Which EU AI Act duties
apply to your AI?
Answer a few targeted questions and see right away which risk class your AI use case falls into – including the tricky Art. 6(3) exemption – and which duties follow. Based on the current EU AI Act incl. the 2026 Omnibus changes. No sign-up, no data transfer.
Step by step to your risk orientation
We check from the strictest to the mildest class and stop at the first match. The result is a well-founded indication – not legal advice and not a binding classification.
What is your role regarding the AI system?
Your role determines which duties apply. If unsure, choose "both / unclear".
How do you use the system?
Anyone who substantially modifies a system or uses it under their own name becomes a provider themselves – with the provider's duties.
Do you provide a general-purpose AI model (GPAI) yourself?
This means a broadly usable foundation model (e.g. your own large language model) that others build on – not the mere use of ChatGPT & co.
Does the system pursue any of these purposes? (Art. 5)
Multiple selection possible – pick everything that applies, otherwise "None of these".
In which area is the system used?
The high-risk areas under Annex III. Pick the closest fit – or "none".
How does the system intervene in this area?
Decisive (Art. 6(3)): not every system in a high-risk area is automatically high-risk.
Does the system perform profiling of natural persons?
Automated evaluation of personal aspects (e.g. behaviour, performance, interests). If yes, it remains high-risk despite the exemption.
Does any of these apply? (Art. 50)
Multiple selection possible – pick everything that applies, otherwise "None of these".
Your input points to a practice prohibited under Art. 5: –. Such systems may not be placed on the market or used in the EU.
⚠ Note on "AI-generated intimate / abuse imagery": this prohibition is not yet in force. It is based on a provisional agreement (Digital Omnibus, 7 May 2026) and is expected to apply from 2 December 2026 – subject to formal adoption and publication in the EU Official Journal. The other Art. 5 prohibitions have applied since February 2025.
ℹ Whether a prohibition actually applies depends on the detail – a few narrowly defined exceptions exist. Have this point checked legally without fail.
Your use in the area of – points to a high-risk system. This brings extensive duties – depending on your role.
⚠ You were unsure on the Art. 6(3) question. When in doubt, this is treated as high-risk – exactly this point is decisive and should be reviewed.
As a provider, among others: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy & robustness, conformity assessment + CE marking.
As a deployer, among others: use according to the provider's instructions, ensure human oversight, monitor operation, keep logs, inform affected persons, data protection impact assessment where applicable.
⚠ Under current law the duties apply from 2 August 2026. The Digital Omnibus proposes to postpone this to an expected 2 December 2027 (stand-alone systems) or 2 August 2028 (embedded in regulated products) – but as of June 2026 this is not yet finally adopted (subject to adoption and publication in the Official Journal).
Your system sits in the Annex III area –, but only performs a narrow or preparatory function there. It is therefore probably NOT high-risk under Art. 6(3) – even though the area is covered in principle.
⚠ However: as a provider you must document this assessment (Art. 6(4)) before placing it on the market and register the system where applicable. The exemption falls away as soon as profiling of natural persons takes place.
ℹ The Art. 6(3) classification is the trickiest point of the AI Act – we assess it robustly with you.
Your system is probably not high-risk, but is subject to transparency duties – triggered by: –.
✓ Duty: people must be able to tell they are interacting with an AI; AI-generated or altered content must be labelled as such. These duties apply from August 2026.
Based on your answers, the system probably falls into the minimal risk class – without specific duties under the AI Act. Voluntary codes of conduct and good documentation are nonetheless recommended.
ℹ Because you substantially modify the system or use it under your own name, you legally count as a provider – with the provider's duties.
✓ You provide a general-purpose AI model (GPAI): this carries its own duties (technical documentation, copyright / training-data transparency, additional obligations in case of systemic risk) – since August 2025, on top of the risk class above.
✓ Regardless of the class: Art. 4 requires providers and deployers to ensure a sufficient level of AI literacy among their staff (a softening via the Omnibus is planned but not yet adopted). More in our training.
How does this classification work?
The EU AI Act classifies a system into its highest applicable risk class – so we check from strict to mild and stop at the first match: prohibited (Art. 5) → high (Art. 6 + Annex III) → limited / transparency (Art. 50) → minimal.
A special feature is Art. 6(3): even within an Annex III area, a system is not high-risk if it only performs a narrow, preparatory or merely supporting function – unless it carries out profiling of natural persons. Anyone relying on this must document it under Art. 6(4).
The specific duties additionally depend on your role (provider or deployer) and on whether you provide a general-purpose AI model (GPAI) (its own duties since August 2025).
Status June 2026. The AI Act is currently being amended via the "Digital Omnibus" (political agreement May 2026, final publication expected). In particular, the deadlines for high-risk systems have been postponed. We keep the check up to date.
Legal basis: Art. 5, Art. 6, Annex III and Art. 50 EU AI Act (as of 2026, incl. Omnibus compromise).
The four risk classes at a glance
The EU AI Act regulates by risk – the higher the risk, the stricter the duties. The check above guides you automatically to the right class.
Prohibited
Art. 5 · prohibited practices
- e.g. social scoring, manipulative systems, biometric mass surveillance
- In force since February 2025
- Consequence: no placing on the market, no use
High-risk
Art. 6 + Annex III
- e.g. HR/recruiting, credit scoring, critical infrastructure
- Extensive duties depending on role
- Exemption via Art. 6(3) possible · duties from 2 Aug 2026 (Omnibus: exp. Dec 2027)
Limited risk
Art. 50 · transparency
- e.g. chatbots, AI-generated content / "deepfakes"
- Duty: disclose and label
- Applies from August 2026
Minimal risk
the vast majority of systems
- e.g. spam filters, simple assistance features
- No specific duties under the AI Act
- Voluntary codes of conduct recommended
Trained staff: a duty – and worthwhile anyway
One thing applies to every risk class: the AI Act requires a sufficient level of AI literacy. What that means – and why training pays off twice.
The basic rule
Art. 4 · AI literacy
Since February 2025 it applies: providers and deployers must ensure a sufficient level of AI literacy among their staff. A softening to a mere support duty is planned via the Omnibus – but not yet adopted. Until then, the original, stricter version remains decisive.
For high-risk it stays strict
Art. 26 / 14 · human oversight
Anyone operating a high-risk system must ensure human oversight by sufficiently competent and trained people. The planned Omnibus does not touch this duty – it is the hard core.
Worth it anyway
the real lever
Competent teams make fewer mistakes, use AI more confidently and bring projects to the finish line faster. The biggest gain is not ticking a regulatory box, but the practical benefit.
Eligible for funding – often twice over
Under the German Qualification Opportunities Act (§ 82 SGB III), for employees not only the course costs are subsidised, but also part of the wage during training. This wage subsidy often goes unused – our Funding Check shows in two minutes what's possible for you.