Classify an AI system, without ambiguity.
Classification is the decision that drives all your obligations. This page gives you the three tools to make it reproducible and defensible: testable operational definitions, a visual decision flowchart, and a complete classification sheet to download.
The "digital omnibus" package, adopted by the Parliament on 16 June and by the Council on 29 June 2026, postpones the high-risk deadlines: Annex III to 2 December 2027 (instead of 2 August 2026) and Annex I to 2 August 2028 (instead of 2 August 2027), upon its publication in the Official Journal. Unchanged: the prohibited practices (Art. 5, in force since February 2025, now completed by a 9th prohibition - see 3.A), transparency (Art. 50, applicable on 2 August 2026) and the GPAI regime. The postponement does not excuse you from classifying now: the classification is what tells you what you have to prepare.
1. Operational definitions: testable criteria
Each key concept, turned into closed questions answered yes or no, with supporting evidence.
"AI system" (Art. 3(1)) - the 3-question test
| Test | Closed question | Evidence / measurement |
|---|---|---|
| T1 - Inference | Are the outputs inferred from the inputs - through machine learning or logic- and knowledge-based approaches (recital 12) - rather than executed according to rules defined solely by humans? | Provider documentation: trained model (ML, LLM…) or reasoning engine. Answer "no" according to the Commission guidelines (Feb. 2025): basic data processing, classical mathematical optimisation, simple heuristics, systems executing human-defined rules only. |
| T2 - Outputs | Does the system produce predictions, content, recommendations or decisions? | Actual list of the outputs observed in real use. |
| T3 - Autonomy | Does it operate with varying levels of autonomy (no human intervention for each output)? | Description of the flow: is the output produced without prior human validation? |
T1 and T2 = yes → AI system within the meaning of the Regulation (T3 modulates the level of autonomy, not the qualification; adaptiveness after deployment is a clue, not a condition - "may exhibit adaptiveness"). T1 = no → outside the AI Act: document the conclusion and archive it, it is your evidence in case of an inspection. Reference: Commission guidelines on the definition of AI systems (February 2025).
Provider or deployer? The switch test (Art. 25)
| Question | If yes… |
|---|---|
| Do you place the system on the market or put it into service under your own name or trademark? | You are a provider. |
| Have you made a substantial modification to a high-risk system already on the market (retraining on your data, architecture change, modified decision thresholds)? | You become a provider. |
| Have you changed the intended purpose of a system (including a system that was not high-risk) towards a high-risk use? | You become a provider. |
| None of the three, and you use the system under your own authority in a professional context? | You are a deployer (Art. 26: instructions for use, human oversight, logs ≥ 6 months, informing individuals). |
Other concepts, measurable criteria
| Concept | Practical, measurable criterion |
|---|---|
| GPAI | Model trained on large corpora, displaying significant generality (capable of a wide range of tasks) and suitable for downstream integration. Measurable clue: the same model serves several distinct use cases. |
| Systemic risk | Cumulative training compute > 10²⁵ FLOPs (presumption, Art. 51) or designation by the Commission. Measurement: declaration by the model provider. |
| Serious incident | Death or serious harm to health; serious and irreversible disruption of critical infrastructure; infringement of fundamental rights; serious damage to property or the environment (Art. 3(49)). Associated measurement: reporting deadlines of 15 days / 10 days (death) / 2 days (critical infrastructure). |
| Substantial modification | Change not foreseen in the initial documentation that affects compliance or the intended purpose. Test: does the change invalidate a result of the conformity assessment? Yes → new assessment. |
| Placing on the market / putting into service | First making available on the EU market / first use for its intended purpose in the EU. Measurement: contractual date or go-live date - that date is what triggers the obligations. |
2. The decision flowchart
Seven questions, four outcomes. Each diamond points to the measurable criteria detailed in section 3. Download it as a PDF, put it on the wall: it is the working tool of the AI Act lead.
📄 Download the decision flowchart (PDF)
A single system can combine high risk and transparency (e.g. an HR chatbot that shortlists candidates). The "transparency" outcome of the flowchart adds to the high-risk obligations, it does not replace them.
3. The measurable criteria at each step
Step 0. Scope (Art. 2) and legacy status (Art. 111)
Before anything else: does the Regulation apply, and from when? Two preliminary checks, with measurable criteria.
| Case | Measurable criterion | Consequence |
|---|---|---|
| Military / defence / national security | The purpose is exclusively military, defence or national security. A mixed civilian use brings the system back into scope. | Out of scope (Art. 2(3)). |
| Research & development | Scientific R&D activity before placing on the market or putting into service; no external users in real-world conditions (outside sandboxes and supervised testing, Art. 60). | Out of scope until commercialisation (Art. 2(6)-(8)). |
| Personal use | Natural person, strictly personal and non-professional activity. | Deployer out of scope (Art. 2(10)). |
| Open source | System released under a free and open-source licence - unless it is prohibited, high-risk, subject to Art. 50, or a GPAI with systemic risk. | Partial exemption (Art. 2(12)). |
| Legacy status - high risk | High-risk system already placed on the market or put into service before the application date of its regime: the Regulation only applies from a significant change in design. Measurement: documented placing-on-the-market date + tracking of design changes. | Deferred application (Art. 111(2)); public authorities: compliance by 2 August 2030 at the latest. |
| Legacy status - GPAI | General-purpose AI model placed on the market before 2 August 2025. | Compliance required by 2 August 2027 (Art. 111(3)). |
"Out of scope" or "deferred" does not mean "out of the register": still record the system in the inventory with its dated justification. A legacy system falls into the regime at the first significant change in design - so it has to be monitored.
A. Prohibited practices test (Art. 5) - 9 closed questions
A single "yes" = prohibited use. The first eight prohibitions have applied since 2 February 2025; the ninth, added by the digital omnibus, applies on 2 December 2026. Keep evidence of the test (date, respondents, conclusion).
| # | Closed question | Concrete example |
|---|---|---|
| A1 | Does the system manipulate behaviour through subliminal or deliberately deceptive techniques, to the point of causing significant harm? | AI-driven dark patterns pushing compulsive purchases. |
| A2 | Does it exploit vulnerabilities linked to age, disability or social/economic situation? | Advertising targeting over-indebted people with toxic credit. |
| A3 | Does it socially score people with unjustified or out-of-context unfavourable treatment? | A "citizenship" score conditioning access to unrelated services. |
| A4 | Does it predict an individual's criminal risk solely through profiling or personality traits? | Individual "predictive policing" without objective facts. |
| A5 | Does it build a facial recognition database through untargeted scraping (internet, CCTV)? | Mass scraping of public profile photos. |
| A6 | Does it infer emotions in the workplace or in education (outside medical or safety reasons)? | Detecting employee "engagement" in video meetings. |
| A7 | Does it biometrically categorise people to infer race, opinions, trade union membership, religion, sex life or sexual orientation? | Sorting customers by presumed origin from photos. |
| A8 | Does it perform real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (outside strictly authorised exceptions)? | Live facial recognition in the street without a legal basis. |
| A9 | Does it generate or disseminate non-consensual intimate imagery or child sexual abuse material (CSAM) (prohibition added by the digital omnibus, applicable on 2 December 2026)? | AI "undressing" app. |
B. Product route (Annex I) - main criterion and nuances
Measurable criterion: the AI system is a product, or the safety component of a product, covered by harmonisation legislation listed in Annex I and subject to third-party conformity assessment. Check: does your product already carry a CE marking under one of those texts?
Two expert nuances: (1) Annex I distinguishes section A (full application of the high-risk regime: machinery, medical devices, toys, lifts…) from section B (transport: aviation, automotive, rail, marine…), where the requirements are integrated through the sectoral legislation (Art. 2(2)); (2) the digital omnibus narrows the notion of "safety component": user assistance, performance optimisation, service efficiency, automation/convenience or quality control functions no longer trigger high-risk status, unless their failure endangers health or safety. Measurable criterion: documented failure analysis (what happens if the AI component breaks down or gets it wrong?).
- Machinery · toys · lifts · protective equipment · gas appliances · pressure equipment
- Medical devices and in vitro diagnostics
- Civil aviation · automotive · rail · marine · two- and three-wheel vehicles · agricultural vehicles
- Radio equipment · cableway installations
C. Annex III areas - presence indicators
| Area | You are concerned if… | Examples |
|---|---|---|
| 1. Biometrics | The system performs remote identification, categorisation or emotion recognition (non-prohibited uses). | Remote biometric access control. |
| 2. Critical infrastructure | Safety component in the management of energy, water, gas, heating or traffic. | AI control of a power grid. |
| 3. Education | The system decides on access, evaluates, steers students or monitors exams. | Automated grading, proctoring. |
| 4. Employment & HR | It filters applications, evaluates, promotes, terminates or allocates tasks. | CV screening, performance evaluation. |
| 5. Essential services | It conditions social benefits, credit, life/health insurance or emergency calls. | Credit scoring. |
| 6. Law enforcement | Police use: risk assessment, polygraphs, evidence. | Assessing the reliability of evidence. |
| 7. Migration & borders | Examination of asylum/visa applications, risk detection at borders. | Visa file triage. |
| 8. Justice & democracy | Assistance with judicial decisions or influence on elections. | Drafting assistance for judgments. |
D. Art. 6(3) exemption - 4 conditions and a safeguard
A system in an Annex III area escapes high-risk status only if it does not pose a significant risk to health, safety or fundamental rights, because it meets at least one of these conditions:
| Condition | Measurable criterion | Example |
|---|---|---|
| D1 | Narrow procedural task: the system performs a bounded sub-task without influencing the decision. | Converting CVs into a structured format (no scoring). |
| D2 | It improves the result of a human activity already completed, without replacing it. | Rewording an appraisal already written by a manager. |
| D3 | It detects patterns or deviations from previous decisions, without replacing human assessment. | Alert on an atypical HR rating, reviewed by a human. |
| D4 | Task that is preparatory to a relevant assessment. | Grouping documents before a file is processed. |
1) If the system performs profiling of natural persons, the exemption is impossible: high risk, always. 2) The exemption analysis must be documented before placing on the market or putting into service, retained, and the system registered in the EU database (Art. 49(2)). No dated document = no defensible exemption.
E. Transparency (Art. 50) - 4 triggers
| Trigger | Measurable criterion | Obligation |
|---|---|---|
| E1 | People interact directly with the system (chatbot, voice assistant). | Clear information, unless obvious to a reasonably well-informed person. Responsible: provider. |
| E2 | The system generates or manipulates synthetic content (text, image, audio, video). | Machine-readable marking of the outputs. Responsible: provider. |
| E3 | Emotion recognition or biometric categorisation (lawful uses). | Informing the exposed individuals. Responsible: deployer. |
| E4 | Deepfakes, or AI-generated text informing the public without human editorial review. | Visible disclosure of the generated/manipulated nature. Responsible: deployer. |
4. The classification sheet: the complete template
One sheet per system, completed at initial classification then reviewed after each substantial modification. Together with the register, it is your first line of evidence before a market surveillance authority.
| Block | Fields | Completeness criterion |
|---|---|---|
| 1. Identification | Name, register identifier, version, date, author, contributors (business, legal, technical). | Unique identifier linked to the register; at least 2 contributors from different functions. |
| 2. Description | Intended purpose, users, affected persons, context of use, input/output data, underlying model or provider (GPAI?). | An uninvolved third party understands the use as written. |
| 3. Qualification | Tests T1/T2/T3 + conclusion "AI system: yes/no". | Each test answered with its evidence. |
| 4. Scope & legacy status | Art. 2 exclusions (military, R&D, personal, open source) + Art. 111 legacy status (placing-on-the-market date, design changes). | Documented placing-on-the-market date; exclusion justified and dated. |
| 5. Role | Provider / deployer / importer / distributor + Art. 25 switch test. | The 3 switch questions answered. |
| 6. Art. 5 screening | The 9 questions A1-A9 (yes/no + justification). | 9/9 answered; any "yes" = sheet closed with a stop decision. |
| 7. High risk | Annex I (applicable text, section A/B, component failure analysis); Annex III (area and precise point); 6(3) exemption (conditions D1-D4, profiling safeguard, analysis). | Annex point quoted verbatim; dated 6(3) analysis if invoked. |
| 8. Transparency | Triggers E1-E4 + planned information/marking measures. | Each trigger tested. |
| 9. Conclusion | Category retained, obligations triggered (list), deadlines (post-omnibus), FRIA/DPIA required. | Single category + documented transparency add-on. |
| 10. Validation | AI Act lead, legal, AI committee decision if borderline case, next review date. | At least 2 signatures; review planned ≤ 12 months or upon modification. |
A defensible classification = an applied flowchart + traced closed questions + a signed sheet linked to the register. Systematic review: substantial modification, change of intended purpose, new major model version, or 12 months.
Sources for this page
- Regulation (EU) 2024/1689 (EUR-Lex): Art. 2, 3, 5, 6, 25, 26, 27, 49, 50, 111, Annexes I and III;
- Commission guidelines on the definition of AI systems (February 2025) and on prohibited practices (February 2025);
- Draft guidelines on the classification of high-risk systems (Art. 6(5)): published on 19 May 2026, consultation closed on 23 June 2026 - final version to watch;
- "Digital omnibus" package: adopted by the Parliament (16 June 2026) and the Council (29 June 2026) - new high-risk deadlines (2 Dec. 2027 / 2 Aug. 2028), 9th prohibited practice, narrowed notion of safety component.