SecurSentry
← All notes
EU AI Act

The EU AI Act Risk Tiers, Explained for Small Businesses

Most of the worry about the EU AI Act comes from not knowing which tier your tools sit in. Once you understand the four risk levels — and the one insight that decides them — the picture gets a lot calmer.

The short version

If you have read anything about the EU AI Act, you have probably seen it described in terms of risk levels, and felt a flicker of worry about which one applies to you. Understanding the EU AI Act risk categories is the single most useful thing you can do to settle that worry. Once you know how the four tiers work, most of your tools sort themselves into place. The good news, for most UK SMEs, is that almost everything you use lands in the lighter tiers. Let’s walk through them, plainly.

Why the AI Act sorts AI by risk

The EU AI Act applies heavier rules to AI that can do more harm, and lighter rules — often none — to AI that cannot, so the obligations are proportionate rather than blanket.

The drafters made a deliberate choice not to treat all AI the same. A spam filter and an AI system that decides who gets a mortgage are both “AI,” but the consequences of getting them wrong are worlds apart. So instead of one rulebook for everything, the Act puts each system into one of four tiers and scales the obligations to match. The further down the tiers you go, the lighter the load.

This matters for a small business. It means the scary headlines (conformity assessments, detailed documentation, ongoing oversight) attach to a narrow band of consequential uses, not to the AI writing assistant your team opened this morning. If you want the wider picture of how the Act reaches UK businesses, our EU AI Act small business guide covers scope. Here we are focused on the tiers themselves.

Unacceptable risk (banned): almost certainly not you

The top tier is a short list of AI practices the EU has prohibited outright, and they are the kind of thing a typical SME would never go near.

These are uses the Act considers a clear threat to people’s safety, livelihoods and rights, so they are banned, not merely regulated. The prohibited practices include things like government-style social scoring, manipulative or deceptive systems designed to distort behaviour and cause harm, untargeted scraping of facial images to build recognition databases, inferring people’s emotions in the workplace, and real-time facial recognition in public spaces for law enforcement.

Read that list and the most likely reaction is relief. These are not ordinary business tools. They are practices aimed at preventing serious societal harm. For the overwhelming majority of SMEs, this tier is something to be aware of and then set aside. If nothing you do resembles the above, you are almost certainly clear of it.

High risk: where it could be you (hiring, credit, etc.)

High risk is the tier worth checking carefully: it covers AI used in a defined set of consequential settings, and a few of them — hiring and credit especially — do reach ordinary businesses.

This is the band where real obligations live, and it is defined by where the AI is used. The Act lists the consequential areas, and the ones most likely to touch an SME are:

The key point: you can land in this tier as an end-user, not just as the company that built the AI. If you use a recruitment platform that automatically ranks candidates, or a lending tool that scores applicants, the consequential use is yours even though someone else made the software.

If you think a tool might be high risk

Don't panic, and don't guess. Read the provider's terms. Many state plainly whether their system is intended for high-risk use and what obligations pass to you. Note the use case in your AI tool register, and where hiring, credit or regulated decisions are involved, consider specialist advice. A clearly noted gap is a far better position than an optimistic assumption.

Be honest with yourself here. Saying a tool isn’t high risk is not the same as checking that it isn’t. The heavier high-risk obligations are phasing in through 2026, so this is a tier to understand now rather than later.

Limited risk: the transparency duty (chatbots, AI content)

Limited risk is mostly one practical duty: be honest that AI is involved. Tell people when they are dealing with a machine, and make AI-generated content identifiable.

This tier is where a lot of ordinary, customer-facing AI sits, and the obligation is refreshingly down-to-earth. If your website runs an AI chatbot, people interacting with it should be able to tell they are talking to AI rather than a colleague. If you publish AI-generated content, particularly realistic synthetic images, audio or video, it generally needs to be identifiable as artificially generated.

For most SMEs this is a matter of a clear label, not a major programme of work: a line on the chat widget, a note on a synthetic image. It is one of the easiest obligations to meet well, and meeting it builds trust rather than eroding it. People tend to respect a business that is upfront about where AI is in the loop.

“Limited risk isn’t a hurdle so much as a habit of honesty. Tell people when they’re talking to a machine, and you have done most of what this tier asks.”

Minimal risk: most everyday tools

Minimal risk is the bottom tier and the home of most business AI — writing assistants, summarisers, translators, image generation for everyday use — and it carries no mandatory obligations.

This is where the bulk of the AI you actually use lives. Drafting an email, summarising a long document, translating a message, tidying up a spreadsheet, generating a non-sensitive image for a blog post: these are minimal-risk uses, and the Act imposes no specific rules on them. Responsible use is encouraged as good practice, but there is no compliance checklist waiting for you.

That is the reassuring shape of the whole picture. The tiers narrow sharply as the risk rises. A small number of consequential uses sit near the top; almost everything else sits comfortably at the bottom. If your AI use is mostly the everyday kind, you are mostly in minimal-risk territory, and that is exactly where most SMEs find themselves.

How to work out your own tier (use case, not tool)

To find your tier, look at what each tool is used for, not what it is, because the same AI can sit in different tiers depending on the job you give it.

This is the single insight that makes the whole framework click: the tier follows the use case, not the tool. A general-purpose AI assistant is minimal risk when it drafts your marketing copy and potentially high risk if you wire it into deciding which candidates make the shortlist. Nothing about the software changed. The use did. So the question is never “is this tool risky?” but “what am I using it to do?”

A simple, practical way through it:

  1. List your AI tools. Write down every AI tool your team uses, including the ones that crept in informally. This is the start of an AI tool register, and it is the foundation of everything else.
  2. Note the use case beside each one. Not the product name, the job. “Drafting customer emails.” “Summarising meeting notes.” “Screening applicants.” The job is what determines the tier.
  3. Match each use to a tier. Most will land in minimal or limited risk. Anything touching hiring, credit, education access or essential services goes in a “look closer” pile.
  4. Dig into the closer-look items. For those few, read the provider’s terms, mark honestly what you do and don’t yet have in place, and get specialist advice where the stakes are high.

Done this way, the exercise usually takes a focused afternoon and ends in relief rather than dread: most of the list at the bottom, a short list worth attention at the top, and a clear, honest record of which is which. That record is also the thing you can point to later when a customer, partner or regulator asks how you govern your AI.


The EU AI Act is genuinely complex, and which tier applies can turn on the fine detail of how a specific tool is used. Treat this as an orientation, not a legal assessment. If a tool sits anywhere near the high-risk line, get specialist advice on your particular situation.

SecurSentry is launching soon to help UK SMEs build an AI tool register, sort each use into the right risk tier, and keep an honest record of where you stand, so the evidence is ready when you need to show it. Join the waitlist to be first in line.


This article is general information, not legal or compliance advice. If you have specific contractual, regulatory or legal obligations under the EU AI Act, please seek qualified professional guidance.

Frequently asked questions

What are the four EU AI Act risk categories?

The EU AI Act sorts AI systems into four tiers by the risk they pose. Unacceptable risk covers a small set of practices banned outright. High risk covers AI used in consequential settings such as recruitment, creditworthiness or critical infrastructure, which carries the heaviest obligations. Limited risk covers tools like chatbots and AI-generated content, which mainly carry a transparency duty — people must be told they are dealing with AI. Minimal risk covers everything else, where there are no mandatory obligations. Most everyday business tools fall into the bottom two tiers.

Is my AI tool high risk under the EU AI Act?

Probably not — but it depends on what you use it for, not which product it is. A tool only becomes high risk when it is used in one of the Act's listed consequential areas, such as screening or ranking job applicants, assessing someone's creditworthiness, or making decisions about access to education or essential services. The same tool used for internal drafting or summarising is not high risk. Check how each tool is actually used, and read the provider's terms for tools pointed at those sensitive uses.

What does the limited-risk transparency obligation require?

For limited-risk AI, the headline duty is honesty about the machine. If your website runs an AI chatbot, people interacting with it must be able to tell they are dealing with AI rather than a person. AI-generated content — including realistic synthetic images, audio or video — generally needs to be identifiable as artificially generated. It is one of the more practical obligations for a small business, and usually a matter of a clear label rather than a major project.

Does the EU AI Act apply to UK small businesses?

It can. The Act can reach UK businesses that sell into the EU, process EU residents' data through AI systems, or use EU-built AI whose terms pass obligations downstream. If you operate purely domestically with no EU touchpoints, exposure is likely minimal — but if you rely on cloud-based AI from major providers, it is worth understanding where your uses sit. Our <a href="/blog/eu-ai-act-small-business-guide">EU AI Act small business guide</a> walks through whether you are in scope.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.