Transparency rules in2 Aug 2026
Library / Guide

The four risk tiers, explained

The Act does not treat AI as one thing. It sorts uses into four tiers by the risk they pose, and attaches duties accordingly. Knowing the tiers is the fastest way to understand your obligations.

Risk is about the use, not the tool

The Act does not score tools; it scores uses. The same product can sit in two different tiers at once, depending on the job you give it. A general assistant that drafts your internal emails is minimal-risk. The same assistant, pointed at ranking job applicants, is a high-risk use. Nothing about the software changed, only what you did with it.

This is why an inventory of your AI has to record what each tool is for, not simply that you have it. A list of logos tells you nothing about your obligations; a list of uses tells you almost everything. If you use one tool in two materially different ways, treat that as two entries, because each is judged on its own terms.

Prohibited: the hard no

The top tier is a short list of uses banned outright under Article 5, regardless of any safeguards you might add. They include social scoring, scraping faces in bulk to build recognition databases, emotion recognition in the workplace and in schools, and certain manipulative or exploitative systems.

There is no compliance path here; the answer is simply do not do it. Most ordinary businesses never come near these, but it is worth a quick check that nothing you run, especially anything that reads emotion or infers sensitive traits about people, has drifted over the line.

High-risk: the heavy tier

The high-risk tier is the Annex III list: recruitment and worker management, creditworthiness and credit scoring, access to essential public and private services, certain biometric uses, education, and more. These uses can materially affect people's lives, so they carry the bulk of the Act's duties.

For a deployer that means human oversight, a risk management process, record-keeping, attention to the input data you control, transparency to the people affected, and documentation you could show an auditor. If any of your AI lands here, this is where most of your compliance work will be, and the core obligations apply from 2 December 2027 (postponed from 2 August 2026 by the 2026 Digital Omnibus).

Limited-risk: be transparent

The limited-risk tier is about openness rather than heavy control. It covers AI that interacts with people, like chatbots and voice assistants, and AI that generates or manipulates content, like synthetic images, audio, or text. The duty, under Article 50, is to make sure people are not misled.

In practice that means telling people when they are dealing with AI rather than a human, and labelling AI-generated content where required. For most businesses it is a light obligation: a clear notice on a chatbot and a consistent labelling habit.

Minimal-risk: most of what you do

Everything not caught by the tiers above is minimal-risk, and that is the vast majority of business AI use. Spam filters, most productivity assistants, analytics, and the like all sit here.

There is no specific obligation beyond AI literacy under Article 4 and ordinary good sense. You do not file or register anything. The job is simply to use these tools knowingly: aware of their limits, with a person checking any output that matters.

How to find your own tier

Work through it use by use. For each tool in your inventory, ask plainly what you do with it, then place that use in a tier. Most will land in minimal-risk, a few in limited-risk, and the ones to slow down on are anything touching recruitment, credit, insurance, or decisions about individuals.

When a use looks like it could be high-risk, treat it as high-risk until you have confirmed otherwise, and get those reviewed rather than guessed. Veillo runs this classification for each system in your register and flags the high-risk ones for a person to confirm.

Placeholder

This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.

Put it into practice

Classify your AI systems against the Act and generate the documents this guide describes.

A note on cookies

We use strictly necessary cookies to run the site and keep it secure. With your OK, we also use privacy-respecting, EU-hosted analytics to see how Veillo is used. No advertising, no third-party trackers. Read our cookie policy.