EU AI Act Risk Classification Checklist
Last reviewed: 2026-06-23
Four Practical Risk Buckets
| Risk bucket | What it generally means | First evidence to check |
|---|---|---|
| Unacceptable risk | Uses that may be prohibited. | Manipulation, exploitation, social scoring, certain biometric uses. |
| High-risk | Sensitive uses that may affect health, safety, or fundamental rights. | Employment, education, essential services, law enforcement, migration, safety components. |
| Transparency risk | Users may need to know AI or synthetic content is involved. | Chatbots, deepfakes, synthetic media, user-facing AI output. |
| Limited or minimal risk | Lower-impact uses may still need governance and privacy evidence. | Internal productivity, drafting assistants, low-impact content support. |
Risk Classification Questions
| Question | Why it matters | Evidence to collect |
|---|---|---|
| What is the intended purpose? | Risk is use-case driven. | Product spec, user flow, internal policy. |
| Who is affected by the output? | Impact on individuals changes scrutiny. | User group and workflow map. |
| Does output influence jobs, education, credit, public services, or essential benefits? | These can be high-risk signals. | Decision owner, escalation path, human review. |
| Does the system rank, score, recommend, or decide? | Output function matters. | Output examples, decision criteria. |
| Are users told AI is involved? | Transparency obligations may apply. | UI copy and disclosure text. |
| Is sensitive data involved? | Privacy and risk review may deepen. | Data inventory, DPIA notes, vendor docs. |
Common Evidence Gaps
- No AI system inventory.
- No intended-purpose statement.
- No written distinction between model provider, product provider, and deployer.
- No record of advisory versus decision-making output.
- No human oversight description.
- No chatbot or synthetic-content disclosure.
What ActCheck Can Do
- Describe the system.
- Identify role questions.
- Screen risk-category signals.
- List missing evidence.
- Produce a self-assessment report for internal review.
FAQ
Is every AI system high-risk?
No. Screening starts with intended purpose, affected users, output use, and sensitive contexts.
Can a chatbot be high-risk?
A chatbot may create transparency questions and could raise deeper review questions depending on use, users, and impact.
Should we classify risk before collecting documents?
Collect basic system facts first. Risk screening is more useful when purpose, users, outputs, and oversight are documented.
Use the existing ActCheck assessment flow from the homepage.
Related Pages
- EU AI Act checklist hub
- EU AI Act self-assessment
- Provider vs deployer checklist
- Technical documentation template