← All Demos
EU AI Act Lab · Instrument I · Classification

The Navigator

Where does your AI system land under the EU AI Act? · robert@barcik.training
Take this with a grain of salt. This is an educational tool built by an engineer-educator, not legal advice, and I can't be held liable for decisions based on it — for anything consequential, consult your legal representative. It is grounded in Regulation (EU) 2024/1689 and the politically agreed Digital Omnibus amendments (Parliament 16 June 2026, Council 29 June 2026), which were not yet published in the Official Journal as of this tool's last data refresh (12 July 2026) — verify current dates on EUR-Lex. The European Commission runs its own official questionnaire, the AI Act Service Desk Compliance Checker — use both, and if they disagree, that disagreement is worth writing down.

Answer a few questions about a real AI system — yours, your vendor's, the one your boss just bought — and see the risk tier it lands in, the obligations that follow (with article citations), and the dates that actually apply to you after the 2026 Digital Omnibus. Unlike a checklist, this walks the same reasoning a classification memo does: definition, routes, derogation, role.

Or load a worked example
Scope Role GPAI Banned? High-Risk Filter Disclose Result
Step 1 — Is it even an "AI system"?

The Act's definition Art 3(1) asks whether the system infers from the input it receives how to generate outputs (predictions, content, recommendations, decisions) with some level of autonomy. Classification runs on this and on intended purpose — not on whether it says "AI" in the marketing.

Yes — it infers. An ML model, an LLM, a recommender: input goes in, the system works out the output itself.
Rules out the "traditional software / fixed deterministic rules" carve-out in the Commission's definition guidelines.
No — fixed deterministic rules. Every output is explicitly programmed; nothing is learned or inferred.
Likely outside the Art 3(1) definition — a spreadsheet formula doesn't become AI by being useful.
Not sure.
Common for complex rule engines with statistical components — worth documenting either way.
Scope exclusions — does any of these fully describe the system? (Art 2)
Used exclusively for military, defence or national security purposes Art 2(3)
Developed and used solely for scientific research and development Art 2(6)
Still in pre-market research/testing/development — and not being tested in real-world conditions Art 2(8)
You only use it in a purely personal, non-professional capacity Art 2(10)
Released under a free and open-source licence Art 2(12)
Careful: this exclusion evaporates if the system is high-risk, prohibited (Art 5), or triggers Art 50 transparency — keep answering.
None of these — it's on the EU market or in service, professionally.
Step 2 — Your role in the value chain (Art 3)

Obligations attach to roles, not to companies. The same company is often provider of one system and deployer of five others. Select all that apply to this system.

Provider — you develop it (or have it developed) and place it on the market or into service under your own name Art 3(3)
Deployer — you use it under your authority, professionally Art 3(4)
Importer — you're in the EU, placing on the market a system bearing a non-EU company's name Art 3(6)
Distributor — you make it available on the EU market without being provider or importer Art 3(7)
The Article 25 trap — do any of these apply?

Certain moves silently turn you into the provider, with the full provider obligation set Art 25(1):

You put your own name or trademark on someone else's high-risk system Art 25(1)(a)
You substantially modify a high-risk system already on the market Art 25(1)(b)
You change the intended purpose of a system (incl. a general-purpose AI system) so that it becomes high-risk Art 25(1)(c)
None of these.
Pending Omnibus change: Art 25 gains expanded upstream→downstream information-sharing duties, backed by a new fine tier (up to €15m / 3% of turnover) — agreed, awaiting Official Journal publication.
Step 3 — General-purpose AI models (Chapter V)

This is about providing the model itself, not building a product on top of someone's API. These obligations are already live — they have applied since 2 August 2025, and formal AI Office enforcement (including fines) activates 2 August 2026.

No — we build on someone else's model (API or weights); we don't place a GPAI model on the market ourselves.
Fine-tuning note: you become a model provider only if your modification is substantial — the indicative presumption is compute exceeding roughly one-third of the original training compute. Few fine-tuners cross this.
Yes — we place a general-purpose AI model on the EU market Art 53
Yes, released free & open-source — weights, architecture and usage info publicly available Art 53(2)
Exempts you from the technical-documentation and downstream-info duties — but the copyright policy and training-content summary still apply.
Yes — with systemic risk: training compute above 10²⁵ FLOPs, or Commission-designated Art 51 Art 55
The open-source exemption never applies here. You must notify the Commission within 2 weeks of (expecting to) meet the threshold.
Step 4 — The red lines: prohibited practices (Art 5, banned since 2 Feb 2025)

Does the system do any of the following? Be honest — this tier carries the Act's heaviest fines (up to €35m or 7% of worldwide turnover).

Subliminal, manipulative or deceptive techniques that materially distort behaviour and cause significant harm Art 5(1)(a)
Exploits vulnerabilities of age, disability, or social/economic situation to distort behaviour, causing significant harm Art 5(1)(b)
Social scoring — evaluating people on social behaviour or inferred traits, leading to detrimental treatment in unrelated contexts or disproportionate to the behaviour Art 5(1)(c)
Predicts that a specific person will commit a crime based solely on profiling or personality traits Art 5(1)(d)
Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases Art 5(1)(e)
Infers emotions in the workplace or education (except medical/safety reasons) Art 5(1)(f)
Biometric categorisation inferring race, political opinions, union membership, beliefs, sex life or orientation Art 5(1)(g)
Real-time remote biometric identification in publicly accessible spaces for law enforcement (outside the narrow Art 5(1)(h)(i)–(iii) exceptions) Art 5(1)(h)
Generates non-consensual intimate imagery or child sexual abuse material PENDING — from 2 Dec 2026
New prohibition added by the agreed Digital Omnibus; not yet in force (awaiting Official Journal publication).
None of these.
Step 5a — Route one: product-safety (Art 6(1) + Annex I)

Is the system a safety component of (or itself) a product covered by Annex I legislation — machinery, medical devices (MDR/IVDR), toys, lifts, radio equipment, pressure equipment, vehicles — AND does that product require third-party conformity assessment under that legislation? Both parts must be yes.

Yes, both — e.g. AI in a Class IIa+ medical device, or a safety function in certified machinery.
No — it's software with no regulated-product safety role.
Not sure — it touches a regulated product but I don't know its conformity-assessment route.
Two 2026 updates worth knowing: the agreed Omnibus narrows "safety component" (pure user-assistance, optimisation, efficiency or quality-control functions are out, unless failure could endanger health or safety), and for medical devices, MDCG 2025-6 confirms that self-certified Class I devices do not trigger this route — no third-party conformity assessment, no Art 6(1). Class IIa and up do.
Step 5b — Route two: use cases (Art 6(2) + Annex III)

The two routes are an OR — check this one regardless of 5a. Does the system's intended purpose fall into any of the eight areas? Select all that match.

1 · Biometrics Annex III pt 1
Remote biometric identification (not mere verification); biometric categorisation by sensitive attributes; emotion recognition.
2 · Critical infrastructure Annex III pt 2
Safety components managing critical digital infrastructure, road traffic, or water/gas/heating/electricity supply.
3 · Education Annex III pt 3
Admission/access decisions; evaluating learning outcomes; level placement; exam-cheating detection.
4 · Employment Annex III pt 4
Recruitment/selection: targeted ads, CV filtering, candidate evaluation. Promotion, termination, task allocation, performance monitoring.
5 · Essential services Annex III pt 5
Public-benefit eligibility (public authorities); creditworthiness/credit scoring (not fraud detection); life & health insurance risk/pricing; emergency-call triage and dispatch.
6 · Law enforcement Annex III pt 6
Victim-risk assessment; polygraphs; evidence-reliability evaluation; offending-risk assessment; criminal profiling.
7 · Migration & borders Annex III pt 7
Polygraphs; security/migration/health risk assessment; asylum/visa/residence application processing; identifying persons (not document checks).
8 · Justice & democracy Annex III pt 8
Assisting judges in researching/applying law; influencing elections or voting behaviour (campaign-logistics tools excluded).
None of these areas — general business software, marketing, internal productivity, customer support…
Step 6 — The Article 6(3) filter

An Annex III match is not the end of the story. The system escapes high-risk classification if it "does not pose a significant risk of harm… including by not materially influencing the outcome of decision making" Art 6(3) — shown by meeting at least one condition below. First, though, the override:

The system performs profiling of natural persons — automated processing of personal data to evaluate personal aspects (performance, behaviour, preferences, economic situation, health…)
Then it is always high-risk, no matter what — the profiling carve-out overrides every condition below Art 6(3) last subpara
No profiling of natural persons.

Does the system meet at least one of the four conditions? Select any that genuinely apply:

It performs a narrow procedural task Art 6(3)(a)
It improves the result of a previously completed human activity Art 6(3)(b)
It detects decision-making patterns or deviations without replacing or influencing the prior human assessment Art 6(3)(c)
It performs a preparatory task to an Annex III-relevant assessment Art 6(3)(d)
None apply — the system materially influences the actual decision.
If you invoke this derogation, you must document the assessment before market placement and register in the EU database Art 6(4) Art 49(2). The Commission's practical examples for these conditions are in the draft Art 6(5) classification guidelines (published 19 May 2026, final expected end of 2026) — draft, not settled law.
Step 7 — Transparency duties (Art 50, applies from 2 Aug 2026 — not deferred by the Omnibus)

These sit on top of whatever tier you're in. Select everything that describes the system or how you use it:

It interacts directly with people — chatbot, voice agent, avatar Art 50(1)
Provider duty: people must be told (or it must be obvious) that they're talking to AI.
It generates synthetic audio, images, video or text Art 50(2)
Provider duty: mark outputs as machine-readable/detectable as AI-generated. Grace to 2 Dec 2026 only for systems already on the market by 2 Aug 2026.
You publish deepfakes — AI-generated/manipulated content depicting real people, places or events Art 50(4)
Deployer duty: disclose the artificial origin (lighter form for evidently artistic/satirical works).
You operate emotion recognition or biometric categorisation on people Art 50(3)
Deployer duty: inform exposed persons. (Outside workplace/education — inside those, see Art 5(1)(f) above.)
You publish AI-generated text on matters of public interest Art 50(4)
Deployer duty: disclose — unless a human editor with editorial responsibility reviewed it.
None of these.
Classification record · generated by The Navigator

Where your system lands

Your obligations, by role
Your timeline — what applies when (post-Omnibus dates)
Date caveat: the deferred dates (2 Dec 2027 / 2 Aug 2028) come from the agreed Digital Omnibus text, which was not yet published in the Official Journal as of 12 July 2026. They are fixed calendar dates (Parliament and Council rejected making them conditional on standards readiness) — but verify on EUR-Lex that Regulation (EU) 2026/xxx has been published before relying on them.
Sensible next steps
    Where this tool comes from. This navigator condenses the classification method I teach in depth — the Article 3(1) test, the two Article 6 routes, the derogation walk-through, and the classification memo you should write at the end of it. It is grounded in the full text of Regulation (EU) 2024/1689, the draft Commission classification guidelines, and the agreed 2026 Digital Omnibus. For trainings and course material on engineering AI Act compliance: barcik.training · For the official word: the EU AI Act Service Desk Compliance Checker and the Act itself on EUR-Lex.

    Next instrument in the Lab: The Paper Trail — you classified it; now survive conformity.
    Memo copied to clipboard!