Most companies deploying AI in the EU still don’t know what tier they’re in

Most companies deploying AI in the EU still don’t know what tier they’re in.
That’s not an opinion. It’s what I see in every engagement.
The EU AI Act (Reg. 2024/1689) has been in force since August 2024. Prohibited practices have been enforceable since February 2025. GPAI obligations kicked in August 2025. And yet I regularly speak to legal, compliance, and technology teams who cannot answer the most basic question:
Is our AI system prohibited, high-risk, limited risk, or minimal risk?
The confusion is understandable. The regulation is 458 pages. The AI Omnibus (May 2026) extended several deadlines but added a 9th prohibited practice category. The Annex III high-risk use case areas are dense and context-dependent. Article 6 classification logic has two paths, each with its own exceptions.
Most organizations are either over-panicking (“everything we do is high-risk”) or under-preparing (“we have until 2027, it’s fine”). Both postures are wrong, and both are expensive.
So I built a free tool.
The EU AI Act Risk Classifier is a standalone, open HTML tool that runs a full classification assessment against your AI system in under 60 seconds.
Describe your system in plain language. Select your role — provider, deployer, importer, distributor. Hit classify.
The tool runs an 8-step analysis covering:
→ Prohibited practices screen — all 9 Art. 5 categories, including the AI Omnibus addition effective December 2026
→ Risk tier determination — Art. 6 Path A (Annex I product safety components) and Path B (Annex III use cases), with specific area citations when high-risk applies
→ Key obligations — prioritised by Article number and your specific role
→ Compliance deadline — the correct date for your tier, accounting for the AI Omnibus extensions (Annex III standalone systems: 2 December 2027; Annex I embedded products: 2 August 2028)
It’s not a substitute for legal counsel. It’s a starting point that gives you and your counsel something concrete to work from — a defensible first-pass classification with Article citations, not a vendor’s vague risk score.
Who this is for
If you are a provider placing an AI system on the EU market — you need to know your tier before you start building your Art. 9 risk management system or Art. 17 quality management system. Classification is the prerequisite for everything else.
If you are a deployer — an enterprise, financial institution, or SaaS company using AI under your own authority — your Art. 26 obligations depend entirely on whether the system your vendor sold you is high-risk. Most vendors won’t tell you clearly. This tool helps you verify.
If you are a GRC, legal, or compliance professional advising clients on EU AI Act readiness — this is a structured intake tool. Run it before the first scoping call. Walk in with a provisional classification, not a blank page.
The deadline reality check
The AI Omnibus gave many organizations a false sense of relief. Yes, the high-risk Annex III deadline moved to December 2027. But:
- Prohibited practices (Art. 5) have been enforceable since February 2025. The 9th prohibition on non-consensual synthetic intimate imagery applies from December 2026.
- GPAI model obligations (Arts. 53–55) have applied since August 2025. If you are building on a foundation model, you have deployer obligations now.
- Art. 50 transparency obligations for chatbots and synthetic media apply from August 2026.
The extension bought time for high-risk conformity assessment. It did not buy time for everything else.
Get the tool
The classifier is a free, self-hostable HTML file. No login. No data collection. Your API key is used in-memory only — never stored, never logged.
Drop it in your browser. Classify your system. Then call us.
→ Download the EU AI Act Risk Classifier
If the classification comes back high-risk and you need help navigating Arts. 9–17, a gap assessment, or an ISO 42001 implementation to underpin your AIMS — that’s exactly what DISC InfoSec does.
Disc Deura is Principal Consultant at DISC InfoSec (Deura Information Security Consulting LLC). CISSP · CISM · ISO 27001 Lead Implementer · ISO 42001 Lead Implementer · PECB Authorized Training Partner. Two decades across KPMG, IBM, and Intel/McAfee FoundStone. EU AI Act and ISO 42001 pioneer-practitioner.



