EU AI Act Risk Classification: Which Category Does Your AI Tool Fall Into?
AI, Compliance, SME
"Does the EU AI Act apply to my AI tools?" That question is coming up more and more from SMB owners. The short answer: probably yes, but that is not as alarming as it sounds. The AI Act works with four risk categories, and most tools you use daily fall into the lightest ones. No need to panic. But you do need to know where you stand.
This article walks through the four risk tiers, shows where common SMB tools land, and explains what each category means in practice.
How the AI Act classifies risk
The EU AI Act uses a pyramid model. The greater the risk an AI system poses to people's rights and safety, the heavier the obligations. There are four levels, from top to bottom:
- Unacceptable risk - banned
- High risk - strictly regulated
- Limited risk - transparency obligations
- Minimal risk - no additional obligations
That structure is intentional. Lawmakers did not want to slow down innovation: the vast majority of AI applications fall into the bottom two categories and can be used freely. The stricter rules target systems that directly affect people's lives.
For broader context, read our overview of EU AI Act obligations for SMBs.
Unacceptable risk: banned AI practices
This is the top tier. AI systems that fall here are outright banned in the EU. Enforcement has been active since February 2, 2025.
What falls under this category:
- Social scoring systems that evaluate people based on personal behavior
- Real-time biometric identification in public spaces
- AI that recognizes emotions in workplaces or educational settings
- Manipulative AI that influences behavior through subliminal techniques
- AI that targets vulnerable groups for harmful influence
What this means for your SMB: almost certainly nothing. SMBs do not build these systems and typically do not use them either. Still, it is worth checking your tool stack. Some HR and marketing platforms have added features that sit uncomfortably close to this boundary. We covered this in detail in our article on banned AI practices and enforcement.
High risk: strictly regulated
This is where things get concrete for some SMBs. High-risk AI systems are not banned, but they must meet strict requirements that become enforceable in August 2026.
What falls under this category:
- AI in recruitment and hiring (CV screening, candidate ranking)
- AI for credit scoring and financial decision-making
- AI in safety-critical systems (medical devices, infrastructure)
- AI that makes decisions about access to education
- AI for law enforcement and migration management
SMB examples to watch for:
- Recruitment AI. Do you use a platform that automatically filters CVs or ranks candidates? That is likely high risk. Tools like HireVue, Pymetrics, or similar screening AI fall here.
- Credit scoring. If you offer financial services and use AI to assess creditworthiness, that is high risk.
- HR decision-making. AI that evaluates employees for promotions, termination decisions, or performance reviews may qualify as high risk, depending on the impact on the individual.
What you need to arrange for high risk:
- Conduct and maintain a risk assessment
- Prepare technical documentation
- Set up human oversight (a person must be able to intervene in decisions)
- Register the system in the EU AI database
- Monitor regularly to confirm the system functions correctly
That looks like a long list, but it is manageable if you approach it step by step. Start with an AI inventory so you know exactly which tools you have and how they are used.
Limited risk: transparency obligations
This is where most SMBs land. Limited-risk AI systems can be used freely, as long as you are transparent about their use.
What falls under this category:
- Chatbots and virtual assistants
- AI writing assistants (ChatGPT, Copilot, Jasper, Claude)
- AI content generation (text, images, video)
- AI translation tools
- AI-powered customer service
The core obligation: transparency. People need to know they are dealing with AI. In practice:
- Tell customers when they are talking to a chatbot instead of a human
- Label AI-generated content when it could be mistaken for human-produced material
- Be open with employees about which AI tools are part of your workflows
SMB examples:
| Tool | Category | What you need to do |
|------|----------|-------------------|
| ChatGPT / Copilot for internal writing | Limited risk | Inform employees, label externally shared AI content |
| Customer service chatbot on your website | Limited risk | Make clear it is a bot, not a human |
| AI translation tool for client communication | Limited risk | Note on critical documents that translation is AI-assisted |
| AI image generation for marketing | Limited risk | Label images as AI-generated when covering sensitive topics |
This is not a heavy compliance burden. It mostly requires awareness and a few adjustments to how you communicate.
Minimal risk: no additional obligations
The broadest category. Minimal-risk AI systems can be used without any extra requirements.
What falls under this category:
- Spam filters
- Recommendation algorithms (Netflix-style suggestions)
- AI-powered search engines
- Automatic spell checking
- Smart calendar assistants
- AI in video games
What you need to do: nothing extra. These tools fall outside the AI Act's obligations. You can keep using them as you always have.
Where do your tools land? A quick test
Run your commonly used AI tools through these three questions:
1. Does the tool make decisions that directly affect people's rights or opportunities? Think recruitment, credit, legal decisions. If yes, likely high risk.
2. Does the tool communicate directly with people, or generate content that could be mistaken for human-produced? Think chatbots, writing assistants, content generation. If yes, likely limited risk.
3. Does the tool do neither of the above? Spam filters, autocomplete, smart search results. Likely minimal risk.
This is a rule of thumb, not legal advice. But it gives you a workable starting point.
Why classification is step one
Many SMBs want to jump straight to: "What do I need to do?" Fair question. But without knowing which tools you have and where they fall, that is hard to answer. Classification comes first.
A good AI inventory includes, for each tool:
- Name and vendor
- What you use it for
- What data it processes
- Which risk category it falls into
- Which obligations come with that category
Get that inventory in order, and you will know exactly where you need to take action and where you can relax. Our article on building an AI inventory walks you through this step by step.
How ComplianceHive helps
ComplianceHive gives you a central place to register, classify, and monitor your AI tools. You can record the risk category per tool, track the obligations that come with it, and assign responsibilities to team members. Everything in one place, audit-ready.
- Maintain your AI inventory with risk category per tool
- Document and follow up on transparency obligations
- Track vendor compliance through vendor management
- Build evidence for regulators and customers
The AI Act does not have to be a headache. With the right structure, it is just a matter of keeping track.
This article is for general information and does not constitute legal advice. For legal interpretation, consult qualified counsel.