This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
The EU AI Act doesn't regulate "AI" as one thing, it regulates AI systems according to how much harm they could realistically cause. A tool that drafts marketing copy and a tool that decides whether someone gets a job interview are treated completely differently under the Act, even though both are "AI." Understanding which tier your own tools fall into is the single most useful thing you can do before worrying about specific compliance obligations.
In short: The EU AI Act has four risk tiers: unacceptable (banned outright), high-risk (heavy obligations, mostly things like hiring, credit scoring, and safety-critical systems), limited-risk (mainly a transparency/disclosure duty), and minimal-risk (little to no obligation). Most everyday business AI tools, writing assistants, scheduling, general chatbots, sit in the limited or minimal tiers. The tools that matter most to check carefully are ones involved in hiring, lending, insurance pricing, or anything safety-related.
The plain-English answer
Most AI tools a small or mid-size business actually uses, day to day, land in the lower two tiers. A writing assistant, an ad-targeting optimiser, a scheduling tool, a general customer service chatbot, none of these are high-risk under the Act as a rule, though a chatbot may carry a disclosure obligation (covered in a separate guide). The tools worth checking carefully are the ones that make or heavily influence a decision about a specific person, hiring, lending, insurance pricing, and a small number of safety-critical categories most SMBs will never touch. Get the tier right, and most of the anxiety around "is my business AI Act compliant" resolves itself quickly, because most tools simply don't carry the heavy obligations.
Why this matters for your business
A 15-person marketing agency using three or four different AI tools is a completely typical small business position in 2026, and the instinct to assume every one of those tools now carries a heavy new compliance burden is understandable but usually wrong. The actual risk isn't over-compliance, spending time and money treating a low-risk writing tool like a regulated system, it's under-checking the one tool that actually matters, most commonly a hiring or screening tool, because it looks and feels the same as every other AI feature bolted onto a piece of software.
Getting the tier wrong in either direction has a real cost. Treating everything as high-risk wastes time and can lead a business to drop a genuinely useful, low-risk tool out of unnecessary caution. Treating a genuinely high-risk tool as routine misses real obligations, conformity assessment, registration, human oversight, that carry serious penalties for getting wrong.
The four tiers, explained
The EU AI Act's official text and classification rules live in Regulation (EU) 2024/1689, with the European Commission's own AI Act Service Desk providing a more accessible walk-through of Article 6's classification rules and Annex III's specific high-risk categories.
Unacceptable risk (banned outright). A short list of AI uses the Act prohibits entirely: manipulative techniques that exploit vulnerabilities, social scoring systems, real-time biometric identification in public spaces (with narrow exceptions), and predictive policing based purely on profiling. Very few ordinary small or mid-size businesses will ever come close to this particular category in day-to-day operation.
High-risk (heavy obligations). Annex III lists specific categories: biometrics, management of critical infrastructure, education and vocational training, employment and worker management (including CV-screening and hiring tools), access to essential services (credit scoring, insurance pricing), law enforcement, migration and border control, and administration of justice. An AI system in one of these categories, or embedded as a safety component in a regulated product, faces conformity assessment, registration in an EU database, risk management, human oversight, and logging requirements.
Limited risk (transparency obligations). Systems that interact directly with people, chatbots, or generate synthetic content, deepfakes, AI-generated text or images, carry a disclosure duty under Article 50: people need to be told they're interacting with AI, or that content is AI-generated. This is the tier most everyday customer-facing AI tools fall into. See our separate guide on the chatbot disclosure requirement for the practical detail.
Minimal risk (little to no obligation). Everything else, spam filters, AI-assisted inventory management, most internal productivity tools. The vast majority of AI features embedded in everyday business software sit here, with no specific obligation beyond general good practice.
How this relates to GDPR
It's worth being clear that the EU AI Act and GDPR are two separate frameworks that can both apply to the same tool at once, not competing versions of the same rule. GDPR governs personal data processing generally, and applied to AI tools long before the AI Act existed. The AI Act specifically governs the AI system itself, how it's built, tested, and deployed, based on the risk the system poses. A high-risk hiring tool under the AI Act is very likely also triggering GDPR's own Data Protection Impact Assessment requirement, because scoring and ranking job candidates is exactly the kind of processing GDPR treats as high-risk too. The two obligations are designed to be worked through together for exactly this reason, not treated as two separate compliance projects that happen to overlap by coincidence.
This matters practically because a business that's already done a proper GDPR assessment on a hiring or scoring tool has done a meaningful chunk of the work an AI Act high-risk classification also requires, documenting the data involved, the decision being made, and the safeguards in place. Starting from "what does GDPR already require of this tool" is often a faster route into AI Act compliance than starting from scratch with the Act's own text.
What this looks like in practice
Picture the marketing agency owner working through their own tool stack against these tiers. The AI writing assistant the team uses for first-draft blog content and social copy: minimal risk, it doesn't make decisions about specific people, no registration or conformity assessment needed. The ad-targeting tool that optimises which audience segments see which ad: also minimal risk in most configurations, since it's optimising spend, not making a legal or similarly significant decision about an identified individual.
The CV-screening add-on the agency uses when hiring is the one that actually matters. Employment and worker management is explicitly named in Annex III, and a tool that scores or ranks job applicants sits squarely in the high-risk category. That single tool, out of the four the agency uses, is the one that needs the conformity assessment, registration, and human oversight the Act actually requires, not the others. Working through the tiers deliberately, rather than assuming either "it's all fine" or "it's all a problem," is what actually resolves the uncertainty.
There's a separate, fifth category worth knowing about too: obligations that apply to the makers of general-purpose AI models themselves, the large language models underpinning tools like ChatGPT, Claude, and Gemini. These obligations, covering things like technical documentation and copyright compliance, sit with the model provider, not with a business using the model through an ordinary subscription. A marketing agency using an AI writing tool built on a general-purpose model doesn't inherit those provider-level obligations just by being a customer, they're a separate layer of the Act aimed at a different part of the AI supply chain entirely.
What you can do about it
None of this requires hiring outside help for the classification step itself, most businesses can work through their own tool list in under an hour once they know what to look for. Where it's worth bringing in advice is once a tool actually lands in the high-risk tier, the conformity assessment and registration process that follows is genuinely involved, and getting it wrong carries real financial exposure.
A short process for working through your own tool stack:
- List every AI tool or AI feature your business actually uses, including ones bolted onto existing software you might not think of as "an AI tool."
- For each one, ask a single question: does this tool make or materially influence a decision about a specific, identifiable person, especially around hiring, credit, insurance, or anything safety-related. If yes, check it against Annex III specifically.
- For any tool that interacts directly with a customer or generates content people see, check the separate transparency/disclosure obligation, a lighter requirement than high-risk classification but still a real one.
- For anything landing in the high-risk category, treat it as its own project, conformity assessment, registration, and human oversight are not small administrative steps.
- Revisit the list when you adopt a new tool or a vendor changes how an existing tool works, tier classification isn't a one-time exercise.
If you're specifically weighing up whether an AI tool needs a GDPR Data Protection Impact Assessment on top of any EU AI Act obligation, see our guide on GDPR DPIA requirements for AI systems, the two assessments are designed to work together for high-risk tools specifically.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Is ChatGPT or a general-purpose AI assistant high-risk under the EU AI Act?
Generally no, as a general-purpose tool. General-purpose AI models carry their own separate set of obligations under the Act (mainly aimed at the model provider, not a business using the tool), but using a general assistant for drafting or research doesn't put your business in the high-risk tier. What matters is the specific use, if you build a hiring decision tool on top of a general-purpose model, that specific use case can still be high-risk.
What if I'm not sure whether my tool counts as high-risk?
Start with Annex III's specific categories, if your use case isn't named there (employment, credit, insurance, critical infrastructure, and a handful of others), it's very unlikely to be high-risk. If it is named there, treat that as a strong signal to get a proper assessment done rather than guessing either way.
Does the risk tier depend on the AI technology used, or how it's applied?
How it's applied. The exact same underlying AI model can be minimal-risk in one use case and high-risk in another, depending on what decision it's making and about whom. Classify by use case, not by which AI product or vendor you're using.
What are the penalties for misclassifying a high-risk system?
Non-compliance with high-risk system obligations carries penalties of up to €15 million or 3% of global annual turnover, whichever is greater. Prohibited practices carry even higher penalties. This is a real financial exposure, not a symbolic one, which is why getting the classification right for anything touching hiring, credit, or insurance specifically is worth real care.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Working out which EU AI Act deadlines actually apply to your business, and when?
Check the compliance timeline