The EU AI Act establishes a four-tier risk classification framework that determines the obligations attaching to each AI system. Understanding where a system falls within this framework is the precondition for every subsequent risk assessment activity.

Tier 1 covers prohibited practices under Article 5; systems falling here must cease operation immediately. Tier 2 covers high-risk systems under Annex III and Article 6, requiring the full AISDP (all 12 modules), conformity assessment, CE marking, and EU database registration. Tier 3 covers limited-risk systems under Article 50, requiring a standard AISDP addressing transparency measures for chatbots, emotion recognition, biometric categorisation, and synthetic content generation. Tier 4 covers minimal-risk systems that trigger no specific obligations, requiring only a baseline AISDP confirming the classification rationale.

The classification determination is the first step in the risk assessment process. Before conducting any detailed risk analysis, the assessor verifies that the system’s Classification Decision Record (CDR) is current, that no reclassification triggers have been activated, and that the classification rationale remains sound given the system’s current deployment context.

Key outputs

• Four-tier classification determination
• CDR currency verification before risk assessment proceeds
• AISDP scope determination (full, standard, or baseline)
• Module 6 AISDP documentation