The European AI Act (Regulation (EU) 2024/1689) is a thick stack of legal text, but the idea behind it fits on a beer mat: the greater the risk an AI application poses to people, the stricter the rules. The law does not regulate “AI” as a technology — it regulates what you do with it.

That produces a ladder with four rungs. Below we walk through them, from the top (prohibited) to the bottom (hardly any rules) — and at each rung we look at what it means for someone who simply works with AI in an office, a hospital or a classroom.

Rung 1: prohibited practices

At the top of the ladder sit AI applications the EU considers so harmful that they are simply banned. These prohibitions (Article 5 of the regulation) have applied since 2 February 2025. Examples of what is prohibited:

What does this mean for you as a user? You are unlikely to encounter these systems in your daily work — which is exactly the point. The practical takeaway: if a vendor offers something in this neighbourhood (say, software that monitors employees’ “mood”), that is a red flag to raise internally straight away. Well-intentioned tools can still fall into the prohibited category.

Rung 2: high-risk

The second rung is what most of the legal text is about. High-risk AI systems are allowed, but under strict conditions. These are AI applications in domains where an error can seriously affect someone’s life. The regulation lists, among others:

These systems face requirements such as risk management, training data quality, logging, documentation, human oversight and accuracy. Most of those duties fall on the provider (the party that builds the system or markets it under its own name), but the deployer — the organisation putting the system to use — has duties too: using the system according to its instructions, organising human oversight and checking relevant input.

What does this mean for you as a user? If you work with such a system — for example, as a recruiter using AI-assisted CV screening — you are often the person who provides that human oversight in practice. That is not a formality: it means you must be able to judge when the system gets it wrong, and you are both allowed and expected to overrule its output when necessary. This is precisely why Article 4 of the regulation requires AI literacy appropriate to your role.

Rung 3: transparency obligations

The third rung contains AI that is not high-risk, but where people still have the right to know that AI is involved. The core rules:

What does this mean for you as a user? This is the rung that most often touches your own work. Putting a chatbot on your organisation’s website? Then visitors must know they are not talking to a human. Publishing AI-generated images or video in a context where people might take them for real? Then honesty is required. The rule of thumb is simple and frankly just good manners: do not let people believe something is human or real when it is not.

Rung 4: minimal risk

At the bottom of the ladder sits by far the largest category: AI applications with minimal risk. Think spam filters, text suggestions, translation tools, AI in games, recommendations in a music app. The regulation imposes no specific obligations here; voluntary codes of conduct are encouraged.

What does this mean for you as a user? “Minimal risk under the AI Act” does not mean “risk-free for you”. A language model you use to draft a customer email sits low on the ladder, but it can still invent facts or — if you paste personal data into it — create a GDPR problem. The ladder measures the risk of the system; your use determines the risk of the situation.

Remember the ladder like this: prohibited = not allowed, full stop. High-risk = allowed, but with strict requirements and human oversight. Transparency = allowed, but be honest that it is AI. Minimal risk = no specific AI Act rules, but common sense and the GDPR always apply.

What about generative AI like ChatGPT?

General-purpose AI models (GPAI, including the large language models) have their own track in the regulation, with obligations for the model providers — such as technical documentation and transparency about training data. For you as a user, little changes in day-to-day work: what matters most is which rung the application using such a model sits on. The same chat feature can be minimal risk as a brainstorming aid and part of a high-risk system when it assesses job applicants.

What should you actually do with this?

  1. Know which AI systems your organisation uses and which rung they sit on. Often nobody knows this precisely — which makes it the obvious first action.
  2. Working with a high-risk system? Ask for the instructions for use and the arrangements for human oversight.
  3. Be transparent about chatbots and AI-generated content, even when nobody asks.
  4. Do not treat “minimal risk” as “no risk”: check output and keep personal data out of public tools.

On top of this, employers face the AI literacy obligation of Article 4 — our page for employers explains how to approach it practically.
