--- title: "EU AI Act AI System Classification Edge Cases FAQ" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases" source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases" author: "Sorena AI" description: "Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU AI Act" - "AI system definition" - "high-risk AI" - "GPAI model" - "embedded AI" - "Article 6" - "Annex III" - "GPAI" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU AI Act AI System Classification Edge Cases FAQ Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. *FAQ* *EU* ## EU AI Act AI System Classification Edge Cases Use this FAQ to classify borderline software, model, product, supplier, and deployment situations under the EU AI Act before assigning obligations. Covers inference versus simple rules, general-purpose AI models versus AI systems, embedded systems, EU territorial scope, operator roles, and evidence for high-risk assessments. EU AI Act classification starts with the thing being assessed: software or model, standalone service or embedded component, EU market or EU use, provider or deployer role, and intended purpose. Borderline cases should be resolved with the Act's definitions and Article 6 classification rules, then documented with enough technical and commercial evidence to repeat the conclusion. ## When is borderline software an AI system under the EU AI Act? A borderline tool is more likely to be an AI system when it is machine-based, operates with some autonomy, and infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions that can influence a physical or virtual environment. A tool is less likely to be an AI system when it only executes rules defined solely by people, such as fixed validation checks, deterministic routing tables, hard-coded eligibility rules, or ordinary calculations with no learning, reasoning, modelling, or inference beyond basic data processing. - Record the inputs, objective, output type, autonomy level, and whether the system derives a model, algorithm, recommendation, prediction, content, or decision from data or encoded knowledge. - Separate deterministic automation from inference: a manually written rule that always produces the same result from the same fields is not enough by itself. - Treat logic- and knowledge-based systems as possible AI systems when they infer from encoded knowledge or symbolic representations, even without machine learning. - Keep the intended-purpose evidence from instructions, sales material, product specifications, and technical documentation because Article 6 high-risk classification depends on purpose and use context. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Supports the Article 3 AI system definition and Recital 12 distinction between inference-based AI and simpler human-defined rule execution. ## How should GPAI model, AI system, and embedded product edge cases be classified? Do not collapse a general-purpose AI model and an AI system into the same record. The model is the reusable capability; the AI system is the deployed or supplied system that uses a model to serve an intended purpose. A downstream provider can integrate a GPAI model into an AI system and then have system-level obligations for that integration. Embedded and product-linked cases need two checks. First, decide whether the AI component itself is an AI system. Second, decide whether Article 6 makes it high-risk because it is a safety component, is itself a covered product, or falls into an Annex III use case. - For GPAI, identify the model, the provider placing the model on the Union market, and any downstream provider integrating it into a specific AI system. - For embedded software, document whether the AI system is physically integrated into the product or serves product functionality without being physically integrated. - For product safety cases, check whether the AI system is a safety component of a product or is itself a product covered by Annex I legislation and subject to third-party conformity assessment. - For Annex III cases, check whether the intended use falls into a listed sensitive area, then assess whether Article 6(3) permits a not-high-risk conclusion; profiling of natural persons remains high-risk. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Supports the separate definitions for AI systems, general-purpose AI models, general-purpose AI systems, safety components, and Article 6 high-risk classification. - [European Commission - Guidelines for providers of general-purpose AI models](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Supports the distinction between GPAI model-provider scope and downstream AI ecosystem roles. - [AI Act Service Desk - Article 6 classification rules](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-6?ref=sorena.io) - Official article page for the high-risk classification rules used to screen product-linked and Annex III edge cases. ## Which scope and role questions change the EU AI Act answer? Territorial scope is not limited to EU-established providers. The Act can apply to providers placing AI systems or GPAI models on the Union market, EU deployers, non-EU providers or deployers whose AI-system output is used in the Union, importers, distributors, product manufacturers, authorised representatives, and affected persons located in the Union. Role classification is fact-specific and can change after launch. A distributor, importer, deployer, or other third party can become the provider of a high-risk AI system if it puts its name or trademark on the system, substantially modifies it, or changes the intended purpose so that the system becomes high-risk. - Map the market path: who develops, brands, imports, distributes, deploys, integrates, or productizes the system or GPAI model. - Record the EU connection: Union market placement, Union putting into service, EU establishment or location of the deployer, Union use of outputs, or affected persons located in the Union. - Check whether a supplier answer covers only the model, only the AI system, only the deployment, or the product into which the system is integrated. - Reclassify after material changes to intended purpose, branding, integration, safety function, user population, EU market availability, or human-impacting use case. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Supports Article 2 territorial scope, Article 3 operator definitions, and Article 25 role changes along the AI value chain. - [European Commission - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Commission FAQ source explaining that the framework applies to public and private actors inside and outside the EU in relevant market or use scenarios. ## What classification evidence should teams keep for EU AI Act edge cases? A defensible classification file should show the same facts a reviewer would need to reach the answer again: the object classified, why it is or is not an AI system, whether it is a GPAI model or a system, the intended purpose, the EU nexus, the operator role, and the high-risk screening result. For high-risk and near-high-risk cases, align the evidence with Annex IV-style system description fields even if the team is still at classification stage: interactions with other hardware or software, form of supply, product integration, development methods, third-party components, output quality, monitoring, limits, and lifecycle changes. - AI system definition evidence: autonomy, inputs, objectives, output type, inference method, model or algorithm derivation, and why simple human-defined rules are or are not enough to describe the tool. - GPAI evidence: model identity, model provider, downstream system provider, integration method, tasks the model can perform, and system-specific intended purpose. - High-risk evidence: Article 6(1) product-safety check, Annex III use-case check, any Article 6(3) not-high-risk rationale, and profiling status. - Role and scope evidence: provider, deployer, importer, distributor, product manufacturer, authorised representative, EU market or output-use facts, branding, substantial modifications, and intended-purpose changes. - Change evidence: version history, technical modifications, deployment context changes, supplier changes, instructions for use, and the date and approver of each reclassification. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Supports the evidence fields from Article 3 definitions, Article 6 classification documentation, Article 25 role changes, and Annex IV technical-documentation content. - [AI Act Service Desk - Article 6 classification rules](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-6?ref=sorena.io) - Supports keeping a documented high-risk or not-high-risk assessment for Annex III edge cases. ## Primary sources - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text supporting AI system definitions, territorial scope, operator roles, high-risk classification, GPAI definitions, value-chain responsibility changes, and Annex IV evidence fields. - Quote: "AI system" - [European Commission - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Commission FAQ used for public explanation of AI Act scope, risk-based classification, high-risk examples, product safety links, deployer obligations, and GPAI context. - Quote: "risk-based approach" - [European Commission - Guidelines for providers of general-purpose AI models](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance page used for GPAI provider-scope context and the distinction between model-provider obligations and downstream AI-system integration. - Quote: "GPAI models" - [AI Act Service Desk - Article 6 classification rules](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-6?ref=sorena.io) - Official AI Act Service Desk article page for high-risk classification under Article 6, including product-linked and Annex III screening. - Quote: "high-risk" ## Topic Guides - [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md): FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/artificial-intelligence-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification. - [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/artificial-intelligence-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records. - [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/artificial-intelligence-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions. - [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/artificial-intelligence-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use. - [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/artificial-intelligence-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties. - [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/artificial-intelligence-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties. - [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/artificial-intelligence-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement. - [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/artificial-intelligence-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning. - [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/artificial-intelligence-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. - [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence. - [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md): FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. - [EU AI Act GPAI evidence pack checklist for Article 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow.md): Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable. - [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls. - [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/artificial-intelligence-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties. - [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/artificial-intelligence-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries. - [EU AI Act high-risk conformity assessment route selector](/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow.md): Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence. - [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/artificial-intelligence-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity. - [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/artificial-intelligence-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines. - [EU AI Act post-market monitoring and serious incident reporting](/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents.md): Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions. - [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring.md): Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. - [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries.md): FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. - [EU AI Act risk classification intake workflow](/artifacts/eu/artificial-intelligence-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers. - [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting. - [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/artificial-intelligence-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring. - [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/artificial-intelligence-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/artificial-intelligence-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations. - [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits. - [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits. - [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies.md): source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. *Recommended next step* *Placement: before sources* ## Turn borderline AI system facts into a reviewed classification file Sorena can help convert model, product, supplier, and deployment facts into a source-cited EU AI Act classification record with role, scope, high-risk, and evidence checks. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about AI system definitions, high-risk classification, GPAI boundaries, and operator roles using the cited sources on this page. - [Talk through implementation](/contact.md): Review your EU AI Act classification edge cases, evidence gaps, and escalation points with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases