EU AI Act
Risk classification
The EU AI Act categorises AI systems into four risk levels:
- Unacceptable risk (banned) – social scoring by governments, real-time remote biometric identification in public spaces (with limited exceptions), manipulation techniques that exploit vulnerabilities, and emotion recognition in workplaces and education
- High risk – AI systems in critical areas including biometric identification, critical infrastructure management, education and employment decisions, essential services access, law enforcement, and border control. These require conformity assessments, risk management systems, data governance, transparency, and human oversight
- Limited risk – AI systems with specific transparency obligations, including chatbots (must disclose they are AI), emotion recognition systems, and deepfake generators
- Minimal risk – the majority of AI systems, such as AI-enabled spam filters and recommendation systems, which face no specific obligations
Obligations for high-risk AI
Providers of high-risk AI systems must:
- implement a risk management system maintained throughout the AI system’s lifecycle
- ensure training data meets quality criteria for relevance, representativeness, and accuracy
- maintain technical documentation sufficient for conformity assessment
- enable logging and traceability of AI system operations
- provide clear information to deployers about the system’s capabilities and limitations
- design for effective human oversight
- achieve appropriate levels of accuracy, robustness, and cybersecurity
EU AI Act and the UK
The UK has not adopted equivalent AI legislation. The UK government has pursued a sector-specific, principles-based approach to AI regulation rather than horizontal legislation. However, UK organisations are affected by the EU AI Act where they place AI systems on the EU market (including via SaaS), their AI systems make decisions about EU residents, or they supply AI components to organisations subject to the Act.
The intersection with ISO 42001 (the international standard for AI management systems) provides a structured pathway for organisations seeking to demonstrate responsible AI governance that satisfies both EU regulatory requirements and international best practice.
Cyberfort Group and the EU AI Act
We help organisations assess their AI systems against the EU AI Act’s risk classification and implement the security, governance, and documentation requirements for high-risk AI. Our AI security services include AI risk assessment, security testing of AI/ML systems, and alignment with ISO 42001.
Related terms
- ISO 42001 – the international standard for AI management systems, providing a structured approach to AI governance
- LLM security testing – security assessment of large language models, relevant to high-risk AI compliance
- Secure by Design – the development principle that supports the AI Act’s requirement for security by design in high-risk AI
External references
- Wikipedia: Artificial Intelligence Act – legislative history and overview
- EUR-Lex: Regulation (EU) 2024/1689 – full legislative text
- European AI Office – EU body overseeing AI Act implementation
- Wikidata: Q104127753 – canonical entity identifier
Frequently asked questions
Does the EU AI Act apply to UK companies?
The EU AI Act applies to any organisation that places an AI system on the EU market or whose AI system’s output is used in the EU, regardless of where the organisation is established. UK companies selling AI-enabled products or services to EU customers are in scope.
When does the EU AI Act come into force?
The AI Act follows a phased timeline. Prohibitions on unacceptable-risk AI applied from February 2025. Obligations for general-purpose AI models apply from August 2025. High-risk AI system requirements apply from August 2026. The full regulation is enforceable from August 2027.
What is the penalty for non-compliance?
Penalties range from 7.5 million to 35 million euros, or 1% to 7% of global annual turnover, depending on the severity of the infringement and the size of the organisation.
