Getting your AI system's risk classification wrong under the EU AI Act carries real financial consequences in both directions. Incorrectly classifying a high-risk system as limited-risk leaves you exposed to fines of up to €15 million or 3% of global annual turnover for missing documentation requirements. Incorrectly classifying a non-high-risk system as high-risk wastes significant compliance resources and may cause you to over-engineer documentation that isn't legally required.
The classification logic in the EU AI Act is more nuanced than most summaries suggest. It is not a single test — it is a sequential decision tree with three distinct pathways, two exemptions, and one override that applies regardless of any other factor.
Want a faster answer? Take the 5-minute risk classification quiz and get an instant determination. This guide explains the underlying legal logic in detail.
Article 6 of Regulation (EU) 2024/1689 establishes the classification framework. The correct way to apply it is as a sequential series of questions, not as a checklist.
Before asking whether a system is high-risk, ask whether it is prohibited outright. Article 5 lists AI practices that are banned entirely, regardless of documentation or conformity assessment. A prohibited system cannot be made compliant — it cannot be placed on the EU market at any price.
Prohibited practices under Article 5 include: subliminal manipulation of behaviour causing harm; exploitation of vulnerabilities of specific groups; social scoring by public authorities; real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions); retrospective remote biometric identification (except authorised by judicial authority); emotion recognition in workplace or education settings; and AI-based profiling to predict criminal behaviour based on protected characteristics. If your system falls into any of these categories, no compliance documentation will legalise it.
Article 6(1) captures AI systems that are safety components of products covered by the Union harmonisation legislation listed in Annex I. Annex I includes medical devices, machinery, radio equipment, motor vehicles, aviation equipment, and several other product categories.
If your AI system is embedded in or constitutes a safety-critical function of one of these products — and the product itself is required to undergo third-party conformity assessment — then your AI system is high-risk under Article 6(1). This pathway applies regardless of what the AI system actually does; the classification is triggered by the product category, not the AI's function.
Annex I systems have a later compliance deadline: August 2, 2028 per the Digital Omnibus agreement, not the December 2, 2027 deadline that applies to standalone Annex III systems.
Article 6(2) captures AI systems listed in Annex III. This is the pathway most providers encounter. Annex III specifies eight domains where AI systems are presumed high-risk due to the nature of their application.
| Annex III Domain | Examples |
|---|---|
| Biometric identification and categorisation | Remote biometric identification, emotion recognition, biometric categorisation by protected characteristics |
| Critical infrastructure | Safety components in water, gas, electricity, road traffic, and digital infrastructure management |
| Education and vocational training | Systems determining access, admission, or assignment; evaluating learning outcomes; monitoring students |
| Employment and worker management | Recruitment, CV screening, candidate ranking, monitoring performance, task allocation |
| Access to essential services | Credit scoring, insurance risk assessment, eligibility for public benefits, emergency services prioritisation |
| Law enforcement | Polygraph testing, assessment of evidence reliability, crime risk profiling, detection of deep fakes in investigations |
| Migration and border control | Risk assessment of persons, verification of travel documents, asylum application assessment |
| Administration of justice | Research assistance and fact interpretation in judicial proceedings |
If your system falls within one of these domains, it is high-risk — unless you can successfully apply the Article 6(3) exemption described below.
Article 6(3) is the most important — and most misunderstood — provision in the classification framework. It creates a pathway for AI systems that technically fall within an Annex III domain to be classified as non-high-risk, if they meet specific criteria.
A system qualifies for the Article 6(3) exemption if it meets at least one of the following four conditions:
The profiling override: Even if your system meets one of the four conditions above, the Article 6(3) exemption does not apply if the system performs profiling of natural persons. Profiling means any automated processing of personal data to evaluate, analyse, or predict aspects of a natural person — including performance at work, economic situation, health, personal preferences, or behaviour. A hiring screening tool that profiles candidates by inferred characteristics cannot use the Article 6(3) exemption regardless of how narrow its procedural scope appears.
Applying the Article 6(3) exemption is not a silent decision. Article 6(4) requires providers who rely on this exemption to document their determination and register it in the EU AI database under Article 49(2). The documentation must record which of the four exemption conditions applies and why — a formal reasoning exercise, not a checkbox.
This is what the $49 Lite Exemption Memo produces: a formal Article 6(3) Non-High-Risk Determination Memo, structured for governance records and formatted for the documentation requirements of Article 6(4).
If your system is built on top of a General Purpose AI model — such as a fine-tuned version of an open-source LLM, or a system using a third-party API — the classification question becomes more complex.
The GPAI model provider has obligations under Chapter V (Articles 53–56) of the EU AI Act, but those are different from the high-risk system obligations under Chapter III. If you use a GPAI model to build a specific application that falls within an Annex III domain — for example, a CV screening tool built on GPT-4 — you are the provider of a high-risk AI system and must comply with Articles 9–15, including producing Article 11 Technical Documentation.
The fact that the underlying model is provided by a third party does not exempt you from the provider obligations that attach to the specific high-risk application you have built.
Two types of classification error carry different risks.
False negative (treating a high-risk system as non-high-risk): This is the more serious error. Missing the Article 11, 13, and 47 documentation requirements triggers potential fines under Article 99 Tier 2 — up to €15 million or 3% of global annual turnover. If the underlying system is actually prohibited under Article 5, the Tier 1 fine of €35 million or 7% of turnover applies.
False positive (treating a non-high-risk system as high-risk): This error wastes compliance resources but carries no regulatory penalty. The risk is commercial — over-engineering compliance for a €49 chatbot application consumes resources that could be directed elsewhere. For SMEs with limited engineering bandwidth, this is a real cost.
The EU AI Act risk classification quiz walks through the Article 6 decision tree with plain-English questions about your system. It covers the Annex III domain check, the Article 6(3) exemption conditions, and the profiling override. At the end, it gives you a classification outcome — high-risk (directing you to the full $197 pack) or non-high-risk (directing you to the $49 exemption memo).
If your system is high-risk, the EU AI Act Compliance Pack Generator produces all three required documents — Article 11 Technical Documentation, Article 13 Instructions for Use, and Article 47 Declaration of Conformity — for $197 one-time.
5 minutes. Article 6 decision logic. Instant classification outcome — high-risk or non-high-risk, with the right document for each.
Take the Free Risk Classification Quiz →Already know you're high-risk? Generate your compliance pack — $197 →
Probably not. A system that only schedules or sends reminders without assessing, ranking, or filtering candidates is likely to qualify for the Article 6(3) exemption as a narrow procedural task. However, if the reminder system collects behavioural data that is later used to profile candidates, the profiling override may apply. Document your reasoning formally.
Yes, if the output of your AI system is used within the EU. Article 2 of the EU AI Act applies to providers who place AI systems on the EU market or put them into service in the EU — regardless of where the provider is established. A US SaaS company whose hiring tool is used by EU employers is subject to the regulation.
On May 7, 2026, the EU Council and European Parliament reached a provisional political agreement extending the Annex III high-risk AI deadline to December 2, 2027. Annex I systems (AI in regulated products) have until August 2, 2028. Article 50(1) chatbot disclosure obligations remain August 2, 2026 — unchanged by the Omnibus. The Omnibus adds a transitional period until December 2, 2026 only for existing AI systems implementing Article 50(2) synthetic content watermarking. These changes are provisional pending formal adoption, expected before August 2026. The fines under Article 99 are unchanged.
Continue reading
Deadline: August 2, 2026
Article 50 transparency obligations apply to every AI product serving EU users, regardless of risk classification. Deadline is August 2, 2026. Generate your formal compliance record for $39.
Generate Article 50 Compliance Record — $39 →