AI Act
Understanding the EU AI Act Risk Classification
A practical guide to the four-tier risk classification system in the EU AI Act, with concrete examples for legal technology applications.
The European Union's Artificial Intelligence Act (Regulation (EU) 2024/1689) introduces the world's first comprehensive legal framework for AI systems. At its core is a risk-based classification system that determines the regulatory obligations for any AI system deployed within the EU market.
For legal technology companies, understanding this framework is not optional -- it directly affects how products are designed, documented, and deployed. Whether you are building contract analysis tools, predictive litigation models, or regulatory compliance engines, your system falls somewhere on this risk spectrum.
Warning
This article provides regulatory analysis for educational purposes. It does not constitute legal advice, legal counsel, or a legal opinion. Organisations should engage qualified legal professionals to assess their specific compliance obligations under the AI Act.
Risk Classification Tiers
The AI Act establishes four tiers of risk, each carrying progressively stricter obligations. The classification is determined primarily by the intended purpose of the AI system and the context of its deployment, not by the underlying technology.
Unacceptable Risk (Prohibited)
Article 5 of the AI Act identifies AI practices that are outright prohibited due to their potential for harm. These include:
- Social scoring systems by public authorities
- Real-time remote biometric identification in public spaces (with narrow exceptions for law enforcement)
- AI systems that exploit vulnerabilities of specific groups (age, disability, social situation)
- Emotion recognition in workplace and educational settings
- Untargeted scraping of facial images from the internet or CCTV for facial recognition databases
For legal technology, this tier is largely irrelevant -- but it establishes the regulatory ceiling and signals the EU's stance on fundamental rights protection.
High Risk
This is the tier most relevant to legal technology applications. Article 6 and Annex III define high-risk AI systems, which include those used in:
- Administration of justice and democratic processes -- systems intended to assist judicial authorities in researching and interpreting facts and the law
- Access to essential private services -- including creditworthiness assessment and risk pricing
- Employment and worker management -- recruitment, promotion, and termination decisions
- Law enforcement -- evidence reliability assessment, crime analytics, profiling
Note
A contract analysis tool that merely extracts clause types is likely not high-risk. However, a system that recommends legal strategies or predicts case outcomes to assist judicial decision-making would almost certainly qualify as high-risk under Annex III, point 8.
High-risk systems must comply with requirements in Chapter III, Section 2, including:
- Risk management system (Article 9) -- continuous, iterative process throughout the system lifecycle
- Data governance (Article 10) -- training data quality, relevance, and bias examination
- Technical documentation (Article 11) -- detailed system description before market placement
- Record-keeping (Article 12) -- automatic logging of system operations
- Transparency (Article 13) -- clear instructions for deployers
- Human oversight (Article 14) -- measures enabling human intervention
- Accuracy, robustness, cybersecurity (Article 15) -- appropriate performance levels
Here is an example of how a compliance check might be structured in code:
```python
from enum import Enum
from dataclasses import dataclass


class RiskTier(Enum):
    """The four AI Act risk tiers."""
    UNACCEPTABLE = "prohibited"
    HIGH = "high_risk"
    LIMITED = "limited_risk"
    MINIMAL = "minimal_risk"


@dataclass
class AISystemAssessment:
    system_name: str
    intended_purpose: str
    annex_iii_category: str | None  # None when no Annex III category applies
    risk_tier: RiskTier

    def requires_conformity_assessment(self) -> bool:
        # Only high-risk systems go through conformity assessment.
        return self.risk_tier == RiskTier.HIGH

    def requires_transparency_notice(self) -> bool:
        # Transparency duties cover high-risk (Article 13) and limited-risk (Article 50) systems.
        return self.risk_tier in (RiskTier.HIGH, RiskTier.LIMITED)
```
Limited Risk
Systems with specific transparency obligations under Article 50. These include:
- Chatbots and conversational AI -- must disclose that the user is interacting with an AI system
- Deepfake generators -- content must be labelled as artificially generated
- Emotion recognition systems (where not prohibited) -- must inform natural persons of their operation
- AI-generated text published to inform the public on matters of public interest -- must be labelled
Tip
If your legal tech product includes a chatbot interface for client intake or document queries, you are likely in the limited-risk category at minimum. The simplest compliance path: display a clear notice that the user is interacting with an AI system, not a human legal professional.
Minimal Risk
The vast majority of AI systems fall here. These systems have no specific regulatory obligations under the AI Act, though providers are encouraged to voluntarily adopt codes of conduct (Article 95).
Examples in legal technology:
- Spam filters on legal email systems
- Document formatting and template tools
- Basic keyword search across legal databases
- Calendar and scheduling optimisation
Compliance Timeline
The AI Act entered into force on 1 August 2024, with a phased implementation schedule:
| Milestone | Date | Scope |
|---|---|---|
| Prohibited practices ban | 2 February 2025 | Article 5 prohibitions take effect |
| GPAI model obligations | 2 August 2025 | General-purpose AI model rules apply |
| High-risk obligations (Annex III) | 2 August 2026 | Full compliance required for high-risk systems |
| High-risk obligations (Annex I) | 2 August 2027 | Existing regulated product categories |
Important
The 2 August 2026 deadline for high-risk AI systems in Annex III categories is the most significant for legal technology providers. Systems already on the market must be brought into compliance or withdrawn. New systems must achieve conformity assessment before deployment.
"The AI Act is not about banning innovation. It is about ensuring that innovation respects fundamental rights and operates within a framework of trust." -- European Commission, AI Act Impact Assessment
Practical Implications for Legal Intelligence
For organisations building or deploying legal intelligence tools, the risk classification has three immediate consequences:
- Product architecture decisions -- high-risk classification requires logging, human oversight mechanisms, and bias testing to be designed in from the start, not bolted on afterwards
- Documentation burden -- technical documentation under Article 11 is extensive and must be maintained throughout the system lifecycle
- Market access -- non-compliant high-risk systems cannot be legally placed on the EU market after the relevant deadline
Key Takeaways
- The AI Act uses a four-tier risk classification: unacceptable, high, limited, and minimal
- Legal technology tools that assist in judicial decision-making or legal strategy are likely high-risk under Annex III
- High-risk systems face seven mandatory requirements including risk management, data governance, and human oversight
- The key compliance deadline for most legal tech is 2 August 2026
- Transparency obligations apply even to limited-risk systems like legal chatbots
- Start compliance preparation now -- retrofitting is significantly more expensive than building compliant by design