Free Tool / Regulation (EU) 2024/1689

EU AI Act Risk-Tier Self-Assessment

Answer the questions below about your AI system. We classify it into the EU AI Act risk tiers - Prohibited, High-risk, Limited-risk or Minimal-risk - and show the obligations that apply, in plain English with article references. Everything runs in your browser; nothing is sent anywhere.

About your AI system

0 of 16 answered. Answer every question for the most accurate classification.

Does the system evaluate or classify people over time based on their behaviour or characteristics to produce a social score that leads to detrimental or unfavourable treatment?

Social scoring by public or private actors that causes unjustified or disproportionate detrimental treatment is a prohibited practice. (Article 5(1)(c))

Does it use subliminal, manipulative or deceptive techniques, or exploit vulnerabilities (age, disability, social or economic situation), to materially distort behaviour and cause harm?

Purposefully manipulative or exploitative systems that materially distort behaviour and cause significant harm are prohibited. (Article 5(1)(a) and (b))

Does it use biometric data to categorise people in order to infer or deduce sensitive attributes such as race, political opinions, trade union membership, religion, sex life or sexual orientation?

Biometric categorisation systems that infer sensitive categories are prohibited (narrow lawful-labelling exceptions aside). (Article 5(1)(g))

Does it infer the emotions of people in the workplace or in education settings?

Emotion recognition in the workplace and educational institutions is prohibited, except for medical or safety reasons. (Article 5(1)(f))

Does it build or expand facial-recognition databases through untargeted scraping of facial images from the internet or CCTV footage?

Untargeted scraping of facial images to create or expand recognition databases is prohibited. (Article 5(1)(e))

Is it a real-time remote biometric identification system used in publicly accessible spaces for law-enforcement purposes?

Real-time remote biometric identification in public spaces for law enforcement is prohibited, subject to narrow, pre-authorised exceptions. (Article 5(1)(h))

Is it a remote biometric identification system, or a biometric categorisation / emotion-recognition system, used outside the prohibited cases above?

Biometric identification and categorisation systems (not otherwise banned) are listed as high-risk in Annex III(1). (Annex III(1))

Is it used for recruitment, hiring, task allocation, promotion, termination, or monitoring and evaluating the performance of workers?

AI used in employment, workforce management and access to self-employment is high-risk under Annex III(4). (Annex III(4))

Does it determine access to (or eligibility for) essential private or public services - for example creditworthiness/credit scoring, or risk assessment and pricing in life and health insurance?

Access to essential services, creditworthiness evaluation and insurance risk/pricing for individuals are high-risk under Annex III(5). (Annex III(5))

Is it used to determine access to education, to assign people to programmes, to evaluate learning outcomes, or to monitor and detect prohibited behaviour during tests?

AI in education and vocational training that affects access or assessment is high-risk under Annex III(3). (Annex III(3))

Is it a safety component in the management or operation of critical infrastructure (for example road traffic, or the supply of water, gas, heating or electricity)?

Safety components of critical digital infrastructure, traffic and utilities are high-risk under Annex III(2). (Annex III(2))

Is it used by, or on behalf of, public authorities for law enforcement, migration / asylum / border control, or the administration of justice and democratic processes?

These public-authority use cases are high-risk under Annex III(6), (7) and (8). (Annex III(6) to (8))

Does it interact directly with people as a chatbot, voice agent or other conversational interface?

Systems intended to interact with people must inform users they are dealing with AI, unless it is obvious from the context. (Article 50(1))

Does it generate or manipulate synthetic content (text, images, audio or video), including deepfakes?

Generative output must be marked as artificially generated/manipulated in a machine-readable way, and deepfakes and AI-generated public-interest text must be disclosed. (Article 50(2) and (4))

Does it use emotion recognition or biometric categorisation in any context that is allowed (not covered by the prohibited cases above)?

Where permitted, people exposed to emotion-recognition or biometric-categorisation systems must be informed that they are being subjected to them. (Article 50(3))

Do you develop or fine-tune a general-purpose AI model (for example a foundation / large language model) that can be used across many tasks?

Providers of general-purpose AI models have their own obligations (technical documentation, training-data summary, copyright policy), with stricter rules for models posing systemic risk. (Articles 51 to 55)

Educational tool, not legal advice. This self-assessment is a simplified guide to Regulation (EU) 2024/1689 (the EU AI Act). Article references are to the consolidated text. The true classification of a system depends on its precise intended purpose, deployment context and the role you play (provider, deployer, importer or distributor). Always confirm with qualified legal counsel before relying on this result.

Want a second pair of eyes on this?

We build AI systems that are GDPR and EU AI Act compliant by design. If you want a structured compliance review of your AI system - or help getting a high-risk system through conformity assessment - we are based in Vienna and happy to talk.

Book a compliance review