
EU AI Act Explained: Risk Tiers, Timeline, and Real-World Examples

Baljeet Dogra

The EU AI Act is the world’s first comprehensive legal framework for artificial intelligence—adopted by the European Parliament in March 2024, published in the Official Journal on 12 July 2024, and entering into force on 1 August 2024. If you ship AI to EU customers, this is not optional background reading.

Disclaimer: This article is for general engineering and product awareness—not legal advice. Classification depends on specific use case, role (provider vs deployer), and how a system is integrated. Consult qualified counsel before relying on any tier assignment.

What it is

The EU AI Act (Regulation (EU) 2024/1689; see also the official text on artificialintelligenceact.eu) is the first-ever comprehensive legal framework on AI worldwide. Its aim is to foster trustworthy AI in Europe by setting out risk-based rules for AI developers and deployers regarding specific uses of AI—not a blanket ban on innovation.

The core design choice: not all AI is treated the same. Obligations scale with the potential harm to people’s safety, rights, and fundamental freedoms.

The four risk tiers

1. Unacceptable risk — banned outright

Prohibited practices include social scoring by public authorities, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), emotion recognition in the workplace and in education, and certain manipulative or exploitative AI practices. These cannot be placed on the EU market.

2. High risk — heavily regulated

Annex III and related categories cover systems that materially affect people—e.g. biometric identification, access to essential services (credit, insurance, emergency dispatch), education and vocational training, employment, and law enforcement. Providers must implement risk management, maintain technical documentation, ensure data governance, and enable human oversight before deployment.

High-risk AI that is a safety component of products under Annex I Union harmonisation legislation (medical devices, machinery, vehicles, aviation, and similar) follows the Article 113 staggered dates—notably 2 August 2027 for Article 6(1) obligations.

3. Limited risk — transparency obligations

AI that interacts with people must disclose its artificial nature (e.g. chatbots). AI-generated or manipulated content—deepfakes, synthetic audio, images, video—must be labelled so users know what they are seeing. No full conformity assessment, but clear disclosure duties under Article 50.

4. Minimal risk — largely unregulated

Most everyday AI falls here: internal productivity tools, non-consequential recommendations, and systems with no material legal or similarly significant effect on individuals. No mandatory conformity process—though voluntary codes of conduct and general product law still apply.

Real-world examples by tier

The table below illustrates typical placements. The same underlying technology can move tiers depending on purpose—a language model used for internal drafting is not the same product as one that auto-rejects job applicants.

| Risk tier | Example use case | Region / context | Why this tier |
|---|---|---|---|
| Unacceptable | Government social scoring affecting access to services | Public sector (EU scope) | Explicitly prohibited—generalised evaluation of trustworthiness |
| Unacceptable | Live facial recognition in public streets for police dragnet searches | Law enforcement | Real-time remote biometric ID in public spaces—banned except narrow exceptions |
| Unacceptable | Emotion inference on call-centre staff or students in exams | Workplace / education | Emotion recognition in workplace and education contexts is prohibited |
| High risk | Automated mortgage or consumer credit approval | Banking (EU, UK, US fintech selling into EU) | Access to essential private services—creditworthiness decisions |
| High risk | AI-assisted radiology triage influencing treatment pathways | Healthcare (EU MDR overlap) | Safety-critical health context; often regulated product + AI Act |
| High risk | Resume screening that ranks or filters job applicants | HR tech (global vendors, EU customers) | Employment and workers management—Annex III |
| High risk | Insurance premium pricing from individual risk models | Insurance (EU) | Access to essential services—pricing and underwriting |
| High risk | Emergency dispatch prioritisation (ambulance / fire routing) | Public safety (EU municipalities) | Critical infrastructure and essential public services |
| High risk | Automated exam scoring determining university admission | Education (EU, Asia edtech exporting to EU) | Access to education—consequential individual outcomes |
| High risk | Border e-gates using biometric identity matching | Migration / law enforcement | Biometric identification and categorisation |
| High risk | Predictive policing heat maps influencing patrol deployment | Law enforcement (various jurisdictions) | Law enforcement uses with significant rights impact |
| Limited risk | Banking customer-service chatbot answering account queries | Financial services (global) | Direct interaction with people—must disclose AI nature |
| Limited risk | Synthetic spokesperson video for advertising | Marketing (EU campaigns) | AI-generated content must be machine-readable labelled / disclosed |
| Limited risk | AI-drafted sales or outreach emails to prospects | B2B SaaS, agencies | Transparency when users interact with or receive AI-generated content |
| Limited risk | Deepfake-style image tools for social posts | Creator economy | Manipulated media labelling obligations |
| Limited risk | Voice assistant on a consumer smart speaker | Consumer tech | Natural-language interaction requires clear AI disclosure |
| Minimal risk | Website audit agent scoring business sites (no individual legal effect) | B2B outreach / marketing | Scores businesses, not people’s rights or access to services |
| Minimal risk | Internal email spam and phishing classification | Enterprise IT (worldwide) | No direct consequential decision about individuals in scope of Annex III |
| Minimal risk | Warehouse demand forecasting for stock replenishment | Retail / logistics | Operational optimisation without individual legal effects |
| Minimal risk | AI code completion for developers (Copilot-style) | Software engineering | Productivity aid; deployer obligations lighter unless embedded in high-risk product |
| Minimal risk | Video game NPC dialogue generation | Gaming | Entertainment context—no Annex III access or safety domain |
| Minimal risk | Grammar and tone suggestions in a private notes app | Consumer productivity | User-controlled, non-consequential assistance |

Who it applies to

Like GDPR, the AI Act has extraterritorial reach. It applies to providers placing AI systems on the EU market or putting them into service in the EU, regardless of where the provider is established. A UK, US, or Singapore company selling AI tools to EU customers is in scope. Deployers—organisations using AI in the EU—also have obligations, especially for high-risk systems.

Implementation timeline

Key application dates below follow Article 113 and the EU AI Act implementation timeline (last updated 1 August 2024). Obligations apply gradually—not all at once on day one.

  • 12 July 2024 — Published in the Official Journal (formal notification).
  • 1 August 2024 — Entry into force (requirements do not all apply yet).
  • 2 February 2025 — Chapter I and Chapter II apply: prohibited AI practices and AI literacy obligations.
  • 2 August 2025 — Notified bodies, GPAI models (Chapter V), governance (Chapter VII), confidentiality, and penalties (Articles 99–100) apply. GPAI models on the market before this date must comply by 2 August 2027 (Article 111).
  • 2 August 2026 — The remainder of the Regulation applies, except Article 6(1) (general application date under Article 113).
  • 2 August 2027 — Article 6(1) and corresponding obligations apply, including high-risk AI embedded as safety components under Annex I product legislation.
  • 2 August 2030 — Providers and deployers of high-risk AI intended for use by public authorities must comply (Article 111).
  • 31 December 2030 — Large-scale IT systems in Annex X placed on the market before 2 August 2027 must be brought into compliance.

Note: dates in 2028 on the official timeline are mainly Commission evaluation and reporting deadlines—not product compliance cut-offs for embedded high-risk AI. Always confirm against the live implementation timeline for updates.

Penalties

| Violation type | Maximum fine |
|---|---|
| Prohibited AI practices | Up to €35 million or 7% of global annual turnover |
| High-risk system non-compliance | Up to €15 million or 3% of turnover |
| Incorrect information to authorities | Up to €7.5 million or 1% of turnover |

SMEs and startups benefit from proportionate penalty caps in many cases—but the compliance work for high-risk systems is still substantial.

What it means for a health-website scoring agent

An agent that scores practice websites and generates B2B outreach—without making consequential decisions about individuals—is likely in the limited or minimal risk tier today. It evaluates businesses, not patient eligibility, hiring, or credit access.

Two escalators to watch:

  1. Employment use — If the same stack screens health professionals for a hiring platform, that can move into high risk under Annex III (employment and workers management).
  2. Transparency — Limited-risk obligations already matter: AI-drafted emails should disclose their artificial nature where Article 50 applies. Build disclosure into the email drafter from day one—not as a retrofit.

Practical checklist for builders

  • Map each feature to a risk tier—document why, not just “we’re probably fine.”
  • Separate products by use case; don’t reuse a hiring model’s pipeline for marketing outreach.
  • Add AI disclosure to chatbots, emails, and synthetic media outputs.
  • If you touch Annex III domains, budget for risk management, logging, and human oversight.
  • Track GPAI provider terms if you build on foundation models—obligations shifted in August 2025.

Building production AI in Europe? See also architectural decisions for LLM cost and LLM cost explosion traps — compliance and cost discipline tend to reinforce each other.

Shipping AI to EU customers?

I help teams design agents and LLM products with governance, transparency, and cost architecture built in—not bolted on after launch.
