By Stephen Milner · UtilityForge · Last reviewed: May 2026
The EU AI Act (Regulation 2024/1689) is the world's first binding law specifically governing artificial intelligence. It came into force on 1 August 2024, with obligations rolling out in phases through 2027. The Act applies to any organisation placing an AI system on the EU market or putting one into service in the EU, regardless of where that organisation is based.
The regulation works by assigning AI systems to one of four risk tiers. The tier determines what, if anything, you must do before deployment. This tool walks you through a structured questionnaire and tells you which tier your system likely falls into, along with the specific obligations that tier triggers.
If you build, sell, import, distribute, or deploy AI systems that reach EU users or operate in the EU, this tool is for you. That covers a wide group: software vendors adding AI features to their products, enterprises deploying off-the-shelf AI tools internally, startups building AI-native applications, and organisations using AI to make decisions about people.
The problem it solves is clarity. The Act is 144 articles and 13 annexes long. Working out whether your specific system triggers obligations, and which ones, is not obvious from reading the text. This checker distils the classification logic into a series of concrete questions and gives you a plain-English answer in under five minutes.
The Act organises AI systems into four tiers based on the potential harm they can cause.
Unacceptable risk covers systems that are outright prohibited from 2 February 2025 onward. These include social scoring systems used by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions for law enforcement), AI that exploits psychological vulnerabilities to manipulate behaviour, and systems that infer emotions in workplaces or schools.
High risk is the most regulated category. It captures AI used in eight domains listed in Annex III: biometric identification and categorisation, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and asylum, and administration of justice. High-risk systems must pass a conformity assessment, maintain technical documentation, log interactions, and register in an EU database before deployment. From August 2026, these requirements fully apply.
Limited risk systems face lighter transparency obligations. If you deploy a chatbot, users must know they are talking to an AI. Deepfake content must be labelled. No conformity assessment is required.
Minimal risk covers everything else, such as spam filters, AI in video games, and recommendation systems in unregulated contexts. These carry no mandatory obligations under the Act, though voluntary codes of conduct are encouraged.
Beyond the four tiers, the Act creates a separate track for general-purpose AI (GPAI) models, including large language models and foundation models. Providers of GPAI models must publish technical documentation, maintain policies for copyright compliance, and publish usage summaries. Models assessed as posing systemic risk face additional requirements including adversarial testing and incident reporting. GPAI rules apply from 2 August 2025.
A few variables can shift a system's classification in non-obvious ways.
Safety components matter. An AI system that serves as a safety component of a product already regulated under EU law, such as medical devices, machinery, or vehicles, is treated as high risk even if it would otherwise qualify for a lower tier.
Intended purpose versus actual use is a key distinction. The classification follows the intended purpose as stated by the provider. If a general-purpose tool is marketed specifically for a high-risk use case, that use case drives the classification.
Exemptions exist for research and development activity, purely personal non-professional use, and certain law enforcement operations under specific conditions. Free and open-source model weights receive partial exemptions unless the model is assessed as posing systemic risk.
A hiring platform that automatically filters CVs and ranks candidates falls under the Annex III employment category and is high risk. The operator needs a conformity assessment and must provide for meaningful human oversight of decisions.
A customer service chatbot that handles billing questions is limited risk. The operator must disclose that users are interacting with an AI, but no conformity assessment is needed.
A large language model API offered to third-party developers is a GPAI model. The provider must publish technical documentation and copyright compliance policies from August 2025. If the model exceeds 10^25 FLOPs of training compute, it is presumed to carry systemic risk and faces additional obligations.
A fraud detection model used internally by a bank to flag transactions for human review sits in a grey area. The classification depends on whether the model's output directly affects access to essential financial services. If it does, it is likely high risk under Annex III.
This tool applies the Act's published classification criteria to your inputs. It gives a reliable starting point, not a legal determination. Edge cases, novel deployment contexts, and evolving guidance from the European AI Office can affect the final outcome. If your system sits near a category boundary or operates in a heavily regulated sector, have a qualified legal adviser review the result before finalising your compliance approach.
No. This tool applies the EU AI Act's published classification criteria to your inputs and returns an indicative result. It is not legal advice and does not constitute a professional legal opinion. For a formal compliance determination, especially in high-risk or borderline cases, consult a qualified lawyer with experience in EU technology regulation.
When a system has multiple use cases, the Act classifies it according to its highest-risk application. If your product is marketed for both a low-risk and a high-risk use case, the high-risk rules apply to the entire system. The tool prompts you to enter all intended use cases so it can apply this logic correctly before returning a result.
Prohibited practices have applied since 2 February 2025. GPAI model obligations apply from 2 August 2025. High-risk system requirements under Annex III apply from 2 August 2026. The full regulation covers all remaining systems from 2 August 2027. Systems already in service before August 2026 have a further transition period running to August 2029.
Yes. The Act applies to any provider that places an AI system on the EU market or puts it into service in the EU, regardless of where the provider is established. It also covers providers whose systems produce outputs used in the EU. US, UK, and other non-EU companies are in scope if their AI reaches EU users or operators.
A conformity assessment is the process by which a high-risk AI system is evaluated against the Act's technical requirements before it can be placed on the EU market. Most high-risk systems can be self-assessed by the provider. For a narrower set of systems, including certain biometric identification tools, assessment by an accredited third-party notified body is required.
GPAI models are assessed on a separate track from the four main risk tiers. All GPAI providers must meet baseline documentation and copyright compliance requirements. Models trained on compute exceeding 10^25 FLOPs are presumed to carry systemic risk and face additional obligations including red-team testing, incident reporting to the European AI Office, and cybersecurity measures. These rules apply from 2 August 2025.
Fines vary by violation type. Placing a prohibited AI system on the market can attract fines up to 35 million euros or 7% of global annual turnover, whichever is higher. Non-compliance with obligations for high-risk systems carries fines up to 15 million euros or 3% of turnover. Providing incorrect information to authorities can result in fines up to 7.5 million euros or 1.5% of turnover.
Re-run the checker whenever you make a material change to your AI system's purpose, functionality, or target users, since changes can shift the risk tier. Also review your classification when the European AI Office publishes new guidance or when delegated acts under the regulation are updated. An annual review is a reasonable minimum for systems already in service.