EU AI Act Risk Classification Guide for SaaS Products

The hardest part of EU AI Act preparation is often deciding how your AI system is classified under the Act.

Separate product purpose from AI capability

Do not classify only by model type. A language model, recommendation model, or classifier can be low, limited, or high risk depending on the system purpose. A chatbot answering product questions is different from a chatbot screening job applicants or advising on healthcare decisions. Start with the intended purpose, affected users, decision impact, and operational context.

Check high-risk trigger areas

High-risk analysis should look for employment decisions, creditworthiness, education access, healthcare outcomes, biometric identification, critical infrastructure, law enforcement, migration or asylum, legal decision support, access to essential services, and other significant impacts. If any answer points to these areas, slow down and collect more evidence before generating final documents.

Catch conflicting answers

Conflicts matter. For example, a user may say the AI is only a support chatbot but also say it makes final credit decisions. Or they may say humans review all outputs but also say the workflow is fully automated. A good compliance workflow should flag those contradictions and ask for correction before generating documents.

Document assumptions

Classification is not only a label. Keep a short explanation of why the system was classified as high risk, limited risk, or minimal risk. Note assumptions, human oversight, escalation routes, vendor dependencies, and unanswered questions.
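One way to implement the trigger-area and contradiction checks from the sections above, as an added example (not ComplyAI's code). The field names, the `support_chatbot` label, the area identifiers and the status strings are assumptions made for illustration, and the first conflict rule generalizes the guide's credit-decision example to any trigger area.

```python
from dataclasses import dataclass, field
from typing import Optional

# Trigger areas from the guide's list; the identifier spellings are assumed.
HIGH_RISK_AREAS = {
    "employment", "creditworthiness", "education_access", "healthcare",
    "biometric_identification", "critical_infrastructure", "law_enforcement",
    "migration_asylum", "legal_decision_support", "essential_services",
}

@dataclass
class Intake:
    # Hypothetical questionnaire answers; None means "not answered yet".
    stated_purpose: str
    decision_areas: set = field(default_factory=set)
    makes_final_decisions: Optional[bool] = None
    humans_review_all_outputs: Optional[bool] = None
    fully_automated: Optional[bool] = None

def review(intake: Intake) -> dict:
    """Flag trigger areas, contradictions and unanswered questions."""
    triggers = sorted(intake.decision_areas & HIGH_RISK_AREAS)
    other = sorted(intake.decision_areas - HIGH_RISK_AREAS)  # needs manual review
    conflicts = []
    if (intake.stated_purpose == "support_chatbot"
            and intake.makes_final_decisions and triggers):
        conflicts.append("support-only purpose vs final decisions in: "
                         + ", ".join(triggers))
    if intake.humans_review_all_outputs and intake.fully_automated:
        conflicts.append("humans review all outputs vs fully automated workflow")
    unanswered = [name for name in ("makes_final_decisions",
                  "humans_review_all_outputs", "fully_automated")
                  if getattr(intake, name) is None]
    if conflicts:
        status = "correct_answers"    # ask for correction before generating
    elif triggers:
        status = "collect_evidence"   # slow down, gather more evidence
    else:
        status = "proceed"
    return {"status": status, "triggers": triggers, "other_areas": other,
            "conflicts": conflicts, "unanswered": unanswered}

# Constructed sample: the contradictory intake the guide describes.
SAMPLE = Intake("support_chatbot", {"creditworthiness"}, True, True, True)

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```

The returned dictionary can be stored alongside the classification as the record of triggers, open questions and corrections requested.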

ComplyAI is a first-draft generator, not a law firm. Contact: support@complyai.tech.