What Is a High-Risk AI System Under the EU AI Act?

Insights · EU AI Act · May 29, 2026 · 8 min read
The short answer

The EU AI Act sorts AI systems into four risk tiers: unacceptable (banned), high-risk (heavily regulated), limited-risk (transparency duties), and minimal-risk (largely unregulated). High-risk is the tier that matters most for enterprises, because it carries risk-management, data-governance, documentation, logging, human-oversight, and cybersecurity obligations. The obligations for the high-risk use cases listed in Annex III apply from 2 August 2026, so any such system you put into production today should already be built to meet them.

The four risk tiers, in plain terms

The EU AI Act is risk-based: the more harm a system could do, the more it is regulated. It defines four tiers.

Unacceptable-risk systems - such as social scoring, or systems that use manipulative techniques or exploit the vulnerabilities of a group because of age, disability, or social or economic situation - are banned outright. Limited-risk systems, such as chatbots, mainly carry transparency duties: people must be told they are interacting with AI, and AI-generated content must be marked as such. Minimal-risk systems, such as spam filters, are largely unregulated. The tier that consumes most enterprise effort is high-risk.

What makes a system high-risk?

A system is high-risk in two main situations (Article 6). First, when it is a safety component of a product - or is itself a product - covered by the EU product-safety legislation listed in Annex I and subject to third-party conformity assessment, for example medical devices, machinery, or aviation. Second, when it falls into one of the use cases the Act lists explicitly in Annex III.

Annex III covers areas such as biometric identification and categorisation, management of critical infrastructure, education and exam scoring, employment and recruitment, access to essential services including credit scoring and life and health insurance pricing, law enforcement, migration and border control, and the administration of justice. If your AI influences decisions in these areas, assume it is high-risk until you have confirmed otherwise. There is a narrow exception for systems that perform only a preparatory or narrow procedural task and do not pose a significant risk to health, safety, or fundamental rights, but a provider who relies on it must document that assessment before placing the system on the market and still register it in the EU database. Profiling of natural persons never qualifies for the exception.

What obligations come with high-risk?

High-risk systems carry the heaviest compliance load (Articles 9 to 15). You need a risk management system that runs across the whole lifecycle, data governance covering the quality, relevance, and representativeness of training, validation, testing, and input data, and detailed technical documentation that demonstrates conformity and is kept up to date.

You also need automatic logging of events so that the system's operation can be traced after the fact, clear instructions for the people who deploy the system, human oversight that lets a competent person understand, override, or stop it, and an appropriate level of accuracy, robustness, and cybersecurity. On the cybersecurity point, the Act is explicit that the system must resist attempts by unauthorised third parties to alter its use, outputs, or performance by exploiting its vulnerabilities, and it names data poisoning, model poisoning, adversarial examples and model evasion, and confidentiality attacks as the threats to address. Providers must also operate a quality management system, run a conformity assessment, and register the system in the EU database before placing it on the market, and they must monitor it after release.

Who is responsible - provider or deployer?

The Act distinguishes the provider, who develops the system and places it on the market or puts it into service under its own name, from the deployer, who uses it under its own authority. Most obligations fall on the provider, but deployers have real duties too (Article 26): using the system according to the provider's instructions, assigning human oversight to people with the competence, training, and authority to exercise it, ensuring input data is relevant to the intended purpose, monitoring operation and reporting serious incidents, and keeping the logs the system generates for at least six months.

The catch for enterprises is that if you put your own name or trademark on a high-risk system, substantially modify it, or change its intended purpose so that it becomes high-risk, you become a provider yourself and inherit the provider obligations (Article 25). This is why building AI in-house or with a partner needs the same compliance rigor you would expect from a vendor.

The timeline that matters

The EU AI Act entered into force on 1 August 2024 and applies in stages. Bans on unacceptable-risk systems and AI literacy obligations applied first, from 2 February 2025. Obligations for general-purpose AI models followed on 2 August 2025.

The obligations for high-risk systems in Annex III apply from 2 August 2026. High-risk systems that are safety components of the Annex I regulated products have until 2 August 2027. The practical implication: if you are putting a high-risk system into production in 2026, you do not have a grace period to add compliance later - it needs to be built in now.

What to do now

Start with an inventory. List the AI systems you run or plan to run, including those embedded in vendor products, and classify each by risk tier against Annex I and Annex III. For anything that lands in high-risk, gap-check it against the obligations above: risk management, data governance, technical documentation, logging, human oversight, accuracy and cybersecurity, and post-market monitoring. For anything you judge to be outside high-risk despite touching an Annex III area, write down why, because the Act expects that assessment to be documented.

Treat compliance as an operating discipline, not a one-time certificate. The systems that are easiest to keep compliant are the ones instrumented for traceability and oversight from the start: logs you can retain and query, oversight controls a person can actually exercise, and documentation that is regenerated as the system changes rather than written once. That is exactly what continuous AI operations and governance are for.

This article is general guidance, not legal advice. Confirm your obligations with qualified counsel for your specific systems.

Andreas Eiselt

Founder & CEO, Innovandio
