Search Client access
Free tool · Compliance

AI Act Risk Classifier: what obligations apply to your system?

State your role and tick what your AI system does. In under a minute you'll know whether you're facing a prohibited practice, a high-risk system, a transparency obligation, or a general-purpose AI (GPAI) model — with the exact articles, the application timeline and the fines under Regulation (EU) 2024/1689.

Free, no sign-up Instant result Your answers never leave your browser
Step 1 1 / 3

What is your role with respect to the AI system?

The AI Act allocates obligations according to the role you play — you may have more than one, but pick the one that best describes your main situation.

What does your AI system do?

Tick everything that applies. If you tick nothing, we understand your system does not fall into any category with specific obligations.

Prohibited practices (Art. 5) — outside the law, whatever your role
High-risk (Annex III and Annex I) — reinforced obligations
Limited risk (Art. 50) — transparency obligations
General-purpose AI model (GPAI) — Chapter V

How many employees does your company have?

Determines whether you have access to the AI Act's support measures for SMEs and startups (Articles 62-63).

Indicative result

Here's what we found for your AI system

Legal notice: this result is indicative and generated automatically from your answers. It does not replace advice from a legal or compliance professional on the specific case of your AI system. If in doubt about an obligation with legal or financial implications, consult the official source or book a session with us.
How it works

Three steps, no data sent anywhere.

01

State your role

Provider, deployer, importer, distributor or product manufacturer — the AI Act allocates obligations differently depending on the role you play.

02

Tick what your system does

Checkboxes on its real uses and functions, no legal jargon, grouped by risk level.

03

It all happens in your browser

The logic is local JavaScript: no answer is sent to a server or stored anywhere.

04

We cross-check against the Regulation

Art. 5 (prohibited), Annex I-III (high-risk), Art. 50 (transparency) and Chapter V (GPAI models), with the real dates after the Digital Omnibus.

05

You get your risk class

With concrete obligations, an application timeline and exact fines — plus a link to go deeper on your case.

Why this tool exists

Five risk levels, a regulation that already applies.

The AI Act — Regulation (EU) 2024/1689 — is the world's first comprehensive artificial intelligence law. It entered into force on 1 August 2024, but it does not apply all at once: it rolls out in phases, and each phase brings different obligations and fines depending on what your system does and the role you play with respect to it. The most common confusion among Spanish SMEs isn't not knowing the AI Act exists — it's not knowing which risk level their specific case falls into, and that classification is what determines whether you need to act now, in a few months, or not at all.

The Regulation organises AI systems into a four-level pyramid. At the base, most everyday uses of AI (internal analytics, task automation, AI as a productivity copilot) generate no specific obligations beyond the AI literacy duty in Art. 4: that whoever operates or uses the system understands its capabilities and limits. Above that, limited risk under Art. 50 requires transparency: it must be clear when someone is interacting with a chatbot, and synthetic content — image, audio, video or text that is generated or manipulated, including deepfakes — must be identified as such. These obligations apply from 2 August 2026, with a transitional period until 2 December 2026 for the technical marking of content already in circulation.

High-risk: the eight areas of Annex III

High-risk covers systems that play a part in decisions with a real impact on people: biometrics, critical infrastructure, education, employment and worker management, access to essential services (credit, insurance, social benefits), law enforcement, migration and border control, and the administration of justice. On top of this comes Annex I: AI systems that are a safety component of a product already regulated under other EU legislation — machinery, toys, medical devices, lifts, aviation, vehicles. This is where SMEs most often get it wrong: a recruitment screening tool, a credit risk scoring system, or a video surveillance system with analytics can fall under Annex III without anyone in the company ever having labelled it "high-risk AI".

And here is the fact that changes the timeline calculation the most: the simplification package known as the Digital Omnibus, with final agreement from the European Parliament (16 June 2026) and the Council of the EU (29 June 2026), postpones the specific obligations for Annex III from 2 August 2026 to 2 December 2027, and those for Annex I (regulated products) from 2 August 2027 to 2 August 2028. The changes take effect once published in the EU Official Journal, expected in July 2026. What is not postponed is the Regulation's general application on 2 August 2026: that is the date the Art. 50 transparency rules, AI literacy and the full enforceability of fines for prohibited practices, GPAI and transparency all kick in.

Prohibited practices and GPAI models

At the top of the pyramid sit the eight prohibited practices in Art. 5 — subliminal manipulation, exploitation of vulnerabilities, social scoring, crime prediction by profiling, mass facial-image scraping, emotion recognition at work or in education, biometric categorisation of sensitive data, and real-time remote biometric identification for law enforcement. These have been banned without exception since 2 February 2025: they are not legalised by adjusting consent, they are withdrawn. Separately from this use-based risk pyramid, Chapter V regulates providers of general-purpose AI (GPAI) models — the base models others build on top of — with technical documentation, training-data summary and copyright-compliance obligations enforceable since 2 August 2025.

In Spain, the reference authority is the Spanish Agency for the Supervision of Artificial Intelligence (AESIA, headquartered in A Coruña, created by Royal Decree 729/2023), but the domestic legal framework detailing its national penalty regime — the draft Organic Law for the proper use and governance of AI, submitted to Congress on 26 May 2026 — is still going through parliament. This delays nothing: as a Regulation rather than a Directive, the AI Act and its Art. 99 fines apply directly across the EU without waiting for each country to pass its own implementing law, just as happens with DORA in the financial sector.

If the test places you in high-risk or prohibited territory, our 90-day plan to bring an SME into compliance with AI Act Annex III gives you the full roadmap, and if you'd rather have a certifiable management system than an ad hoc plan, ISO 42001 for AI management covers much of the same documentation duties. All of this is part of our regulatory compliance practice, where we also cover Spain's ENS, NIS2, DORA and GDPR. And if you're still not sure whether those also apply to you, our companion tool which regulation applies to me? checks all of them at once.

Frequently asked questions

Before you take the test.

What is the AI Act and what already applies today?+

The AI Act is Regulation (EU) 2024/1689, the world's first comprehensive artificial intelligence law. It entered into force on 1 August 2024. The prohibited practices in Article 5 have applied since 2 February 2025, and the obligations for general-purpose AI (GPAI) models since 2 August 2025. Most of the Regulation, including the transparency rules in Article 50, applies from 2 August 2026.

What is the difference between a provider, deployer, importer and distributor?+

The provider develops the AI system or places it on the market under its own brand; the deployer uses it under its own authority in its activity (the most common case for SMEs); the importer places on the EU market a system carrying the brand of a non-EU provider; the distributor makes it available in the supply chain without being its provider or importer. A single company can hold more than one role at once.

My company is an SME — do I have fewer obligations or more time?+

The obligations are the same, but the Regulation includes specific support measures for SMEs and startups (Articles 62-63): priority, free access to regulatory sandboxes, reduced conformity assessment fees, a simplified quality management system for microenterprises, and, in the event of a fine, Article 99(6) applies the lower of the two amounts (fixed sum or percentage of turnover), not the higher.

Is it true that the high-risk obligations have been delayed?+

Yes. The simplification package known as the "Digital Omnibus", with final agreement from the European Parliament (16 June 2026) and the Council (29 June 2026), postpones the specific obligations for Annex III high-risk systems from 2 August 2026 to 2 December 2027, and those for Annex I (regulated products) from 2 August 2027 to 2 August 2028. The changes take effect once published in the EU Official Journal, expected in July 2026.

Is this result legal advice, and are my answers stored?+

It is not legal advice: it is an automated indication based on your answers, meant to show you where to start, not a ruling on your specific case. And no, nothing is stored: the test runs entirely in your browser with JavaScript, without sending any answer to a server.

Want to talk through the result?

Let's go through it together.

Book a free 30-minute session. We'll go through your result, clarify which obligation weighs most in your case, and what concrete steps to take first.

Book a free session →