Are you covered by the AI Act?

The AI Act follows a risk-tier logic. Placing your system in the right tier determines your obligations — often far lighter than assumed.

The four tiers

  • Unacceptable risk: some practices are banned (for example general-purpose social scoring).
  • High risk: Annex III systems (credit, employment, biometrics…) or safety components of regulated products. Heavy obligations, including the Article 10 data dossier.
  • Limited risk: transparency obligations (for example disclosing you are talking to an AI, or that content is generated).
  • Minimal risk: most use cases. Almost no obligation under the AI Act.

The good surprise: often, “you don’t need X”

The value of scoping is not to add work, but to remove it. Many systems that look like “AI” are actually minimal risk. The useful reflex: don’t pile on obligations the Act doesn’t impose.

What about GDPR?

Independent of the AI Act: as soon as you process personal data, GDPR applies, whatever the AI risk tier.

Indicative guidance, not legal advice. When in doubt, a structured assessment removes the ambiguity.