A decision guide for placing each AI system into the right risk tier under the EU AI Act, with the triggers that move it up a level and the conformity assessment that follows.
The EU Artificial Intelligence Act — Regulation (EU) 2024/1689 — takes a risk-based approach. Rather than treating all AI the same, it sorts systems into tiers and attaches obligations in proportion to the risk each tier presents. Classifying every AI system in your estate into the correct tier is the foundation on which the rest of compliance is built.
At the top of the risk scale, the Regulation prohibits certain AI practices outright. These are uses considered to present an unacceptable risk to people's safety, livelihoods or rights. Where a use falls into this category, it cannot be placed on the market or put into service — there is no compliance path that makes it permissible. Penalties for prohibited practices are the most severe, reaching up to €35 million or 7% of total worldwide annual turnover.
Below prohibited practices sit high-risk AI systems, which carry the bulk of the Regulation's substantive obligations. Annex III lists the high-risk areas, including:
A system may also be high-risk where it is a safety component of a product, or is a product, covered by certain EU harmonisation legislation. The triggers for the high-risk tier are therefore tied to the intended purpose and the area of use, not the technology in the abstract.
Some AI systems are not high-risk but still carry specific transparency obligations because of how they interact with people. The Regulation sets transparency duties for situations such as AI systems that interact directly with natural persons and certain generated or manipulated content, so that people are aware they are dealing with AI or AI-generated material.
The large majority of AI systems fall outside the higher tiers and are treated as minimal risk under the Regulation. These are not subject to the obligations that attach to high-risk or transparency-tier systems, though general good-practice expectations still apply.
Where a system is classified as high-risk, the Regulation requires it to undergo a conformity assessment before it is placed on the market or put into service, to demonstrate that it meets the applicable requirements. The route to conformity depends on the type of system, and the assessment is revisited where the system is substantially modified. Recording the classification decision and its reasoning for each system makes the conformity step — and any later audit — far more straightforward.
The TrustedAIGov Readiness tooling is built to support classification work aligned to the Regulation — helping your team capture each system's intended purpose, reach a tier decision, and keep the reasoning on record so it is ready for conformity assessment and review. It supports your team's judgement; it does not substitute for your own legal assessment.
Start from a clear view of every AI system in scope, then place each one in the right tier with its reasoning recorded.