You have an AI system in production or development. Now the EU AI Act kicks in. The first question is not technical — it's about classification: which risk category does your system fall into? Getting it wrong can mean fines up to €35 million or 7% of global annual revenue. This is not an academic exercise: it's a business decision that can shut down your company.
We at Meteora Web work daily with SMEs and developers integrating AI into their products. We come from accounting and ERP: for us, risk classification is a preventive budget, not an abstract checklist. In this guide we explain how to distinguish the four risk levels defined by Regulation (EU) 2024/1689 — unacceptable, high, limited, minimal — and what you need to do concretely for your system.
Why Classification Is Your First Compliance Step
The EU AI Act does not apply equally to all AI systems. The higher the risk, the more obligations you have. Misclassifying — for example, labeling a high-risk system as limited — means violating the law, with severe penalties. Proper classification lets you focus resources where they matter: spend time and money only on what is mandatory, and nothing more.
Classification is based on two main criteria: the system's purpose and its context of use. It's not just what the AI does, but who uses it and what consequences it may generate. For example, a customer service chatbot is minimal risk. The same conversational engine used to diagnose a disease is high risk. Same technology, different context.
The Four Risk Levels Explained with Real Examples
Unacceptable risk — prohibited systems
No margin here: these systems are banned from the European market. The EU AI Act lists them in Article 5. Examples include:
- Subliminal cognitive-behavioral manipulation (e.g., toys that encourage dangerous behavior without the parent noticing).
- Social scoring based on behavioral or biometric data.
- Real-time biometric identification in public spaces for law enforcement (with very narrow exceptions).
- Scraping facial images from the internet to create facial recognition databases.
Concrete example: An app using a smartphone's microphone to analyze children's emotions during play and suggest targeted purchases. Prohibited. If you are developing it, stop and change your approach.
High risk — mandatory compliance
This is the largest category and the one most relevant for SMEs developing AI. High-risk systems must meet strict requirements: risk assessment, transparency, technical documentation, registration in the EU database, human oversight, etc.
Which systems are high risk? Annex III lists 8 areas, including:
- Biometrics and identification of persons.
- Management of critical infrastructure (e.g., traffic, energy, water).
- Education and vocational training (student assessment, access to courses).
- Employment, worker management, recruitment.
- Access to essential public and private services (credit, insurance, healthcare).
- Law enforcement, justice, asylum and border control.
Operational example: HR software that scans CVs and scores candidates for a job. It is high risk because it can determine access to employment. You need documentation, an impact assessment, and transparency on the decision criteria.
Watch out: Even if your system does not exactly fit an Annex III category, it can still be considered high risk if it profiles or evaluates individuals in a way that significantly affects their rights. A content recommendation system for minors? Probably not. A medical diagnosis assistant? Yes.
Limited risk — transparency obligations
Limited-risk systems have only transparency obligations: you must inform the user that they are interacting with AI, or that content is AI-generated (deepfakes, chatbots, etc.). No complex assessments required, but you must be able to prove the user was informed.
Example: A voice assistant for booking haircut appointments. A simple initial message: “You are speaking with an AI assistant. You can ask to speak with a human operator at any time.”
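The obligation above is not only to show the message but to be able to prove later that the user saw it before the AI answered. As an added example (not from the original guide), here is a minimal evidence log for a chatbot or voice assistant: every session starts with the disclosure, every turn is recorded, and a check verifies that the disclosure was recorded before the first AI turn. The record shape, the function names and the timestamps are assumptions made for illustration.

```javascript
// Added example: evidence log for the limited-risk transparency duty.
// The record shape and function names are assumptions, not the guide's code.

const DISCLOSURE =
  'You are speaking with an AI assistant. You can ask to speak with a human operator at any time.';

// Record the disclosure at the start of a session and return the text to show.
// `at` is a timestamp in milliseconds (assumed; any monotonic clock works).
function startSession(log, sessionId, channel, at) {
  log.push({ sessionId, channel, type: 'disclosure', text: DISCLOSURE, at });
  return DISCLOSURE;
}

// Record one conversational turn; role is 'user' or 'ai'.
function recordTurn(log, sessionId, role, text, at) {
  log.push({ sessionId, type: 'turn', role, text, at });
}

// Evidence check: was a disclosure recorded for this session, and did it
// come before the first AI turn? Both conditions must hold to claim the
// user was informed.
function wasUserInformed(log, sessionId) {
  const events = log
    .filter((e) => e.sessionId === sessionId)
    .sort((a, b) => a.at - b.at);
  const disclosureIdx = events.findIndex((e) => e.type === 'disclosure');
  if (disclosureIdx === -1) return false;
  const firstAiIdx = events.findIndex((e) => e.type === 'turn' && e.role === 'ai');
  return firstAiIdx === -1 || disclosureIdx < firstAiIdx;
}

// Constructed sample session for the hair salon assistant.
const evidenceLog = [];
startSession(evidenceLog, 'session-1', 'voice', 1000);
recordTurn(evidenceLog, 'session-1', 'user', 'I would like a haircut on Friday', 1001);
recordTurn(evidenceLog, 'session-1', 'ai', 'Friday at 10:00 is available', 1002);
console.log('session-1 informed:', wasUserInformed(evidenceLog, 'session-1'));
```

Keep the log append-only and retained for as long as your record-keeping policy requires; an inspection will ask for exactly this kind of trace, not for the banner's source code.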
Minimal risk — no obligations
This includes AI systems that do not fall into the previous categories. Examples: spam filters, movie recommendation engines, warehouse optimization systems. No specific obligations, but you still must comply with other laws (e.g., GDPR).
Note: Minimal risk does not exempt you from liability if the system causes harm. AI is not a lawless jungle.
How to Classify Your System: An Operational Procedure
Reading Annex III is not enough. You need a systematic analysis. At Meteora Web we recommend this 5-step process:
- Describe the system: purpose, input, output, target users, deployment context.
- Check Article 5: if it falls under prohibited practices, stop. You cannot market it in the EU. Modify or abort.
- Check Annex III: if the area of use is one of the 8 listed, you are presumably high risk. Look for exceptions: if the system is only a “minor improvement” or does not produce a substantial output, it may be excluded.
- Assess impact: even if not in Annex III, the system can still be classified as high risk if it involves profiling of natural persons (Art. 6(2)).
- Document the decision: keep a written record of your reasoning. In case of inspection, you must show you classified correctly.
Decision tool — pseudo-code to get started
You can translate this logic into a simple script to help your team do a first screening. Here is a JavaScript function (adaptable to any language) that returns the risk category based on boolean inputs:
function classifyAISystem(system) {
  // system.area = 'biometrics' | 'critical-infra' | 'education' | 'employment' | ... | null
  // system.isProfiling = true/false
  // system.isBannedPractice = true/false
  // system.isDeceiving = true/false (art. 5)
  // system.isTransparencyRequired = true/false (chatbot, voice assistant, content generator)

  // Step 2 of the procedure: Article 5 prohibited practices come first.
  if (system.isBannedPractice || system.isDeceiving) {
    return 'unacceptable';
  }

  // Step 3: the 8 Annex III areas.
  const highRiskAreas = [
    'biometrics', 'critical-infra', 'education', 'employment',
    'essential-services', 'law-enforcement', 'justice', 'migration'
  ];
  // Step 4: profiling of natural persons is high risk even outside Annex III.
  if (highRiskAreas.includes(system.area) || system.isProfiling) {
    return 'high';
  }

  // Limited risk: the system is a chatbot, voice assistant or content generator.
  if (system.isTransparencyRequired) {
    return 'limited';
  }
  return 'minimal';
}
Obviously this is a simplification: real classification requires thorough legal analysis. But it gives you an initial compass.
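The function above returns only a label. Step 5 of the procedure (document the decision) and the "document every decision" item in the checklist ask for something more: a written record with the date and the reasoning. As an added example (not Meteora Web's code), here is a version of the screening that walks the five steps in order and returns such a record, including the Annex III exception for systems that only perform a narrow, preparatory task and the rule that profiling still makes the system high risk. The field names (`narrowTaskOnly`, `profilesPersons`, `interactsWithPeople`, `generatesContent`, `bannedPractice`), the area codes and the sample systems are assumptions for illustration; the legal conclusion still belongs to your advisor.

```javascript
// Added example: screening that produces a written decision record.
// Field names and area codes are assumptions, not the guide's own code.

const ANNEX_III_AREAS = new Set([
  'biometrics', 'critical-infra', 'education', 'employment',
  'essential-services', 'law-enforcement', 'migration', 'justice',
]);

// Returns { system, date, level, legalBasis, reasoning[] } so the result can
// go straight into the classification log.
function classifyWithRecord(system, date = new Date().toISOString().slice(0, 10)) {
  const reasoning = [];
  const decide = (level, legalBasis) => ({ system: system.name, date, level, legalBasis, reasoning });

  // Step 1: the description of the system is part of the record.
  reasoning.push(`Purpose: ${system.purpose}; users: ${system.users}; context: ${system.context}`);

  // Step 2: an Article 5 prohibited practice ends the analysis.
  if (system.bannedPractice) {
    reasoning.push(`Matches a prohibited practice: ${system.bannedPractice}`);
    return decide('unacceptable', 'Article 5');
  }
  reasoning.push('No Article 5 prohibited practice identified');

  // Step 3: Annex III area. The exception (narrow/preparatory task, no
  // substantial output) is recorded as a claim that the technical file must justify.
  if (ANNEX_III_AREAS.has(system.area)) {
    if (system.narrowTaskOnly) {
      reasoning.push(`Annex III area "${system.area}", but the system only performs a narrow preparatory task; exception claimed, to be justified in the technical documentation`);
    } else {
      reasoning.push(`Deployed in Annex III area "${system.area}" with substantial output`);
      return decide('high', 'Annex III');
    }
  } else {
    reasoning.push('Area of use not listed in Annex III');
  }

  // Step 4: profiling of natural persons is high risk regardless of the
  // exception above or the area of use.
  if (system.profilesPersons) {
    reasoning.push('Evaluates personal attributes of natural persons (profiling)');
    return decide('high', 'Profiling of natural persons (step 4 of the procedure)');
  }

  // Transparency duty: chatbots, voice assistants, content generators.
  if (system.interactsWithPeople || system.generatesContent) {
    reasoning.push('Interacts with people or generates content: transparency obligation');
    return decide('limited', 'Transparency obligations');
  }
  reasoning.push('No high-risk or transparency trigger found');
  return decide('minimal', 'None');
}

// Constructed sample: the same conversational engine in two contexts
// ("underestimating context" from the list of common mistakes).
const salonBot = classifyWithRecord({
  name: 'Booking assistant', purpose: 'book appointments', users: 'customers',
  context: 'salon website', area: null, interactsWithPeople: true,
}, '2025-01-01');
const hrBot = classifyWithRecord({
  name: 'Candidate interviewer', purpose: 'rank applicants from chat answers', users: 'HR staff',
  context: 'recruitment', area: 'employment', interactsWithPeople: true, profilesPersons: true,
}, '2025-01-01');
console.log(salonBot.level, '->', hrBot.level); // limited -> high
```

Store the returned object as-is (JSON in your ticketing system or ERP is enough); re-run the screening whenever the deployment context changes, because the record is tied to the context that was described in step 1.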
Common Classification Mistakes
- Underestimating context: a system that is minimal risk in an office becomes high risk when used in employee selection.
- Confusing “generative AI” with “limited risk”: an AI image generator is not automatically limited risk. If used to create deepfakes for fraud, it can become unacceptable. Risk depends on use.
- Ignoring profiling: even if you are not in an Annex III area, if your system evaluates personal attributes (creditworthiness, psychological traits, etc.) you are high risk.
- Forgetting documentation: compliance is not only technical, it is documentary. If you have not written down why you classified the system as “limited risk”, an inspection will put you in trouble.
What to Do Now — Operational Checklist
If you have an AI system (or are developing one), start here:
- Conduct a preliminary audit using the 5-step procedure above. Involve a specialized legal advisor.
- If unacceptable: do not market in the EU. Rethink the idea.
- If high risk: prepare technical documentation, perform an impact assessment, implement human oversight, and register the system in the EU database (managed by the Commission).
- If limited risk: implement transparency mechanisms (e.g., a banner for chatbots, watermark for generated content).
- If minimal risk: no specific obligations, but monitor regulatory updates. The boundary may shift.
- Document every decision: keep a log of classification with date and rationale.
Remember: the EU AI Act is a living law. The Commission will publish guidelines and periodic updates. At Meteora Web we continue to follow the developments for our clients. For a deeper dive, see our complete EU AI Act pillar guide.