v2.4.0

Risk assessment under the EU AI Act begins with classification and extends through identification, scoring, mitigation, and iterative review. Risk classification applies the four-tier framework, assessing prohibited practices, high-risk categorisation under Annex III and Annex I, and the full obligation set. The Article 6(3) exception assessment evaluates whether a system that falls within Annex III may qualify for an exception. The classification decision record documents the determination with supporting evidence. Reclassification triggers define the events that require reassessment.

Five-method risk identification combines structured workshops, historical analysis, regulatory checklists, adversarial analysis, and stakeholder interviews. Risk scoring and calibration applies likelihood-impact matrices with calibration against documented precedent. Reputational risk extends the assessment beyond regulatory harm. Residual risk and acceptability documents the risk remaining after controls, with deployer communication and periodic review.

The fundamental rights impact assessment maps the system’s effects against the EU Charter. Risk assessment for specific categories addresses biometric, critical infrastructure, employment, and law enforcement contexts. GPAI model risk assessment covers systemic risk evaluation. Iterative risk management ensures risk assessment is a continuous process. The section concludes with artefacts.

Note:

are populated. (FRIA continuation, specific categories, GPAI risk, iterative management, artefacts) are awaiting content from a subsequent batch.
