Classify an AI feature, model, supplier tool, or business workflow before assigning EU AI Act obligations.
Use the test to separate excluded activity from in-scope AI, identify the operator role, route prohibited, high-risk, GPAI, and transparency categories, and preserve the evidence behind the decision.
Structured answer sets in this page tree.
Cited legal and guidance references.
The EU AI Act applicability test should answer a narrow sequence of questions: is the item an AI system or a general-purpose AI model, is the activity excluded, is there an EU market, use, or output link, which operator role applies, and which risk or transparency category controls the next obligation. Keep the answer as a classification record, not as a broad policy memo.
Begin with the object being classified. The AI Act defines an AI system as a machine-based system designed to operate with varying autonomy that may adapt after deployment and infers, for explicit or implicit objectives, outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
Do not treat every automated workflow as an AI system. Recital 12 explains that the definition should not cover systems based only on rules defined by natural persons to automatically execute operations, and that inference is what distinguishes AI systems from simpler traditional software or basic data processing. A general-purpose AI model is different again: the Act treats models as components that need further elements, such as a user interface, to become AI systems.
After the object is described, screen for exclusions. The grounding sources identify exemptions for research, development, and prototyping before market release, and for AI systems exclusively designed for military, defence, or national security purposes.
The exclusion should be written narrowly. If a system built for an excluded purpose is later placed on the market, put into service, or used for a civilian, law-enforcement, public-security, or other non-excluded purpose, the applicability record should be reopened instead of carrying the old exclusion forward.
The AI Act can apply to public and private actors inside and outside the EU when they place an AI system or GPAI model on the EU market, put an AI system into service, use it in the EU, or generate AI output used in the EU. The applicability record should state the exact EU link, not just whether the company is established in the Union.
Then assign the operator role for the same fact pattern. A product team may be a provider for one system, a deployer of a vendor system in another workflow, and a downstream provider if it integrates a GPAI model into its own AI system. Role drives the next evidence request.
Classify in order. First screen for prohibited AI practices because a banned use should not proceed as a normal compliance backlog. Then test high-risk status under product-safety links and Annex III use areas. After that, check transparency obligations for specific interactive or generative AI systems, and GPAI model obligations for model providers.
Minimal or no-risk classification is a residual answer. It should be used only after the prohibited, high-risk, transparency, and GPAI checks have been documented.
The output of the applicability test should be a record that another reviewer can repeat. It should include the product facts, classification answer, source citation, owner, role decision, risk route, excluded-facts analysis, and the evidence used to support each conclusion.
For high-risk systems, the record should point to the downstream compliance artifacts: technical documentation, risk management, data governance, logging, instructions for use, human oversight, accuracy, robustness, cybersecurity, conformity assessment, registration, post-market monitoring, incident reporting, and deployer monitoring where relevant. For GPAI models, preserve model documentation, downstream provider information, representative mandate where required, and systemic-risk material where applicable.
Ask what object is being classified: an AI system, a GPAI model, traditional rules-based software, or a manual activity. The AI system definition turns on machine-based inference of outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
Yes, Article 6(3) allows a provider to classify certain Annex III systems as not high-risk where the system does not pose a significant risk of harm and meets the listed conditions, such as a narrow procedural task or preparatory task. The provider should document the assessment and register the system as required.
Keep the system or model description, intended purpose, EU scope facts, exclusion analysis, operator-role map, prohibited and high-risk screens, transparency and GPAI checks, source URLs, approvals, attached product evidence, and reassessment triggers.
Sorena can help turn the applicability steps on this page into cited intake questions, owner assignments, evidence requests, and reusable review logic for EU AI Act work.
Ask source-linked questions about AI Act scope, roles, high-risk routing, GPAI, transparency obligations, and evidence records using the cited sources on this page.
Review your AI Act applicability workflow, source gaps, and next implementation steps with Sorena.
"sufficient level of AI literacy"
"register themselves and their system"
"appoint an authorised representative"
"The AI Act defines 4 levels of risk"
"scope of the obligations for providers"
"inside and outside the EU"
"documentation of the assessment"