Lesson 2 of 5 · The EU AI Act for Non-Lawyers
The four risk tiers, in detail
Prohibited. High-risk. Limited-risk. Minimal-risk. The whole architecture of the Act turns on which tier your system sits in. We will place a dozen real systems on the map together.
By the end of this lesson, you will:
- Know each of the four risk tiers and what the Act prohibits, permits with obligations, or leaves alone in each.
- Be familiar with the eight prohibited practices and the seven Annex III high-risk areas.
- Be able to place a real AI system in its risk tier and defend the placement to a colleague.
Tier 1 — Unacceptable risk (prohibited)
The Act outright prohibits a small number of AI practices. The prohibitions took effect on 2 February 2025 and are the part of the Act that is already in full force. There are eight categories. Read them carefully — the wording is narrow on purpose, and the practical implications vary.
1. Subliminal or manipulative techniques. AI that uses subliminal or manipulative techniques beyond a person's awareness to materially distort their behaviour in a way that causes (or is reasonably likely to cause) significant harm.
2. Exploiting vulnerabilities. AI that exploits vulnerabilities of a person or group due to age, disability, or socio-economic situation to materially distort behaviour and cause significant harm.
3. Social scoring. AI used by public authorities (and, in some readings, by certain private actors) to evaluate or classify people based on social behaviour or personal characteristics, where the score leads to detrimental treatment unrelated to the original context.
4. Risk assessment for criminal offences. AI used to assess the risk that a natural person will commit a criminal offence, based solely on profiling or personality traits. Police "predictive policing" tools that rely on personal profiling are caught here. Note the carve-out: AI used to support a human assessment that has its own objective basis is permitted.
5. Untargeted scraping for facial recognition databases. The mass scraping of facial images from the internet or CCTV to build or expand facial recognition databases.
6. Emotion recognition in workplaces and education. Inferring emotions of a person in a workplace or educational institution, except where strictly for medical or safety reasons.
7. Biometric categorisation by sensitive attributes. Classifying people into categories of race, political opinion, trade-union membership, religion, sexual orientation, or similar protected attributes based on biometric data.
8. Real-time remote biometric identification in publicly accessible spaces for law enforcement. With narrow exceptions for serious crimes (terrorism, kidnapping, victim search) subject to judicial authorisation.
If your system does any of these things, the question is not "what obligations apply?" — it is "do not do it." The penalties for prohibited practices are the highest in the Act: up to €35 million or 7% of global turnover, whichever is higher.
Tier 2 — High risk
This is where most of the substantive obligations of the Act apply. There are two routes into the high-risk tier.
Route A — AI as a safety component of a product covered by existing EU product-safety law. If your AI is a safety component of a medical device, a toy, a vehicle, a piece of industrial machinery, or anything else listed in Annex I of the Act, you are in the high-risk tier. The Act layers on top of the existing product-safety regime for those products.
Route B — AI used in one of seven specific high-impact domains listed in Annex III. This is the route most "pure-software" AI systems take into the high-risk tier. The seven domains are:
- Biometrics — remote biometric identification, biometric categorisation, emotion recognition (in contexts not already prohibited).
- Critical infrastructure — AI used as a safety component in the management or operation of road, rail, air, water, gas, electricity, and digital infrastructure.
- Education and vocational training — AI for admissions, evaluating learning outcomes, assessing the level of education an individual should receive, monitoring during tests.
- Employment, workers' management, and access to self-employment — AI used in recruitment (especially CV screening, interview ranking), in decisions about promotion or termination, in monitoring workers' performance.
- Access to essential public and private services — public benefits assessments, credit scoring (with narrow exceptions for fraud detection), insurance pricing and eligibility for life and health insurance, emergency call routing and prioritisation.
- Law enforcement — risk assessments, polygraphs (and similar), evaluating the reliability of evidence, profiling.
- Migration, asylum, and border control — risk assessment for security or health risks, examining applications, identity verification.
- Administration of justice and democratic processes — AI used to assist judicial authorities in researching and interpreting facts and law, or AI intended to influence voters in elections.
If your system sits in any of these seven domains, it is, by default, high-risk. There is one important carve-out: a system in an Annex III domain can be deemed not high-risk if it does not pose a significant risk of harm to the health, safety, or fundamental rights of natural persons — for example, because it performs only narrow procedural tasks, improves the output of a completed human activity, or detects deviations from prior patterns without replacing human assessment. The provider has to assess this and document it; the assessment is not a free pass. We come back to it in Lesson 3.
Penalties for non-compliance with high-risk obligations: up to €15 million or 3% of global turnover, whichever is higher.
Aside · The most common Annex III categories you will encounter
If you work in B2B software, the categories that come up most often are employment (HR tech, ATS, performance-management AI), access to services (credit-scoring, insurance underwriting), and education (e-learning grading and proctoring). If you work in B2G, expect law enforcement, migration, and justice to dominate. The biometrics category is much narrower than most people assume — most consumer biometric authentication (Face ID on your phone, the fingerprint reader on your laptop) is not in scope because it is one-to-one verification, not one-to-many identification.
Tier 3 — Limited risk (transparency obligations)
The third tier is much lighter. The Act imposes transparency duties on three kinds of AI system regardless of risk tier:
Chatbots and AI systems that interact with people. Must clearly inform the user that they are interacting with an AI system, unless this is obvious from the context. (You do not need a banner on Siri to say it is an AI.)
Synthetic content (deepfakes and AI-generated text on matters of public interest). Must be labelled as AI-generated in a machine-readable format. There are carve-outs for art, satire, and creative work — but the labelling default is "yes, label it."
Emotion recognition and biometric categorisation (where permitted). Must inform the individuals concerned.
Penalties for transparency breaches: up to €7.5 million or 1% of global turnover, whichever is higher.
Tier 4 — Minimal risk
Everything else. The Act explicitly says it does not regulate this tier, and encourages voluntary codes of conduct. Most consumer AI applications — recommendation algorithms on shopping sites, spam filters, AI-enabled creative tools, in-game NPCs, search ranking — sit here. The Act does not stop you doing anything in this tier; it just leaves you alone.
One note: if a minimal-risk system also processes personal data, the GDPR still applies, even though the AI Act does not. The two laws sit on top of each other in many real systems.
Twelve real systems on the map
To make this practical, here is how a dozen common systems map onto the four tiers. Try to predict the tier before reading the answer.
Worked examples
1. A general-purpose chatbot on a consumer website → Limited risk (transparency: must disclose AI).
2. A CV-screening tool used by a recruitment agency → High risk (Annex III: employment).
3. A spam filter on company email → Minimal risk.
4. A face-recognition system at an airport border for ID verification → High risk (Annex III: migration / biometrics) — and depending on use, may approach the prohibited line. Check carefully.
5. A predictive-policing tool using personal profiling → Prohibited.
6. A credit-scoring model for retail consumer loans → High risk (Annex III: access to services).
7. A fraud-detection model on credit card transactions → Minimal risk in most cases (explicit carve-out from the credit-scoring high-risk category for fraud-detection use).
8. A recommendation algorithm on a video streaming platform → Minimal risk.
9. An AI co-pilot helping doctors interpret X-rays → High risk (Annex I: medical device under MDR).
10. An emotion-recognition system in a call centre to monitor employees → Prohibited (workplace emotion recognition).
11. An AI proctoring system that monitors students during online exams → High risk (Annex III: education).
12. Stable Diffusion deployed as a self-hosted image generator → The model is a GPAI model (Lesson 5); the deployed system is limited-risk if exposed to consumers (transparency on AI-generated content).
Notice three things from these examples. First, the same technology (face recognition) appears in both the prohibited and high-risk tiers depending on use. Second, "fraud detection" carves out an otherwise-high-risk category. Third, deepfake and image-generation tools are in the transparency tier as deployed systems, but the foundation model under them is governed separately as a GPAI model. This is the kind of mapping you will be doing repeatedly in your work.
Exercise — Tier your own systems (20 minutes)
- List three AI systems you use, build, or are responsible for at work. Be specific about the use — "we use AI to do X for Y" — not the technology.
- For each:
  - Is the system caught by one of the eight prohibited practices? If yes, you have an immediate compliance issue.
  - Does the system fall under an Annex I product-safety regime, or Annex III's seven domains? If yes, it is high-risk by default. Apply the carve-out test — does it pose a significant risk of harm to health, safety, or fundamental rights?
  - If neither: does it involve interaction with people, synthetic content, emotion recognition, or biometric categorisation? If yes, you are in the limited-risk tier with transparency duties.
  - If none of the above: minimal risk, no AI Act obligations (but check GDPR separately).
- For one of the three, write a one-paragraph defence of your placement. Imagine a sceptical colleague reading it.
Self-check
- Name three of the eight prohibited practices.
- What are the seven Annex III domains? Try without checking the list above.
- When is a system in an Annex III domain not high-risk?
- What does the transparency tier require, in two sentences?
Looking ahead
Lessons 3 and 4 are about the obligations themselves. Lesson 3 covers what providers of high-risk AI systems must do. Lesson 4 covers what deployers of those systems must do. If your system from this lesson sits in the high-risk tier, the next two lessons are about the practical work of being compliant.