The AI Readyist

EU AI Act Navigator

Understand which tier your AI systems fall into — and what that means for your P&L, controls, and accountability.

Regulation (EU) 2024/1689
In force from Aug 2026
Risk Tier Reference
Tier 1
Unacceptable Risk
Prohibited outright. Deploying these systems is a legal violation — not a compliance gap.
Banned · No compliance path

What triggers this

  • Real-time biometric surveillance in public spaces
  • Social scoring by governments or employers
  • AI exploiting psychological vulnerabilities to manipulate behaviour
  • Predictive policing based on profiling
  • Subliminal manipulation techniques

Executive implication

If any system in your portfolio matches these descriptions — even partially — the correct action is immediate decommissioning, not remediation. There is no conformity path. Legal exposure extends to directors personally in most member states.

Enforcement exposure

€35M or 7% of global turnover

Whichever is higher. The highest penalty band in the Act. Criminal referral is possible in some jurisdictions.

Tier 2
High Risk
Heaviest obligations. This is where most enterprise AI programmes live — and most compliance gaps sit.
Significant cost · Board-level risk

What triggers this

  • HR and recruitment AI (screening, scoring, ranking)
  • Credit scoring and lending decisions
  • Insurance risk assessment
  • Medical devices and clinical decision support
  • Critical infrastructure (energy, water, transport)
  • Education assessment systems
  • Law enforcement tools

What compliance requires

  • Conformity assessment before deployment
  • Human oversight mechanisms built in
  • Audit trail and logging (retained)
  • Registration in the EU AI Act database
  • Technical documentation to prescribed standard
  • Data governance and bias testing
  • Designated accountability owner

Enforcement exposure

€15M or 3% of global turnover

Plus market withdrawal orders, suspension of systems, and reputational exposure. Procurement-blocking in public sector contracts likely.

Tier 3
Limited Risk
Transparency obligations only. Users must know they are interacting with AI.
Low compliance cost · Manageable

What triggers this

  • Customer-facing chatbots and virtual assistants
  • AI-generated content (text, images, audio, video)
  • Deepfake or synthetic media tools
  • Emotion recognition in customer interactions

What compliance requires

  • Disclose that users are interacting with AI — not a human
  • Label AI-generated content as such
  • Mark synthetic media (deepfakes) clearly
  • No technical documentation or registration required

Enforcement exposure

€7.5M or 1.5% of global turnover

Penalties apply for failure to disclose AI identity. Compliance cost is low — the risk of non-compliance here is primarily reputational.

Tier 4
Minimal Risk
No mandatory obligations. The majority of AI in use today falls here.
No compliance cost · No obligation

What falls here

  • Spam and content filters
  • Recommendation engines (unless consequential decisions)
  • AI in video games
  • Predictive maintenance (non-critical infrastructure)
  • Internal productivity tools with no personnel decision output

What compliance requires

Nothing mandatory. The Act encourages voluntary adoption of codes of conduct, but imposes no legal requirement. The CIO/CFO task here is simply to confirm systems are correctly classified — not assumed to be minimal risk.

Key risk

Misclassification is the real exposure

A system that appears minimal risk may be high risk if its outputs feed into decisions about people. Document your reasoning — not just your conclusion.

Tier Classifier
Which tier are your AI systems in?

Answer four questions. Takes 90 seconds. Gets you a starting position — not a legal opinion.

Question 01 / 04
Does any AI system in your portfolio make — or directly inform — decisions about individual people: employment, credit, insurance, healthcare, or access to essential services?
Question 02 / 04
Does any AI system interact directly with customers or employees in a way that could be mistaken for a human — for example, a chatbot, virtual agent, or AI-generated communication?
Question 03 / 04
Does any AI system operate on or near critical infrastructure — energy, water, transport, financial networks — where a failure could affect public safety or continuity of service?
Question 04 / 04
Has your organisation completed a formal inventory of all AI systems in production — including those embedded in third-party software or procured from vendors?