Author: Rimsha Zafar
July 17, 2026

EU AI Act Risk Levels: What Every Business Must Know Before August 2026

Is your organisation prepared for the enforcement of the EU AI Act in August 2026? If your business develops, deploys, or even uses AI systems within the European Union, you need to understand how the EU AI Act risk levels classify your technology and what obligations come with each category.

 

The EU AI Act is the first comprehensive legal framework for artificial intelligence anywhere in the world. It entered into force on 1 August 2024 and takes a risk-based approach to regulation. Rather than applying blanket rules to every AI system, it assigns different compliance obligations based on the level of risk an AI system poses to health, safety, and fundamental rights. This structure means some AI systems face outright bans, while others require strict oversight, transparency disclosures, or no regulation at all.

 

This guide breaks down each EU AI Act risk level, the obligations attached to it, the enforcement timeline, and the penalties for non-compliance. Whether you sit in a compliance, legal, product, or leadership role, this article will help you identify where your AI systems fall and what action to take.

What Are EU AI Act Risk Levels?

The EU AI Act groups AI systems into four distinct risk categories based on how they affect people and society.

The Four-Tier Risk Framework

The European Commission designed a tiered system that applies stricter rules to AI systems with greater potential for harm. Each tier carries its own set of obligations. The four categories are unacceptable risk, high risk, limited risk (also called transparency risk), and minimal risk. This structure allows innovation to continue in low-risk areas while protecting citizens from dangerous or manipulative uses of AI.

Why a Risk-Based Approach?

A blanket regulation would either over-regulate harmless AI or under-regulate dangerous AI. The risk-based model balances innovation with protection. It lets businesses working with low-risk systems operate freely while holding high-risk providers to strict accountability standards. The European Parliament confirmed this approach as the most effective way to safeguard fundamental rights without stifling technological progress.

Who Does This Apply To?

The regulation applies to AI providers, deployers, importers, and distributors operating within the EU or offering AI outputs to EU-based users. Even organisations headquartered outside Europe must comply if their AI systems affect people within EU member states. Businesses already managing GDPR compliance should treat the AI Act as the next layer of regulatory responsibility.

Unacceptable Risk: AI Systems That Are Banned

AI systems classified as an unacceptable risk are completely prohibited under the EU AI Act. These bans took effect on 2 February 2025.

What Falls Under Unacceptable Risk?

The European Commission, through Article 5 of the AI Act, identifies eight categories of prohibited AI practices. These systems are considered a clear threat to fundamental rights, safety, and democratic values. They cannot be developed, deployed, or made available within the EU under any circumstances.

The Eight Prohibited Practices

  • Subliminal manipulation techniques that distort a person’s behaviour and cause harm
  • AI systems that exploit vulnerabilities based on age, disability, or socioeconomic status
  • Social scoring by public authorities that leads to unfavourable treatment of individuals
  • Predictive policing systems based solely on profiling or personality traits
  • Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases
  • Emotion recognition systems used in workplaces or educational institutions (except for medical or safety purposes)
  • Biometric categorisation systems that infer sensitive attributes such as race, political opinions, or sexual orientation
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions)

Limited Exceptions for Law Enforcement

Real-time remote biometric identification may be permitted in specific situations such as searching for missing children, preventing imminent terrorist threats, or locating suspects of serious criminal offences. These exceptions require prior judicial authorisation and strict necessity assessments.

High-Risk AI Systems: Strict Requirements

High-risk AI systems face the most detailed compliance requirements under the EU AI Act. Full obligations apply from 2 August 2026.

Two Pathways to High-Risk Classification

An AI system is classified as high risk through one of two routes. First, if it serves as a safety component of a product covered by existing EU harmonisation legislation, such as medical devices, toys, machinery, or vehicles, and requires third-party conformity assessment. Second, if it falls under one of the use cases listed in Annex III of the regulation.

Annex III Use Case Categories

Annex III of the AI Act identifies eight sensitive areas where AI deployment carries elevated risk. These areas are:

 

  • Biometrics, including remote biometric identification and categorisation
  • Critical infrastructure management and operation
  • Education and vocational training, such as AI-based learning outcome assessments
  • Employment, worker management, and access to self-employment
  • Access to essential private and public services, including creditworthiness assessments
  • Law enforcement, including evidence evaluation and crime analytics
  • Migration, asylum, and border control management
  • Administration of justice and democratic processes

Compliance Obligations for High-Risk Systems

Providers of high-risk AI systems must implement risk management systems, ensure training data quality, maintain technical documentation, enable logging and traceability, provide clear user information, and guarantee meaningful human oversight. These systems must also be registered in the EU database. Organisations already familiar with sensitive personal information requirements will recognise the data governance standards expected here.

Limited Risk: Transparency Obligations

Limited-risk AI systems carry fewer obligations but must meet specific transparency requirements under Article 50 of the EU AI Act.

What Counts as Limited Risk?

AI systems that interact directly with people or generate content fall into this category. The primary concern is that users might not realise they are engaging with AI or consuming AI-generated material. The regulation addresses this through mandatory disclosure obligations.

Key Transparency Rules

Providers must inform users when they interact with an AI system, such as a chatbot. AI-generated or manipulated content, including deepfakes, must be clearly labelled as artificially produced. Text published to inform the public on matters of public interest must also carry disclosure labels if it was generated by AI.

Deepfakes and Synthetic Media

The regulation places particular emphasis on deepfakes. Any image, audio, or video file that has been generated or substantially modified by AI must carry visible labelling. This supports broader efforts to combat misinformation and protect user consent in digital interactions. These transparency rules apply from 2 August 2026.

Minimal Risk: Voluntary Compliance

The majority of AI systems available today fall into the minimal risk category and face no mandatory obligations under the EU AI Act.

Examples of Minimal-Risk AI

Spam filters, AI-enabled video games, inventory management systems, and recommendation engines are typical examples. These systems do not pose meaningful threats to fundamental rights or safety. The regulation intentionally leaves them unregulated to encourage innovation across the EU market.

Voluntary Codes of Conduct

Although no legal obligations apply, the EU AI Act encourages providers of minimal-risk systems to adopt voluntary codes of conduct. These codes may cover aspects like transparency, fairness, and accountability. Adopting such standards can build stakeholder trust and position organisations favourably ahead of any future regulatory changes.

Why Minimal Risk Still Matters

Even though minimal-risk AI systems are exempt from regulation, businesses should still document their AI practices. Regulatory landscapes shift quickly, and demonstrating proactive governance builds credibility with customers, investors, and partners. Tools like the best consent management platforms can help organisations maintain transparency across all digital operations, including AI-driven ones.

General-Purpose AI (GPAI) Models: A Separate Layer of Obligations

The EU AI Act introduces distinct rules for general-purpose AI models, which became applicable on 2 August 2025.

What Are GPAI Models?

General-purpose AI models can perform a wide range of tasks and serve as the foundation for many downstream AI systems. Large language models like GPT-4 are prominent examples. Because these models can be integrated into applications across multiple risk categories, the regulation applies obligations at the model level rather than the application level.

Standard GPAI Obligations

All GPAI providers must supply technical documentation, comply with EU copyright law regarding training data, and publish a sufficiently detailed summary of the content used to train their models. These requirements promote transparency and allow downstream deployers to assess how the models were built.

Systemic Risk Models

GPAI models that exceed a computational threshold of 10^25 FLOPs, or that the European Commission designates as particularly impactful, are classified as carrying systemic risk. These models face additional obligations, including adversarial testing, model evaluation, incident reporting to the AI Office, and adequate cybersecurity protections. The EU Code of Practice for GPAI Models, published in July 2025, provides a voluntary compliance pathway for meeting these requirements.

EU AI Act Compliance Timeline: Key Dates

The regulation follows a phased enforcement approach, giving organisations time to prepare for each set of requirements.

Already in Effect

Since 2 February 2025, all prohibited AI practices under Article 5 have been enforced. AI literacy obligations also became applicable on this date. Organisations should have already audited their AI systems to confirm none fall into the unacceptable risk category.

August 2025 Milestones

From 2 August 2025, governance rules and obligations for GPAI model providers took effect. Providers of GPAI models placed on the market after this date must comply with documentation, copyright, and transparency requirements.

August 2026: Full Enforcement

The majority of the AI Act’s rules come into force on 2 August 2026. This includes all obligations for high-risk AI systems listed in Annex III, transparency requirements under Article 50, and the Commission’s enforcement powers, including fines. Any organisation that deploys or provides AI within the EU should treat this as the hard deadline for compliance. 

Penalties for Non-Compliance

The EU AI Act imposes significant financial penalties for organisations that fail to meet their obligations under each risk level.

Fine Structure

Violations related to prohibited AI practices carry the highest fines: up to 35 million euros or 7% of global annual turnover, whichever is greater. Non-compliance with high-risk system obligations can result in fines of up to 15 million euros or 3% of global turnover. Providing incorrect or misleading information to authorities may attract penalties of up to 7.5 million euros or 1% of turnover.

Enforcement Mechanisms

Each EU member state will designate national competent authorities to supervise and enforce the AI Act. The European AI Office, established within the Commission, will oversee compliance for GPAI models directly. Enforcement powers include requesting information, ordering evaluations, requiring risk mitigation measures, and restricting market access for non-compliant systems.

Proportionality for SMEs

The regulation includes provisions to ensure penalties remain proportionate for small and medium-sized enterprises and start-ups. However, this does not exempt smaller organisations from compliance. Businesses of all sizes should invest in cookie consent solutions for enterprise and AI governance frameworks to manage regulatory obligations effectively.

How to Assess Your AI System's Risk Level

Organisations should follow a structured approach to determine where their AI systems fall within the risk classification framework.

Step 1: Identify Your AI Systems

Start by cataloguing every AI system your organisation develops, deploys, or integrates. Include third-party AI tools used internally. Many businesses use AI without formal documentation, which creates blind spots during regulatory audits.

Step 2: Check Against Prohibited Practices

Review each system against the eight prohibited practices in Article 5. If any system uses subliminal manipulation, social scoring, emotion recognition in prohibited contexts, or untargeted biometric scraping, it must be decommissioned immediately.

Step 3: Evaluate High-Risk Classification

Determine whether any system falls under Annex III use cases or serves as a safety component in products covered by EU harmonisation legislation. If so, prepare for full high-risk compliance, including risk management systems, data governance, technical documentation, and human oversight measures.

Step 4: Apply Transparency and Minimal Risk Labels

For systems that interact with users or generate content, apply transparency obligations. Everything else falls under minimal risk. Even for minimal-risk systems, consider adopting voluntary codes of conduct to demonstrate responsible AI governance. Tools like a Cookie Consent Management Platform can help centralise consent and transparency management.

Final Thoughts

The EU AI Act risk levels create a clear and enforceable framework for AI governance across Europe. Every organisation using AI must identify where its systems sit within the four-tier classification. With prohibited practices already enforced and high-risk obligations taking full effect in August 2026, the window for preparation is closing. Compliance is not just about avoiding fines. It is about building trust, protecting rights, and operating responsibly in an AI-driven economy.

Prepare for the AI Act with Seers AI

Seers helps organisations manage consent, transparency, and compliance obligations across privacy and AI regulations. Get your systems audit-ready before the August 2026 enforcement deadline.

START FREE TODAY

Frequently Asked Questions (FAQs)

What are the four EU AI Act risk levels?

The EU AI Act classifies AI systems into four risk categories: unacceptable risk, high risk, limited risk (transparency risk), and minimal risk. Each category carries different compliance obligations, ranging from complete prohibition to voluntary codes of conduct. The classification is based on how much potential harm an AI system poses to fundamental rights, safety, and democratic values within the European Union.

Which AI systems are banned under the EU AI Act?

AI systems that use subliminal manipulation, exploit vulnerable groups, enable social scoring, deploy untargeted facial recognition scraping, use emotion recognition in workplaces or schools, or perform real-time biometric identification in public spaces are prohibited. These bans took effect on 2 February 2025. Limited exceptions exist for law enforcement under strict judicial oversight and necessity assessments as defined by the European Commission.

How does Annex III classify high-risk AI systems?

Annex III identifies eight sensitive areas where AI use carries elevated risk: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and democratic processes. AI systems used in these areas must meet strict compliance requirements, including risk management, data quality controls, technical documentation, human oversight, and registration in the EU database. The list is reviewed annually.

When does the EU AI Act become fully enforceable?

The regulation follows a phased approach. Prohibited practices became enforceable from 2 February 2025. GPAI model obligations apply from 2 August 2025. The majority of rules, including high-risk system obligations and transparency requirements, come into full effect on 2 August 2026. Providers of GPAI models placed on the market before August 2025 have until August 2027 to comply.

What penalties does the EU AI Act impose for non-compliance?

Penalties vary by violation type. Prohibited practice breaches attract fines up to 35 million euros or 7% of global annual turnover. High-risk non-compliance can result in fines up to 15 million euros or 3% of turnover. Providing misleading information carries penalties of up to 7.5 million euros or 1% of turnover. National authorities and the European AI Office share enforcement responsibilities.

Do minimal-risk AI systems need to comply with the EU AI Act?

Minimal-risk AI systems such as spam filters and recommendation engines face no mandatory obligations under the EU AI Act. However, the regulation encourages providers to adopt voluntary codes of conduct covering transparency, fairness, and accountability. Proactive governance is recommended because regulatory frameworks evolve, and demonstrating responsible AI practices strengthens stakeholder trust and market positioning.

What transparency obligations apply to chatbots and deepfakes?

Under Article 50, providers must inform users when they interact with an AI system such as a chatbot. AI-generated or manipulated content, including deepfakes, must be clearly labelled as artificially produced. Text published to inform the public must also carry AI disclosure labels. These transparency requirements apply from 2 August 2026 and support trust in digital interactions.

How do GPAI model obligations differ from high-risk AI obligations?

GPAI obligations apply at the model level, not the application level. All GPAI providers must supply technical documentation, comply with copyright law, and publish training data summaries. Models exceeding 10^25 FLOPs face additional requirements, including adversarial testing and incident reporting. High-risk obligations apply to specific use-case deployments and cover risk management, data quality, and human oversight.

Does the EU AI Act apply to businesses outside Europe?

The regulation applies to any organisation whose AI systems affect people within the European Union, regardless of where the business is headquartered. This includes AI providers, deployers, importers, and distributors operating in the EU market. Businesses outside Europe that offer AI-powered services or products to EU users must comply with the applicable risk-level obligations.

How should organisations start preparing for EU AI Act compliance?

Begin by cataloguing all AI systems your organisation develops, deploys, or integrates. Check each system against prohibited practices listed in Article 5. Evaluate whether any systems fall under Annex III high-risk categories. Apply transparency obligations where needed and document governance practices even for minimal-risk systems. Establish internal accountability structures and allocate resources for ongoing compliance.

What role does the European AI Office play in enforcement?

The European AI Office, established within the European Commission, oversees compliance for general-purpose AI models directly. It has the power to request information, order model evaluations, require risk mitigation measures, and impose fines of up to 3% of global turnover. National competent authorities handle enforcement for other AI system categories within their respective member states.

Can high-risk AI systems still operate in the EU?

High-risk AI systems are permitted but must meet strict compliance requirements before market placement and throughout their lifecycle. Providers must implement risk management systems, ensure data governance, maintain technical documentation, enable traceability, and guarantee human oversight. Systems must be registered in the EU database. Ongoing monitoring and conformity assessments are mandatory to maintain market access.

 

Rimsha Zafar

Rimsha is a Senior Content Writer at Seers AI with over 5 years of experience in advanced technologies and AI-driven tools. Her expertise as a research analyst shapes clear, thoughtful insights into responsible data use, trust, and future-facing technologies.

ORCIDResearchGateGoogle ScholarLinkedIn 

Unlock Accurate Insights with Google Consent Mode v2

Is Your Website at Risk of Losing Conversions?


Take our Free Cookie Audit and find out

Ready to Build Trust and Drive Business Growth?

Join 50,000+ websites using Seers.Ai to turn compliance into trust, insights, & measurable business growth.