A lot of explanations of the EU AI Act stop at definitions. That is usually where the confusion starts.
In practice, risk classification is not only about the technology itself. It is about how AI is used, who is affected, and what kind of impact it can have.
The four risk levels at a glance
At a high level, the EU AI Act groups systems into four categories:
- Unacceptable risk — These are uses that are considered too harmful and are not allowed.
- High risk — These uses can affect people in serious ways and come with stronger obligations.
- Limited risk — These uses may trigger transparency requirements, but the compliance burden is usually lighter.
- Minimal risk — These uses generally face very limited obligations.
That sounds simple on paper. The harder part is applying it to a real business.
Why classification depends on context
This is the part most companies miss.
The same AI model or tool can be low risk in one setting and much more heavily regulated in another.
For example, using AI to help draft internal meeting notes is very different from using AI to rank job candidates or support decisions that shape access to services, education, or employment.
The real question is not only what tool is involved. It is what role that tool plays in decision-making and how much it affects people.
Example: using AI in hiring
If AI is used to screen applicants, rank candidates, or influence hiring decisions, that can move the use case into high-risk territory.
Why? Because employment decisions have a direct and meaningful impact on people. This is one of the clearest examples of why context matters so much.
Example: using ChatGPT internally
If a team uses a generative AI tool internally for brainstorming, drafting, note-taking, or lightweight productivity work, that is often much lower risk.
There may still be governance questions around data handling, transparency, or internal usage policies, but the regulatory profile is usually very different from AI that directly affects individuals.
Example: AI features inside a SaaS product
This is where things often get more nuanced.
A software company might add AI features for summarization, recommendations, support automation, or analysis. Some of those uses may stay relatively light. Others may become more sensitive if the output starts shaping access, ranking people, filtering users, or influencing decisions with real consequences.
That is why SaaS companies should look beyond the label "AI feature" and ask what the feature actually does in practice.
How to think about your own use case
A simple way to assess classification is to ask:
- Does this AI influence a decision that affects a person?
- Could that decision materially change someone's opportunities, treatment, or outcome?
- Are we using AI internally, or are we applying it in a customer-facing or decision-heavy context?
- Are we building the system, selling it, or simply using it?
Those questions will usually get you closer to the right starting point than trying to memorize categories in the abstract.
Why this matters for SMEs
For smaller companies, the risk is not only non-compliance. It is wasted effort.
If you assume everything is high risk, you can overcomplicate the process and slow the business down.
If you assume nothing applies, you may miss issues that become more expensive later.
The smart move is to get a grounded view early.