Is Your AI Feature High-Risk Under the EU AI Act?
AI-generated illustration

Is Your AI Feature High-Risk Under the EU AI Act?

The Act is in force, but the high-risk obligations phase in — here's how to tell whether your feature is in the bucket, and exactly what you owe if it is.

Verdict: treat it as binding soon. Under the European Commission's risk-based AI Act, your feature is high-risk if it is a safety component of a regulated product or falls in a listed use like hiring, credit, or biometrics. If so, you owe risk management, data governance, logging, documentation, human oversight, and robustness.

The Weights Desk · 4 min read

Verdict: binding soon — so classify before you build

The AI Act is already law; the European Commission's framework sorts every system into four risk tiers — unacceptable, high, limited, minimal — and loads almost all the compliance weight onto the high-risk tier (s1). Prohibited uses bite first; high-risk duties phase in later on the Commission's staggered timeline. Treat that gap as a trap, not a reprieve. The prioritised move is to classify honestly today, then stand up a risk-management system and technical documentation — the two things that take longest to retrofit.

There are exactly two doors into high-risk

Door one: your AI is a safety component of a product already covered by EU product-safety law — think medical devices, machinery, vehicles, toys (s1). Door two: your use sits in the Commission's listed high-risk areas — biometric identification, critical infrastructure, education, employment and worker management, access to essential private and public services such as credit scoring, law enforcement, migration and border control, and administration of justice (s1). The consequence to internalise: classification is use-based, not model-based. The same LLM is minimal-risk behind a marketing helper and high-risk behind a hiring filter.

The seven duties, and the one that actually bites

Through either door, the framework requires a risk-management system; high-quality datasets to curb discriminatory outcomes; activity logging for traceability; technical documentation deep enough for authorities to assess compliance; clear information to the deployer; human oversight; and a high level of robustness, security and accuracy (s1). What most teams underestimate is data governance — proving training and evaluation data is representative and bias-checked is far harder than writing a policy doc, and you cannot backfill it after shipping. One honest caveat: this is the classification-and-obligations skeleton only. Conformity assessment, registration, and the general-purpose-AI rules are separate tracks with their own timing, and national implementing detail is still settling — so scope the paperwork wider than these seven lines.

Is a customer-support chatbot high-risk under the AI Act?
Usually no. A general chatbot sits in the limited-risk tier: the Commission's framework requires you disclose that users are interacting with AI, but it does not trigger the full high-risk obligation set unless the feature falls inside a listed high-risk use.
When do the high-risk obligations actually start applying?
The Act entered into force in 2024 and applies gradually. The Commission describes a staggered timeline in which high-risk obligations land later than the prohibitions on unacceptable-risk uses — which is why the honest read is 'binding soon,' and why you should build the stack now.
Does using a general-purpose model make my product high-risk?
Not by itself. High-risk status is decided by how and where the system is used, not by which model powers it. General-purpose AI models carry their own separate obligations, distinct from the high-risk classification of the feature you build on top.
  1. Regulatory framework on Artificial Intelligence — European Commission