, 2025 General-Purpose AI (GPAI) rules apply; prohibited practices chapter in force
    August 2, 2025 Unacceptable Risk bans fully enforceable
    August 2, 2026 High Risk Annex III obligations apply (employment, healthcare, education, etc.)
    August 2, 2027 Full application including Annex I high-risk systems (product safety legislation)

    The four risk tiers — Unacceptable, High, Limited, and Minimal — form the spine of the entire regulatory framework. Each tier carries distinct obligations, from outright bans to no requirements at all.

    Global Reach

    The EU AI Act applies to any organisation placing AI systems on the EU market or using AI to affect EU residents — regardless of where the company is based. A US or Asia-headquartered company selling AI tools to European businesses must comply.

    Who Must Comply With the EU AI Act

    The Act defines four actor types, each with different obligations. Understanding which role your organisation holds is the first step to determining your compliance burden.

    • Providers (developers): Companies that develop and place AI systems on the market. They carry the heaviest burden — conformity assessments, CE marking, registration in the EU database, and post-market monitoring.
    • Deployers (users of AI): Businesses that use AI systems in their operations. Obligations include fundamental rights impact assessments for High Risk systems and maintaining human oversight.
    • Importers: Entities bringing AI systems from outside the EU into the EU market. They must verify that providers have met compliance requirements.
    • Distributors: Companies making AI systems available in the EU without substantial modification. They carry due-diligence obligations.

    A company headquartered in the US, Canada, or Asia that sells AI tools to European businesses or consumers still falls under the Act. The EU Commission's AI Act Service Desk launched in 2025 as a resource for organisations navigating compliance questions.

    For organisations already working through compliance requirements, our EU AI Act compliance checklist provides a step-by-step framework mapped to each risk tier.

    02 / 09Chapter

    Unacceptable Risk: AI Practices Banned Outright

    In short

    Unacceptable Risk AI practices are prohibited entirely under the EU AI Act — 8 categories of systems deemed so harmful to fundamental rights that no use case justifies them.

    Article 5 of the EU AI Act defines the prohibited AI practices. These 8 categories became enforceable on August 2, 2025, per the EUR-Lex official text. Deploying any of them after that date triggers the Act's harshest penalties.

    Enforcement Date: August 2, 2025

    All Unacceptable Risk prohibitions became enforceable on August 2, 2025. Organisations still operating prohibited AI systems after this date face fines up to €35 million or 7% of global turnover, whichever is higher.

    Prohibited Practice Example Enforcement Date
    Subliminal or manipulative techniques exploiting vulnerabilities AI targeting people with cognitive impairments using subconscious nudges August 2, 2025
    Government social scoring of citizens State systems ranking citizens based on behaviour or social conduct August 2, 2025
    Real-time remote biometric ID in public spaces (law enforcement) Live facial recognition on CCTV for policing (narrow exceptions apply) August 2, 2025
    Retrospective remote biometric identification using databases Post-event facial recognition sweeps across footage archives August 2, 2025
    Predictive policing based purely on profiling AI-only crime risk scores used to deploy police resources August 2, 2025
    Emotion recognition in workplaces and educational institutions Employee mood monitoring systems; student emotion tracking during exams August 2, 2025
    Biometric categorisation inferring sensitive attributes Systems inferring political views, religion, or sexual orientation from facial data August 2, 2025
    AI exploiting children or individuals with disabilities Manipulative dark patterns in apps targeting minors August 2, 2025

    Penalties for Unacceptable Risk violations are the highest in the Act: €35 million or 7% of global annual turnover, per the Council of the European Union's May 2024 press release.

    In our work across 100+ enterprise AI implementations at Alice Labs, social scoring concerns arise most frequently in public sector engagements, while biometric identification questions dominate HR-tech and retail security discussions.

    Narrow Exceptions to the Biometric Identification Ban

    The real-time remote biometric identification ban includes three tightly scoped law enforcement exceptions. These are not a general licence for surveillance — each requires prior authorisation from a judicial or independent administrative authority.

    • Missing persons and trafficking victims: Searching for missing persons or victims of human trafficking and sexual exploitation.
    • Imminent terrorist threats: Preventing a specific, credible, and imminent terrorist attack.
    • Serious criminal suspects: Locating or identifying suspects in criminal offences punishable by at least 3 years imprisonment under EU member state law.

    Each exception requires documented prior authorisation — except in cases of genuine urgency, where authorisation must be sought immediately after use. The bar is deliberately high to prevent mission creep.

    03 / 09Chapter

    High Risk AI Systems: Obligations and Annex III Categories

    In short

    High Risk AI systems face the Act's most comprehensive compliance requirements — conformity assessments, technical documentation, human oversight, and EU database registration — across 8 sectors defined in Annex III.

    High Risk status is determined by two routes under Article 6. First, AI systems embedded in products already regulated under EU product safety legislation (listed in Annex I — including machinery, medical devices, and aviation equipment). Second, standalone AI systems listed in Annex III across 8 critical sectors.

    The European Commission published official Article 6 classification guidelines in 2025 to help providers determine whether their system triggers High Risk obligations. These guidelines are particularly relevant for systems that might otherwise fall into grey areas.

    Sector Example Use Cases
    Biometric identification and categorisation Remote biometric verification systems (permitted use cases only)
    Critical infrastructure AI managing water, energy, transport, or digital infrastructure
    Education and vocational training AI determining access to education; automated grading systems
    Employment and worker management CV screening tools; performance monitoring; promotion decisions
    Access to essential private and public services Credit scoring; AI in social benefits decisions; health insurance underwriting
    Law enforcement Polygraph-equivalent tools; risk assessment for crime or reoffending
    Migration, asylum, and border control Automated visa processing; asylum application assessments
    Administration of justice and democratic processes AI assisting judicial decisions; AI used in elections

    What High Risk Compliance Requires

    Providers of High Risk AI systems must fulfil a detailed compliance package before placing their system on the EU market. Obligations apply from August 2, 2026 for Annex III systems.

    • Conformity assessment: Documented evidence that the system meets the Act's technical requirements — either self-assessment or third-party audit, depending on the use case.
    • Technical documentation: A comprehensive technical file covering system design, training data, accuracy metrics, and intended purpose.
    • Risk management system: An ongoing process identifying, analysing, and mitigating risks throughout the system's lifecycle.
    • Data governance: Training, validation, and test data must meet quality standards; bias evaluation is mandatory.
    • Transparency and instructions for use: Clear documentation for deployers on intended purpose, limitations, and human oversight requirements.
    • Human oversight measures: Technical features enabling human operators to monitor, intervene, and override system outputs.
    • Accuracy, robustness, and cybersecurity: Documented performance benchmarks and security measures.
    • EU database registration: High Risk systems must be registered in the European Commission's public AI database before deployment.
    • CE marking: Required for systems placed on the EU market.
    • Post-market monitoring: Ongoing data collection and reporting on system performance after deployment.

    Deployers (organisations using High Risk AI) also carry obligations — most significantly a Fundamental Rights Impact Assessment (FRIA) before deploying systems in sensitive contexts, and maintaining logs of system operation for accountability.

    Penalties for High Risk non-compliance reach €15 million or 3% of global annual turnover — lower than Unacceptable Risk penalties but still material for any organisation.

    Our EU AI Act compliance guide covers the full documentation and assessment process for High Risk system providers in detail.

    How Article 6 Classification Works in Practice

    Not every AI system used in one of the 8 Annex III sectors is automatically High Risk. Article 6(3) introduces a filtering mechanism — a system does not qualify as High Risk if it poses no significant risk of harm to people's health, safety, or fundamental rights, including by not materially influencing decision-making outcomes.

    The 2025 European Commission classification guidelines provide specific criteria for applying this filter. Providers must document their reasoning and retain that documentation as part of their technical file.

    • Decision influence test: Does the AI system materially influence decisions affecting individuals? If not, it may fall outside High Risk scope.
    • Ancillary function test: Is AI used only as a narrow tool within a broader human-led process, with no autonomous decisional role? This can reduce risk classification.
    • Harm probability and severity: Low-probability, low-severity risk profiles can support a non-High Risk classification even within Annex III sectors.

    At Alice Labs, our governance team applies these three filters as the starting point in every AI audit we conduct for enterprise clients operating in Annex III sectors. The documentation trail matters as much as the classification outcome itself.

    04 / 09Chapter

    Limited Risk: Transparency Obligations for Chatbots and Synthetic Content

    In short

    Limited Risk AI systems face one core obligation: transparency. Users must be told they are interacting with AI — this applies to chatbots, AI-generated images, and deepfakes.

    Limited Risk covers AI systems where the primary concern is not physical harm but deception — specifically, systems that interact with humans or generate content that could be mistaken for human-created work.

    The obligations are comparatively light but legally binding. Failure to disclose AI interaction or synthetic content can constitute a violation, even without any broader harm.

    System Type Obligation Who It Applies To
    Chatbots and conversational AI Inform users they are interacting with an AI system, not a human Deployers and providers
    AI-generated images, audio, and video (deepfakes) Clearly label content as artificially generated or manipulated Providers and deployers
    Emotion recognition systems (non-prohibited contexts) Inform individuals that their emotions are being recognised or inferred Deployers
    Biometric categorisation systems (permitted use) Disclose to individuals when biometric categorisation is being used Deployers

    The chatbot disclosure requirement is the most commercially significant. Any customer-facing AI assistant — whether deployed for customer service, sales, or support — must make its AI nature clear at the start of an interaction.

    Deepfake labelling applies to synthetic media used in commercial, political, or public contexts. Narrow exceptions exist for clearly artistic or satirical purposes, provided the AI-generated nature is still appropriately disclosed.

    Practical Compliance for Limited Risk Systems

    Limited Risk compliance is operationally straightforward for most organisations. The key requirements are disclosure by design — building transparency into the user interface and content workflow, not bolting it on after deployment.

    • Chatbot disclosure: Add a clear "You are speaking with an AI assistant" message at session start — not buried in terms and conditions.
    • Synthetic content labelling: Use machine-readable metadata (such as C2PA standards) alongside human-visible labels on AI-generated images and video.
    • Biometric disclosure: If using emotion recognition or biometric categorisation in permitted contexts, include real-time disclosure in the physical or digital environment.
    • Documentation: Maintain records demonstrating that disclosure mechanisms are implemented and functioning — relevant if a regulator requests evidence.

    Penalties for Limited Risk non-compliance are lower than for High Risk violations — up to €7.5 million or 1.5% of global annual turnover — but enforcement is expected to be active given the high volume of chatbot deployments across Europe.

    05 / 09Chapter

    Minimal Risk: No Specific EU AI Act Requirements

    In short

    Minimal Risk AI systems carry no mandatory obligations under the EU AI Act — the vast majority of AI applications fall into this tier, including spam filters, AI-powered games, and most recommendation systems.

    Most AI systems in commercial use today are Minimal Risk under the EU AI Act. The European Commission estimates that the overwhelming majority of AI applications — by volume — will sit in this category and face no specific regulatory requirements from the Act.

    "No mandatory requirements" does not mean "no governance." The Act encourages providers of Minimal Risk AI to voluntarily adopt codes of conduct — but this is optional, not enforceable.

    AI System Reason for Minimal Risk Classification
    Spam and content filters No significant impact on individual rights or safety decisions
    AI-powered video games and entertainment Recreational use; no consequential decision-making affecting individuals
    AI-driven inventory management Operational tool with no direct impact on individual rights
    Product recommendation engines (general retail) Low harm potential; no access to sensitive personal categories
    AI writing assistants (general purpose) No consequential decisions affecting health, safety, or rights
    Manufacturing quality control AI Operational safety tool; covered by product safety law, not AI Act directly

    One important nuance: a system classified as Minimal Risk today may require reclassification if its intended purpose changes. A recommendation engine used for general retail is Minimal Risk. The same technical system repurposed for insurance underwriting or credit decisions would trigger High Risk obligations under Annex III.

    This is why Alice Labs recommends all organisations building or deploying AI systems conduct a formal risk classification review — not just at launch, but whenever the system's use case, user base, or data inputs change materially.

    Voluntary Codes of Conduct for Minimal Risk AI

    The EU AI Act invites providers of Minimal Risk systems to adopt voluntary codes of conduct aligned with the Act's values. The European AI Office is expected to publish template codes through 2025–2026.

    Adopting a voluntary code serves two practical purposes beyond compliance: it demonstrates responsible AI governance to enterprise customers requiring supplier due diligence, and it future-proofs the organisation if the Commission later reclassifies certain AI categories.

    Ready to accelerate your AI journey?

    Book a free 30-minute consultation with our AI strategists.

    Book Consultation
    06 / 09Chapter

    General-Purpose AI Models: A Separate Obligation Layer

    In short

    General-Purpose AI (GPAI) models — including large language models like GPT-4 and Claude — face their own obligations under the EU AI Act, separate from the four risk tier classification, effective from February 2, 2025.

    The EU AI Act introduced a dedicated framework for General-Purpose AI models in Title VIII. GPAI models are AI systems trained on broad data that can perform a wide range of tasks — the category includes foundation models and large language models used across Europe.

    GPAI obligations apply to providers of these models, not their downstream deployers. The rules became effective February 2, 2025.

    GPAI Category Threshold Key Obligations
    Standard GPAI models All GPAI models placed on EU market Technical documentation; copyright compliance summary; transparency to downstream providers
    GPAI models with systemic risk Training compute exceeding 10²⁵ FLOPs, or designated by European Commission All standard obligations plus: adversarial testing (red teaming); incident reporting to European AI Office; cybersecurity measures; energy efficiency reporting

    The systemic risk tier is designed for frontier models — the most capable and potentially impactful AI systems. At the 10²⁵ FLOPs training compute threshold, this currently captures a small number of the largest foundation models globally.

    GPAI classification runs parallel to the risk tier system. A GPAI model integrated into a High Risk AI application triggers both sets of obligations — GPAI rules for the model provider, and High Risk rules for the system integrator or deployer.

    Implications for Organisations Using GPAI APIs

    If your organisation builds applications on top of GPAI APIs (such as OpenAI, Anthropic, or open-source foundation models), you are a downstream deployer — not a GPAI provider. Your obligations depend on how you use the model, not the model's own GPAI classification.

    However, you must ensure the GPAI provider you use has met their documentation and transparency obligations. This is becoming a standard element of enterprise AI procurement due diligence — something we cover in depth in our enterprise AI strategy framework.

    07 / 09Chapter

    How to Classify Your AI System: A Practical Decision Process

    In short

    Classifying an AI system under the EU AI Act requires a structured four-step process: check for prohibited use cases, test against Annex I and Annex III, apply Article 6 filtering, then confirm Limited Risk transparency obligations.

    The EU AI Act does not provide a single classification lookup table. Instead, providers and deployers must work through a sequential logic process. The European Commission's 2025 classification guidelines formalise this into a structured decision pathway.

    At Alice Labs, our governance team uses the following four-step process as the starting point for every EU AI Act risk assessment across our enterprise implementations.

    1. Step 1 — Screen for Unacceptable Risk (Article 5): Does the system engage in any of the 8 prohibited practices? If yes, the system cannot be deployed in the EU. Full stop. No exemptions except the narrow biometric identification exceptions for law enforcement.
    2. Step 2 — Test for Annex I High Risk (product safety): Is the AI system a safety component of, or itself, a product covered by existing EU product safety legislation (Annex I)? If yes, High Risk obligations apply from August 2027.
    3. Step 3 — Test for Annex III High Risk (standalone AI): Does the system fall within one of the 8 Annex III sectors? If yes, apply the Article 6(3) filter — does it materially influence consequential decisions affecting individuals? If the answer is yes after filtering, High Risk obligations apply from August 2026.
    4. Step 4 — Check Limited Risk transparency obligations: Is the system a chatbot, emotion recognition tool, biometric categorisation system, or does it generate synthetic content? If yes, transparency obligations apply regardless of risk tier.

    Systems that clear all four steps without triggering any obligations are Minimal Risk. No further action is required under the Act — though voluntary code adoption is encouraged.

    Document Everything

    Even where a system classifies as Minimal Risk, retain the written rationale for that classification. Regulators may request evidence of a classification decision, and documented reasoning is far stronger than a verbal assessment.

    When to Reclassify an Existing AI System

    Classification is not a one-time event. The EU AI Act's obligations follow the system's actual use — not its original design intent. Three scenarios typically trigger a reclassification review.

    • Change in intended purpose: Repurposing a Minimal Risk system for an Annex III use case — e.g., adapting a general recommendation engine for credit decisions.
    • New user population: Extending a B2B tool to direct consumer use, particularly involving vulnerable groups.
    • Regulatory reclassification: The European Commission has the power to update Annex III categories via delegated acts — organisations should monitor these updates annually.

    Our full step-by-step compliance process — including documentation templates and conformity assessment checklists — is available in our EU AI Act compliance checklist for 2026.

    08 / 09Chapter

    EU AI Act Penalties: What Non-Compliance Costs

    In short

    EU AI Act penalties are tiered by violation severity: up to €35 million or 7% of global turnover for prohibited AI, €15 million or 3% for High Risk violations, and €7.5 million or 1.5% for Limited Risk failures.

    The EU AI Act's penalty structure is deliberately asymmetric — the most severe fines are reserved for the most harmful practices. Understanding the penalty tiers helps compliance teams prioritise remediation work.

    Violation Category Maximum Fine Alternative (if higher)
    Unacceptable Risk — deploying prohibited AI (Article 5) €35,000,000 7% of global annual turnover
    High Risk — non-compliance with provider obligations €15,000,000 3% of global annual turnover
    Limited Risk — transparency obligation failures €7,500,000 1.5% of global annual turnover
    Providing incorrect or misleading information to authorities €7,500,000 1.5% of global annual turnover
    SME/startup — all violation types Lower of the above caps SMEs and startups benefit from proportionate caps to avoid disproportionate impact

    The "whichever is higher" rule means that for large global technology companies, the turnover-based calculation will typically exceed the absolute euro cap. A company with €10 billion in global turnover faces a €700 million exposure for the most serious violations — not €35 million.

    Enforcement authority sits primarily with national market surveillance authorities in each EU member state. The European AI Office has oversight authority for GPAI model providers and for cross-border infringements. Coordinated enforcement is expected to intensify from 2026 onward as High Risk obligations come into full effect.

    Enforcement Realities: What to Expect

    Full enforcement of High Risk obligations begins in August 2026 — giving organisations a defined runway to complete conformity assessments and documentation. However, Unacceptable Risk violations have been enforceable since August 2, 2025. Regulators have already signalled that early enforcement actions are likely to focus on the most egregious prohibited practices.

    National authorities are building enforcement capacity. Germany's Federal Network Agency, France's CNIL, and the Dutch ACM have all indicated active monitoring of AI deployments within their jurisdictions. The UK's equivalent framework is developing separately post-Brexit, but many principles align.

    For organisations assessing their EU AI Act compliance readiness, our broader AI governance guide covers the governance infrastructure — policies, oversight committees, and audit processes — that compliance programmes depend on.

    09 / 09Chapter

    Frequently Asked Questions: EU AI Act Risk Categories

    In short

    Answers to the most common questions about EU AI Act risk classification, from how to determine your category to what obligations apply to each tier.

    What are the 4 risk categories in the EU AI Act?

    The EU AI Act defines four risk categories: Unacceptable Risk (8 prohibited AI practices, banned from August 2, 2025), High Risk (strict compliance obligations across 8 Annex III sectors, applying from August 2026), Limited Risk (transparency obligations for chatbots and synthetic content), and Minimal Risk (no mandatory requirements under the Act).

    What counts as Unacceptable Risk under the EU AI Act?

    Unacceptable Risk covers 8 specific practices defined in Article 5 of the EU AI Act. These include government social scoring of citizens, real-time biometric identification by law enforcement in public spaces (with narrow exceptions), subliminal manipulation of individuals, emotion recognition in workplaces and schools, and AI systems exploiting children or persons with disabilities.

    Which sectors trigger High Risk AI classification?

    Annex III of the EU AI Act lists 8 sectors: biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential services (credit, benefits, insurance), law enforcement, migration and border control, and administration of justice and democratic processes. Systems in these sectors may qualify as High Risk depending on the Article 6(3) classification filter.

    Do chatbots need to comply with the EU AI Act?

    Yes. Chatbots fall under Limited Risk and must disclose to users that they are interacting with an AI system — not a human. This disclosure must be made at the start of the interaction, in a clear and accessible format. The obligation applies to deployers operating chatbots in the EU, regardless of where the underlying AI system was developed.

    When do High Risk AI obligations apply?

    High Risk obligations for Annex III systems apply from August 2, 2026. High Risk systems embedded in products covered by Annex I product safety legislation have until August 2, 2027. Providers should begin conformity assessments and technical documentation immediately — the 12–24 months of preparation time is necessary given the scope of required work.

    Does the EU AI Act apply to companies outside the EU?

    Yes. The EU AI Act has extra-territorial reach. Any company placing an AI system on the EU market or using AI to affect EU residents is subject to the Act — regardless of where the company is headquartered. This is sometimes called the "Brussels Effect" in AI regulation, similar to how GDPR applies globally to companies processing EU personal data.

    What are examples of Minimal Risk AI systems?

    Minimal Risk covers AI systems with no significant harm potential — including spam filters, AI-powered games, general product recommendation engines, AI writing assistants, and manufacturing quality control tools. The European Commission estimates the vast majority of commercial AI applications by volume fall into this category. No mandatory obligations apply, though voluntary codes of conduct are encouraged.

    What is the penalty for deploying prohibited AI in the EU?

    The maximum penalty for deploying Unacceptable Risk (prohibited) AI systems is €35 million or 7% of global annual turnover, whichever is higher — per the Council of the European Union's May 2024 official text. For large global companies, the 7% turnover calculation will typically produce a higher fine than the absolute euro cap.

    How do I determine which risk category my AI system belongs to?

    Work through a four-step process: (1) check whether the system engages in any Article 5 prohibited practices; (2) test for Annex I product safety integration; (3) test for Annex III sector membership and apply the Article 6(3) materiality filter; (4) check Limited Risk transparency obligations. The European Commission's 2025 classification guidelines provide detailed criteria for each step. Document your reasoning at each stage.

    About the Authors & Reviewers

    Published
    Written by
    Eric Lundberg - Co-Founder, Alice Labs at Alice Labs
    Eric Lundberg

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.

    • AI automation & agent systems lead
    • Workflow design across 100+ deployments
    • Specialist in RAG, integrations & APIs
    Reviewed by
    Linus Ingemarsson - Co-Founder, Alice Labs at Alice Labs
    Linus Ingemarsson

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.

    • 8+ years in AI strategy & implementation
    • Top-5 AI Speaker, Sweden (Mindley 2025)
    • 100+ enterprise AI engagements
    Published
    Reviewed for technical accuracy, methodology and source integrity.·All claims trace to public sources cited in-line.

    Frequently Asked Questions

    What are the 4 risk categories in the EU AI Act?

    The EU AI Act defines four risk categories: Unacceptable Risk (8 prohibited practices, banned from August 2, 2025), High Risk (strict compliance across 8 Annex III sectors from August 2026), Limited Risk (transparency obligations for chatbots and synthetic content), and Minimal Risk (no mandatory requirements).

    What counts as Unacceptable Risk under the EU AI Act?

    Unacceptable Risk covers 8 specific practices in Article 5: government social scoring, real-time biometric ID by law enforcement in public (with narrow exceptions), subliminal manipulation, predictive policing by profiling, emotion recognition in workplaces and schools, biometric categorisation inferring sensitive attributes, and AI exploiting children or disabled persons.

    Which sectors trigger High Risk AI classification?

    Annex III lists 8 High Risk sectors: biometric identification, critical infrastructure, education, employment and worker management, access to essential services (credit, benefits, insurance), law enforcement, migration and border control, and administration of justice. Classification depends on applying the Article 6(3) filter to determine whether the system materially influences consequential decisions.

    Do chatbots need to comply with the EU AI Act?

    Yes. Chatbots are Limited Risk and must disclose to users at the start of each interaction that they are speaking with an AI system. The obligation applies to EU-market deployers regardless of where the underlying AI was developed. Failure to disclose can result in fines up to €7.5 million or 1.5% of global turnover.

    When do High Risk AI obligations apply?

    High Risk obligations for Annex III systems apply from August 2, 2026. Annex I product safety-integrated systems have until August 2, 2027. Providers should start conformity assessments and technical documentation immediately — preparation requires 12–24 months given the documentation and audit requirements.

    Does the EU AI Act apply to companies outside the EU?

    Yes. The EU AI Act applies to any company placing AI on the EU market or using AI affecting EU residents, regardless of headquarters location. A US, Canadian, or Asian company selling AI tools to European businesses must comply — mirroring how GDPR applies globally to companies processing EU personal data.

    What is the penalty for deploying prohibited AI in the EU?

    The maximum penalty for deploying Unacceptable Risk AI is €35 million or 7% of global annual turnover, whichever is higher (Council of the EU, May 2024). For large global companies, 7% of turnover will typically exceed the absolute euro cap significantly.

    How do I determine which risk category my AI system belongs to?

    Use a four-step process: (1) screen for Article 5 prohibited practices; (2) test for Annex I product safety integration; (3) test for Annex III sectors and apply the Article 6(3) materiality filter; (4) check Limited Risk transparency obligations. Document your reasoning at each step using the European Commission's 2025 classification guidelines.

    Previous in AI Governance & Compliance

    EU AI Act Timeline 2026: Key Deadlines & Compliance Dates

    Next in AI Governance & Compliance

    EU AI Act Compliance Guide: Step-by-Step for Enterprises

    Further reading

    Related services

    Related reading

    Sources

    1. Council of the European Union — AI Act Final Approval“EU AI Act final approval; penalty figures of €35M or 7% global turnover confirmed”
    2. EUR-Lex — Rules for Trustworthy AI in the EU (Regulation EU 2024/1689)“Official text of EU AI Act; enforcement dates, Article 5 prohibited practices, Annex III sectors”
    3. European Commission — Digital Strategy, AI Regulatory Framework“Risk-based classification framework; four tier structure; GPAI obligations”
    4. European Parliament Briefing — EU AI Act“Classification system established to balance innovation with protection of fundamental rights”

    Next scheduled review:

    Ready to accelerate your AI journey?

    Book a free 30-minute consultation with our AI strategists.

    Book Consultation
    Share

    Get in Touch!

    The lab usually responds within 24 hours.

    Need help with AI?Get in touch