Risk categories and obligations
Prohibited practice (Art. 5)
This use is outright banned in the EU — it cannot be mitigated, only stopped. It carries the highest fines in the regulation.
High risk (Annex III/I)
The heaviest set of duties: risk management, data governance, documentation, human oversight, conformity assessment.
GPAI model (Chapter V)
A dedicated regime for providers of general-purpose AI models; extra duties for systemic risk (training above 10^25 FLOP).
GPAI in use
You build on a third-party AI model (such as GPT, Claude or Gemini). The GPAI regime targets that model's provider — but you must be able to rely on their compliance (vendor assessment) and, where outputs reach the public, follow the transparency duty (Art. 50). Note: if you substantially modify the model and place it on the market under your own name, you may become a provider yourself.
Transparency (Art. 50)
A duty to make AI recognisable: disclose chatbots, mark synthetic output machine-readably, label deepfakes.
AI literacy (Art. 4)
Anyone developing or deploying AI must ensure a sufficient level of AI literacy among staff.
Minimal risk
Most AI applications fall here; voluntary codes of conduct are encouraged.