Quick answer: The EU AI Act sorts AI systems into four risk tiers. Prohibited (banned since 2 February 2025): social scoring, workplace emotion recognition, manipulative systems. High-risk: AI in hiring, credit, education, essential services — heavy obligations, now applying by 2 December 2027 for Annex III systems after the Omnibus deferral. Limited risk: chatbots and AI-generated content, which need transparency disclosures from 2 August 2026. Minimal risk: everything else — spam filters, grammar checkers — with no specific obligations. Your compliance burden depends entirely on which tier each of your systems lands in, so classification is step one.
Risk classification sounds like lawyer work. It isn't, mostly. For the average SMB toolset, you can classify 90% of systems in an afternoon once you understand the tiers. Here's each one with examples that actually look like your business.
Why Classification Comes First
Every obligation in the AI Act hangs off the risk tier. Classify wrong in one direction and you do expensive, unnecessary compliance work. Classify wrong in the other direction and you're exposed to fines of up to €35m or 7% of global turnover (for prohibited practices) or €15m or 3% (for most other violations).
Tier 1: Prohibited AI Practices (Banned Since 2 February 2025)
- Social scoring of people by general behavior or characteristics
- Emotion recognition in workplaces and schools (narrow medical/safety exceptions)
- Untargeted facial-image scraping to build recognition databases
- Manipulative or exploitative techniques that materially distort behavior and cause significant harm
- Biometric categorization to infer race, political opinions, sexual orientation, and other sensitive traits
Where SMEs actually hit this tier: not in mad-scientist projects — in feature checkboxes. A call-center analytics suite that scores agent "sentiment and engagement." An exam-proctoring tool that flags "emotional stress." If a vendor pitch includes reading employees' emotional states, that feature is likely an Article 5 problem in the EU.
Tier 2: High-Risk AI Systems
High-risk systems are legal but heavily regulated. They come in two flavors: Annex III (standalone, obligations by 2 December 2027) and Annex I (embedded in regulated products, obligations by 2 August 2028).
Annex III examples that look like an SMB
| Use case | Why it's high-risk |
|---|---|
| AI résumé screener ranking applicants | Employment decisions (Annex III §4) |
| Automated video-interview scoring | Employment |
| AI credit scoring for loan decisions | Essential private services |
| AI grading or admission scoring | Education |
Note the pattern: it's not the technology that makes a system high-risk, it's the decision it influences. The same LLM is minimal-risk when drafting blog posts and high-risk when ranking job applicants.
If you deploy a high-risk system: follow the provider's instructions, assign human oversight, keep logs, and in some cases complete a fundamental rights impact assessment. If you provide one: risk management, data governance, Annex IV technical documentation, conformity assessment, CE marking, registration. Full lists in our SME compliance checklist.
Tier 3: Limited Risk (Transparency Obligations From 2 August 2026)
Article 50 requires honesty about these systems: tell users when they're talking to AI, label synthetic content, mark deepfakes. Your website's support chatbot, AI-generated product photos, AI-written content — all fine, with disclosure.
Tier 4: Minimal Risk (No Specific Obligations)
The vast majority of business AI: spam filters, grammar checkers, code assistants, recommendation engines, transcription, internal search. No AI Act obligations attach — though Article 4 literacy still covers the people using them, and your AI usage policy should still govern data going into them.
How to Classify Your Systems: A 5-Question Method
1. Does it do anything on the Article 5 list? → Prohibited. Stop using it.
2. Is it a safety component of a regulated product? → High-risk, Annex I track (Aug 2028).
3. Does it influence decisions in an Annex III domain (employment, education, credit, essential services)? → Likely high-risk, Annex III track (Dec 2027). Check the carve-outs and document your reasoning.
4. Does it interact with people or generate content? → Limited risk. Transparency duties from Aug 2026.
5. None of the above? → Minimal risk. Log it and move on.
FAQ
What are the four risk categories in the EU AI Act?
Prohibited (banned practices like social scoring), high-risk (AI in employment, credit, education, and regulated products), limited risk (transparency duties for chatbots and generated content), and minimal risk (no specific obligations).
When do high-risk obligations apply?
After the May 2026 Digital Omnibus agreement: Annex III standalone high-risk systems by 2 December 2027, and Annex I embedded systems by 2 August 2028.
This article is for general information only and is not legal advice. Consult qualified counsel for your specific situation.