The European AI Act (Regulation (EU) 2024/1689) is a thick stack of legal text, but the idea behind it fits on a beer mat: the greater the risk an AI application poses to people, the stricter the rules. The law does not regulate “AI” as a technology — it regulates what you do with it.
That produces a ladder with four rungs. Below we walk through them, from the top (prohibited) to the bottom (hardly any rules) — and at each rung we look at what it means for someone who simply works with AI in an office, a hospital or a classroom.
Rung 1: prohibited practices
At the top of the ladder sit AI applications the EU considers so harmful that they are simply banned. These prohibitions (Article 5 of the regulation) have applied since 2 February 2025. Examples of what is prohibited:
- Manipulative AI that influences people beyond their awareness in ways that cause harm, or that exploits the vulnerabilities of, say, children or people with disabilities.
- Social scoring: giving people a general score based on behaviour or personal characteristics, with detrimental consequences in unrelated contexts.
- Emotion recognition in the workplace and in education, except for medical or safety reasons.
- Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases.
- Predicting criminal behaviour of individuals based purely on profiling or personality traits.
What does this mean for you as a user? You are unlikely to encounter these systems in your daily work — which is exactly the point. The practical takeaway: if a vendor offers something in this neighbourhood (say, software that monitors employees’ “mood”), that is a red flag to raise internally straight away. Well-intentioned tools can still fall into the prohibited category.
Rung 2: high-risk
The second rung is what most of the legal text is about. High-risk AI systems are allowed, but under strict conditions. These are AI applications in domains where an error can seriously affect someone’s life. The regulation lists, among others:
- AI in recruitment and HR: screening CVs, ranking applicants, supporting decisions on promotion or dismissal.
- AI in education: admissions, assessing students, detecting cheating in exams.
- AI in essential services: credit scoring, risk assessment in insurance.
- AI in law enforcement, migration and the administration of justice.
- AI as a safety component in products and critical infrastructure.
These systems face requirements such as risk management, training data quality, logging, documentation, human oversight and accuracy. Most of those duties fall on the provider (the party that builds the system or markets it under its own name), but the deployer — the organisation putting the system to use — has duties too: using the system according to its instructions, organising human oversight and checking that the input data is relevant.
What does this mean for you as a user? If you work with such a system — for example, as a recruiter using AI-assisted CV screening — you are often the person who provides that human oversight in practice. That is not a formality: it means you must be able to judge when the system gets it wrong, and you may, and when necessary must, overrule its output. This is precisely why Article 4 of the regulation requires AI literacy appropriate to your role.
Rung 3: transparency obligations
The third rung contains AI that is not high-risk, but where people still have the right to know that AI is involved. The core rules:
- Chatbots: if you are communicating with an AI system, that must be made clear — unless it is already obvious from the context.
- AI-generated content: synthetic audio, images and video must be marked as such in a machine-readable way.
- Deepfakes: anyone generating or manipulating realistic-looking images, audio or video must disclose it.
- Emotion recognition and biometric categorisation (where permitted): the people involved must be informed.
What does this mean for you as a user? This is the rung that most often touches your own work. Putting a chatbot on your organisation’s website? Then visitors must know they are not talking to a human. Publishing AI-generated images or video in a context where people might take them for real? Then honesty is required. The rule of thumb is simple and frankly just good manners: do not let people believe something is human or real when it is not.
Rung 4: minimal risk
At the bottom of the ladder sits by far the largest category: AI applications with minimal risk. Think spam filters, text suggestions, translation tools, AI in games, recommendations in a music app. The regulation imposes no specific obligations here; voluntary codes of conduct are encouraged.
What does this mean for you as a user? “Minimal risk under the AI Act” does not mean “risk-free for you”. A language model you use to draft a customer email sits low on the ladder, but it can still invent facts or — if you paste personal data into it — create a GDPR problem. The ladder measures the risk of the system; your use determines the risk of the situation.
Remember the ladder like this: prohibited = not allowed, full stop. High-risk = allowed, but with strict requirements and human oversight. Transparency = allowed, but be honest that it is AI. Minimal risk = no specific AI Act rules, but common sense and the GDPR always apply.
What about generative AI like ChatGPT?
General-purpose AI models (GPAI, including the large language models) have their own track in the regulation, with obligations for the model providers — such as technical documentation and transparency about training data. For you as a user, little changes in day-to-day work: what matters most is which rung the application using such a model sits on. The same chat feature can be minimal risk as a brainstorming aid and part of a high-risk system when it assesses job applicants.
What should you actually do with this?
- Know which AI systems your organisation uses and which rung they sit on. Often nobody knows this precisely — which makes it the obvious first action.
- Working with a high-risk system? Ask for the instructions for use and the arrangements for human oversight.
- Be transparent about chatbots and AI-generated content, even when nobody asks.
- Do not treat “minimal risk” as “no risk”: check output and keep personal data out of public tools.
On top of this, employers face the AI literacy obligation of Article 4 — our page for employers explains how to approach it practically.
Want to test how well you know the risk ladder and the rest of the basics? Take the free quiz, or go deeper with our AI literacy course.