The first question the European AI law raises is neither legal nor technical. It is an inventory question: which category does each of your systems fall into? Everything else depends on that answer, both what the law requires of you and what it costs you not to comply. And most organisations cannot answer it, simply because they do not have a list of what their AI does.

Let us remove the mystery, without technical jargon.

The law orders AI by risk, not by technology

The EU AI Act [Source: Regulation (EU) 2024/1689, EUR-Lex, 2024, https://eur-lex.europa.eu/eli/reg/2024/1689/oj] does not look at whether you use a large or a small model. It looks at what you use it for. It singles out three groups that carry obligations; the rest, which is the majority of systems, carries no specific requirements under the Act:

  • Prohibited — forbidden uses (for example, socially scoring individuals). If your case falls here, there is no path to compliance: it simply cannot be used.
  • High-risk — sensitive uses that are permitted, but with serious obligations. This is where the bulk of the work lies.
  • Transparency obligations — for example, informing users that they are interacting with an AI, or labelling AI-generated images, audio or video [Source: Regulation (EU) 2024/1689, art. 50, EUR-Lex, 2024]. These apply regardless of the risk category above.

How to determine whether yours is "high-risk"

There are two routes [Source: Regulation (EU) 2024/1689, art. 6 and Annex III, EUR-Lex, 2024]. The first covers AI that is a safety component of a product already subject to EU product-safety legislation (Annex I), such as medical devices or machinery. The one that affects most organisations is the second: the system's intended use appears on a list (Annex III) of sensitive areas, among them employment and workforce management, access to essential private and public services (including credit scoring), critical infrastructure, and education. If your AI decides or materially influences something on that list, it is likely high-risk.

There is a way out — the law allows you to argue that your specific case does not present a significant risk — but it comes with a catch worth knowing.

The catch: claiming "it is not high-risk" also requires proof

Even if your system's use appears on the list, it may fall outside the high-risk category if it fits one of the exceptions in art. 6.3 (for example, it performs only a narrow procedural task, only a preparatory task to an assessment, or it improves the result of a human activity that has already been completed). But the law demands something in return: the provider must document that assessment in writing before placing the system on the market or putting it into service, register the system in the EU database, and produce the assessment if a national authority requests it [Source: Regulation (EU) 2024/1689, art. 6.3, 6.4 and 49.2, EUR-Lex, 2024]. And there is one limit that admits no exception: if an Annex III system profiles natural persons, it is always high-risk.

In other words: saying "mine does not apply" does not spare you the governance work. It changes its form: instead of fulfilling the high-risk obligations, you must be able to justify, in a document written before the system goes live, why they do not apply to you. Without an inventory of your systems and their purposes, that justification cannot exist.

That is why the problem is one of governance, not of the model

Answering "does it apply to me?" reliably requires three things that have nothing to do with technology:

  1. The list of your AI systems (the ones that exist, not the ones you think exist).
  2. The purpose of each one: what it decides, about whom, with what data.
  3. The documentation to support, when challenged, that your classification is correct: who assessed it, against which criteria, and when.

That is precisely a data governance exercise, the same one that lets AI actually run parts of your business. These are not two projects: the foundation that puts your AI to work is what lets you classify it and defend the classification.

What to do with this

If you do not yet have that list, that is the first step, and it is not a large one: start with one department. In our method, the inventory and risk classification are the first things committed to writing, within the first fifteen days. Not to reassure you, but so that you, and not a third party, know where you stand.

As written, the Regulation applies the Annex III high-risk obligations from 2 August 2026 and the Annex I route from 2 August 2027 [Source: Regulation (EU) 2024/1689, art. 113, EUR-Lex, 2024]. Those dates are subject to a possible deferral under discussion at the European level; confirm them before making calendar-dependent decisions.