EU AI Act: What "High Risk" Actually Means for Your Product

Elena: The EU AI Act came into force in 2024, with the first major provisions applying in 2025 and 2026. The concept everyone struggles with is the risk tiers — what do they actually mean for a founder or product manager?

Elena: Let me work backwards from the most restrictive category. Prohibited AI systems — completely banned — include social scoring by governments, real-time remote biometric surveillance in public spaces except narrow law-enforcement exceptions, and systems that exploit psychological vulnerabilities. If your product does any of these things, it's banned in the EU. Full stop.

Elena: High-risk AI is the category that affects the most startups. High-risk systems require conformity assessment, transparency documentation, human oversight mechanisms, and registration in a new EU database. The list of high-risk applications is in Annex III of the Act: AI in hiring and HR, AI in education assessment, AI in credit scoring, AI in law enforcement, AI in healthcare diagnosis. If your product makes or significantly influences decisions in these domains, you're high risk.

Elena: Limited risk is broader and less onerous: chatbots must disclose they're AI, deepfakes must be labelled, emotion recognition systems must inform users. Most consumer AI products fall here.

Elena: For founders: the hardest question is usually "does my product fall in high risk?" The answer depends on whether your AI makes or materially influences a regulated decision, and how automated that decision is. If you're not sure, you need a lawyer — this is not a question to guess at.