The EU AI Act Part One
The 4 risk levels every business must understand

Steve Jackson
Chief Data Officer
Steve has over 20 years' experience getting the most out of data platforms, having made his clients hundreds of millions in cost savings or sales directly attributable to his work. For the last 5 years he has been building an AI-driven travel SaaS and vibe coding his way through all kinds of software development hell!
Why does the EU get a bad reputation for restrictive laws?
In short, the EU regulates impact early. After laws like the General Data Protection Regulation (GDPR), many companies felt friction fast. Consent rules, limits on data use, and real fines changed how products were built. This led to a simple narrative: regulation slows innovation.
The EU are making Europe less competitive than the US and blah blah blah!
Arguments abound online about this and have done since the so-called cookie law!
On the one hand you have the haters, on the other, the snowflakes.
The reality is more balanced:
- The EU focuses on user safety, privacy and control
- The US often allows faster rollout, then fixes issues later
Which is better?
Personally, because of the rise of the machine, I prefer the European safety-first stance.
For AI, the EU follows the same pattern:
Control where harm can happen, leave the rest alone
For most businesses, this means one thing:
If your AI supports users, you are fine.
If it decides outcomes, rules increase.
The EU AI Act is designed with one idea in mind: controlling risk.
Risk decides the rules.
Not all AI is treated the same. The law splits AI into four levels. Each level brings a different set of obligations. If you get this right early, you avoid most problems later.
Why this matters
Most companies do not plan to build “high-risk AI”. But many drift into it by accident. A simple feature grows and a tool starts to influence outcomes. Then suddenly, the rules change.
Understanding the four levels is how you stay in control.
The 4 risk levels
Instead of regulating all AI the same way, the Act splits AI into four risk levels and applies rules based on impact.
1. Prohibited AI
What it is
This is AI that is banned outright. It is not about compliance. It is about “do not build this”.
Examples
- Social scoring of people (Black Mirror, anyone?)
- AI that manipulates behaviour in harmful ways
- Systems that exploit vulnerable groups
- Real-time biometric tracking (face recognition and gait) in public spaces. There are exceptions like terrorist threat prevention, searches for missing persons or major crime investigations.
What this means for you
Most commercial products will not go near this.
What to do
- Sanity check your use cases early
- Avoid anything that profiles or manipulates people at scale
What to avoid
- Behaviour nudging that crosses into manipulation
- Hidden scoring systems tied to people
2. High-risk AI
What it is
This is where the strict rules sit. These systems affect rights, access, or safety.
Examples
- Hiring and recruitment systems
- Credit scoring
- Insurance risk assessment
- Medical AI
- Law enforcement tools
What this means for you
If your AI decides outcomes, filters people and affects access to services, you may be here. Credit card companies are here. Banks are here. Many legal firms and government authorities are here. Emergency services are here.
What is required
- Risk management processes
- High-quality, controlled data
- Full documentation
- Human oversight (human in the loop)
- Accuracy and reliability checks
- Registration in an EU database
What to do
- Check if your AI impacts real-world outcomes
- Keep humans involved in decisions
- Build with audit and logs from day one
What to avoid
- Fully automated decisions with real impact
- Systems you cannot explain
3. Limited-risk AI
What it is
This is where most business AI sits, and the focus here is transparency.
Examples
- Chatbots
- AI-generated content
- Recommendation systems
- Assistants and copilots
What this means for you
If your AI helps users, suggests actions or generates content, then this is likely your category.
What is required
- Tell users they are dealing with AI
- Label AI-generated content where needed
What to do
- Add clear AI disclosures
- Make outputs understandable
- Set expectations on accuracy
What to avoid
- Passing off AI output as human
- Hiding how content is created
4. Minimal risk
What it is
Low-impact systems that are not regulated beyond general law.
Examples
- Spam filters
- Basic automation (if this then that)
- Internal tools
What this means for you
No extra compliance burden.
What to do
- Follow standard data and privacy rules
What to avoid
- Assuming “low risk” lasts forever; systems can evolve
The Red Queen challenge: systems move
(See the book deal below to learn more about the Red Queen)
Most AI does not stay in one category. It evolves. A system can go from a chatbot to an assistant, from an assistant to a recommender, and then from a recommender to a decision engine. Each step increases risk.
How to stay safe
Define your category early. Write down what your AI does and doesn’t do. Keep it tight. Watch for boundary crossings.
Ask:
- Does this affect access, money, or opportunity?
- Does this replace a human decision?
If yes, risk is rising.
Design for control
Even in low-risk systems:
- Keep human override
- Keep clear logic
- Keep audit trails
A simple mental model
Think of it like this:
- Minimal risk → tools
- Limited risk → assistants
- High risk → decision-makers
- Prohibited → manipulation or control of people
Your goal is to stay in tools and assistants and keep humans as the decision-makers.
Closing thought
The EU AI Act is not about stopping AI.
It is about stopping uncontrolled impact on people. If you understand where your system sits, you can move fast without stepping into risk.
Next in the series
Part 2 will cover the practical side: the key mistakes businesses make and the critical dos and don’ts when building with AI.
