The AI Act does not treat all artificial intelligence systems the same way. Regulation (EU) 2024/1689 sets out four levels of risk, each carrying different obligations. Understanding these categories helps to place a given use.
Unacceptable risk: the prohibited practices
Some uses are considered a clear threat to people's rights and safety and are therefore banned. The AI Act prohibits eight practices, among them harmful manipulation or deception, exploitation of vulnerabilities, social scoring, assessing or predicting the risk that a person will commit an offence solely on the basis of profiling, building facial-recognition databases through untargeted scraping of images, emotion recognition in the workplace and in education, biometric categorisation revealing sensitive characteristics, and real-time remote biometric identification in public spaces for law-enforcement purposes (with narrowly framed exceptions). These prohibitions have applied since February 2025.
High risk: allowed but strictly regulated
Systems that can seriously affect health, safety or fundamental rights are classified as high-risk. Examples include AI in critical infrastructure, education, employment (CV screening), access to essential services (such as credit scoring), biometrics, law enforcement, migration and asylum, or the administration of justice. These systems must meet strict requirements: risk management, data quality, traceability, documentation, information to deployers, human oversight and robustness.
Limited risk: transparency
Other systems mainly raise a transparency issue. Users must, for instance, be aware that they are interacting with a chatbot, and AI-generated content must be identifiable.
Minimal risk: the vast majority
Most AI systems used today (spam filters, AI in video games) fall under minimal risk and are subject to no new obligations; adherence to voluntary codes of conduct is encouraged.
Conformity and oversight
Before being placed on the market, high-risk systems must undergo a conformity assessment and, for some of them, be registered in an EU database. They are then monitored throughout their lifecycle: providers run post-market monitoring and report serious incidents, deployers ensure human oversight, and authorities carry out market surveillance. Individuals can lodge a complaint with the designated national authority.
Note that the same solution can move from one category to another depending on its use. Providers and deployers should therefore assess the classification of each system against the text and official guidance.