Are you covered by the AI Act?
The AI Act follows a risk-tier logic. Placing your system in the right tier determines your obligations — often far lighter than assumed.
The four tiers
- Unacceptable risk: some practices are banned (for example general-purpose social scoring).
- High risk: Annex III systems (credit, employment, biometrics…) or safety components of regulated products. Heavy obligations, including the Article 10 data dossier.
- Limited risk: transparency obligations (for example disclosing you are talking to an AI, or that content is generated).
- Minimal risk: most use cases. Almost no obligation under the AI Act.
The good surprise: often, “you don’t need X”
The value of scoping is not to add work, but to remove it. Many systems that look like “AI” are actually minimal risk. The useful reflex: don’t pile on obligations the Act doesn’t impose.
What about GDPR?
Independent of the AI Act: as soon as you process personal data, GDPR applies, whatever the AI risk tier.
Indicative guidance, not legal advice. When in doubt, a structured assessment removes the ambiguity.