AI Chatbot Risk Classification Under the EU AI Act
Classify your chatbot under the EU AI Act: limited-risk (Article 50, Aug 2026), high-risk (Annex III), or prohibited (Article 5). Penalties included.
Most chatbots are not high-risk. That is the right place to start, because the question "what tier does my chatbot sit in?" turns almost entirely on what the chatbot does — not what it is built on or what its vendor calls it. A FAQ bot answering questions about your return policy and a bot that evaluates whether a loan applicant is creditworthy are both "chatbots." Under Regulation (EU) 2024/1689, they sit in completely different compliance categories.
This guide works through the classification logic step by step, names the concrete obligations that follow from each tier, and flags where the prohibited-practices boundary sits for manipulative or deceptive conversational AI.
The four tiers and where chatbots typically fall
The EU AI Act places every AI system into one of four risk tiers:
- Unacceptable risk — prohibited outright under Article 5, with effect from 2 February 2025.
- High risk — Article 6 + Annex III (stand-alone systems) or Annex I (safety components of regulated products). Heavy obligations: risk management under Article 9, technical documentation under Article 11, human oversight under Article 14, conformity assessment under Article 43.
- Limited / transparency risk — Article 50. Disclosure obligations only: tell users they are interacting with an AI.
- Minimal risk — everything else. No mandatory obligations under the Act.
GPAI models (large language models and the like) are a separate, cross-cutting category under Chapter V, Articles 51–56. The underlying model powering a chatbot sits in that category on its own — the chatbot layer is classified separately based on its deployment context and function.
The important practical point: most customer-service, sales, and support chatbots land at limited risk. They disclose and carry on. A chatbot becomes high-risk only if its outputs make or materially influence a decision in one of the eight Annex III domains.
When a chatbot is limited-risk: Article 50(1)
Article 50(1) applies to any AI system "intended to interact directly with natural persons" — chatbots are the primary target. The obligation is straightforward: users must be informed, at the start of the interaction, that they are talking to an AI. This obligation applies from 2 August 2026.
There is a narrow exception: where the context makes it obvious. A clearly labelled automated phone menu or a chatbot in a coding IDE that no reasonable person would mistake for a human can rely on this, but it is a narrow carve-out and should not be assumed without a documented assessment.
A standard customer-service FAQ bot, a retail product recommendation assistant, a technical support chatbot that escalates to humans — all of these are limited-risk. Article 50(1) disclosure is their only mandatory obligation under the Act.
If the chatbot generates synthetic content — for instance, it produces AI-generated images, audio, or video — Article 50(2) also applies, requiring that the synthetic nature of the content be marked. That is a separate obligation, not triggered by conversation alone.
When a chatbot becomes high-risk: the Annex III test
A chatbot is high-risk under Article 6 when it falls within one of the eight Annex III use-case areas. The question is whether the chatbot's output makes or substantially informs a decision that directly affects a natural person in one of those areas.
Of the eight Annex III headings, those most relevant to chatbot deployments:
- Employment and worker management (Annex III, point 4) — a chatbot that screens CVs, ranks applicants, conducts automated interview scoring, or informs decisions about promotion, task allocation, or termination.
- Access to essential services (Annex III, point 5) — a chatbot that evaluates creditworthiness (point 5(b)), informs insurance risk assessment or pricing (point 5(c)), determines eligibility for public benefits, or contributes to emergency dispatch prioritisation. Fraud detection is explicitly excluded from 5(b).
- Education and vocational training (Annex III, point 3) — a chatbot that makes or informs admission decisions, assessment outcomes, or academic performance evaluations.
- Biometrics (Annex III, point 1) — a chatbot that performs biometric categorisation or emotion recognition on users. Note: certain biometric and emotion-recognition uses are outright prohibited under Article 5, not merely high-risk (see below).
- Law enforcement (Annex III, point 6) — a chatbot that contributes to risk profiling of suspects or evidence reliability assessments.
- Migration and border control (Annex III, point 7) — a chatbot that contributes to visa eligibility or asylum claim assessment.
Two concrete examples:
FAQ bot at a bank — answers questions about interest rates, products, and account features; escalates to human agents for decisions. No Annex III function. Limited-risk under Article 50(1).
Loan-eligibility chatbot — collects financial data from applicants and outputs a creditworthiness score or approval recommendation that feeds directly into the lending decision. Annex III, point 5(b). High-risk.
The Article 6(3) filter
An Annex III listing does not automatically make a system high-risk. Article 6(3) creates a documented exception for systems that do not pose a significant risk of harm to health, safety, or fundamental rights. A chatbot may qualify if it performs a narrow procedural task (e.g. document collection), improves the result of a previously completed human activity, or detects patterns without replacing or influencing human assessment.
However, two constraints matter. First, any system that profiles natural persons is always high-risk regardless of the 6(3) analysis. Second, providers claiming the exemption must document their assessment and register the system (Article 49).
When a chatbot is prohibited: Article 5
Article 5 prohibitions have applied since 2 February 2025. A chatbot that crosses these lines is not merely high-risk — it cannot be deployed at all.
The prohibitions most likely to catch a conversational AI:
- Article 5(1)(a) — subliminal techniques or other manipulative methods that circumvent rational agency in a way that causes or is likely to cause significant harm. A chatbot engineered to exploit cognitive biases, create false urgency, or manufacture artificial attachment to extract financial decisions falls here.
- Article 5(1)(b) — exploiting the specific vulnerabilities of a group (age, disability, social or economic situation). A debt-collection chatbot that targets elderly users with known cognitive decline and uses personalised pressure tactics is a plausible candidate.
- Article 5(1)(f) — emotion recognition in the workplace or educational settings. If a chatbot analyses the emotional state of employees or students to influence decisions about them, it is prohibited regardless of the underlying purpose. Not high-risk. Banned.
The line between limited-risk and prohibited is crossed when a chatbot moves from disclosing that it is AI to actively deceiving or manipulating users in ways that damage their interests. The Article 50(1) obligation to disclose AI identity is itself a safeguard against the Article 5(1)(a)/(b) harm vector — but disclosure alone does not cure a manipulative design.
Obligations that attach to a high-risk chatbot
If a chatbot falls within an Annex III area and does not qualify for the Article 6(3) exception, the full high-risk stack applies. The key obligations, with correct article numbers:
| Obligation | Article |
|---|---|
| Risk management system (iterative, documented, maintained throughout lifecycle) | Article 9 |
| Data and data governance (training data, bias testing, quality measures) | Article 10 |
| Technical documentation (see Annex IV for the required content) | Article 11 |
| Record-keeping / logging | Article 12 |
| Transparency to deployers (instructions for use, capabilities and limitations) | Article 13 |
| Human oversight (design for human intervention; meaningful override) | Article 14 |
| Accuracy, robustness, cybersecurity | Article 15 |
| Quality management system (providers) | Article 17 |
| Conformity assessment before placing on the market | Article 43 |
| EU declaration of conformity | Article 47 |
| Registration in the EU database | Article 49 |
| Post-market monitoring | Article 72 |
| Reporting of serious incidents | Article 73 |
Most Annex III chatbots use the internal self-assessment route under Annex VI (Article 43). The notified-body route under Annex VII applies to biometric systems (Annex III, point 1) and a few others.
Who bears these obligations?
If your company builds a high-risk chatbot and places it on the market under its own name, you are the provider (Article 16) and carry the heaviest obligations, including the conformity assessment, technical documentation, and post-market monitoring.
If your company deploys a third-party high-risk chatbot under your authority in a professional context, you are the deployer (Article 26). Your obligations are lighter: follow the provider's instructions, ensure human oversight, keep logs for at least six months (Article 26), and (in some cases) run a Fundamental Rights Impact Assessment under Article 27.
Article 25 creates a risk: if you substantially modify a third-party chatbot or repurpose it for a use case outside the provider's intended purpose, you become the provider for that modified version and inherit the full provider obligations.
The FRIA (Article 27)
Not every deployer runs a FRIA. Article 27 applies to public bodies and certain private deployers — specifically those deploying chatbots used for creditworthiness assessment (Annex III, point 5(b)) or life/health insurance risk assessment (point 5(c)). Most private-sector deployers of recruitment or HR chatbots do not automatically owe a FRIA, but the line is worth checking for the specific use case.
Deadlines
| What | Applies from |
|---|---|
| Article 5 prohibitions (manipulative/deceptive chatbots) | 2 February 2025 — already in force |
| Article 50 transparency for limited-risk chatbots | 2 August 2026 |
| High-risk Annex III stand-alone chatbots (Digital Omnibus) | 2 December 2027 |
| High-risk AI as safety component of Annex I products | 2 August 2028 |
The high-risk deadline shifted. Under the Digital Omnibus — a political agreement reached between Parliament and Council on 7 May 2026, with formal adoption expected before 2 August 2026 — the original 2 August 2026 date for stand-alone Annex III systems has been deferred to 2 December 2027. The Article 50 disclosure date was not deferred; it remains 2 August 2026.
December 2027 is not a long runway. Technical documentation under Annex IV, a risk management system, bias testing across training data, conformity assessment — these are multi-month efforts for most teams.
Penalties
Non-compliance with Article 50 transparency obligations, or with provider/deployer obligations for high-risk systems, carries a maximum fine of €15,000,000 or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 99(4)).
Deploying a prohibited chatbot under Article 5 — a manipulative or deceptive design — carries €35,000,000 or 7% (Article 99(3)).
For SMEs and start-ups, Article 99(6) caps the fine at whichever figure is lower (the percentage or the fixed amount), a proportionality protection worth knowing.
The underlying LLM: a separate question
Many chatbots run on a general-purpose AI (GPAI) model — an LLM supplied by a third-party provider. Under Chapter V of the Act, that underlying model is subject to its own obligations (Article 53 for all GPAI providers; Article 55 for those with systemic-risk models), which have applied since 2 August 2025.
The chatbot layer and the GPAI layer are classified independently. The GPAI provider's obligations do not substitute for your chatbot-level obligations, and vice versa. If you are the chatbot provider, you need to understand what technical documentation and safety information the GPAI provider has made available to you — that feeds into your own Article 11 documentation.
How Confir helps
Classifying a chatbot requires answering a precise sequence of questions: does it fall in an Annex III domain, does the Article 6(3) filter apply, and are you the provider or the deployer? Getting those questions wrong assigns you the wrong obligation set.
Confir's classification module walks through each question in plain English and applies the Annex III logic deterministically — same inputs, same finding, every time. If the chatbot is high-risk, Confir scopes the exact obligation set for your role (provider or deployer) and generates the Annex IV technical documentation structure and the Article 47 Declaration of Conformity. The engine is rule-based, not AI-assisted, which matters for a compliance output that has to hold up under regulatory scrutiny.
Pricing starts at €600 per year.
FAQ
Is a customer-service chatbot high-risk under the EU AI Act?
No, in most cases. A chatbot that answers product questions, handles returns, and escalates complex issues to human agents does not make decisions in an Annex III domain. It is limited-risk under Article 50(1): you must inform users they are talking to an AI, from 2 August 2026. That is the only mandatory obligation.
What makes a chatbot high-risk?
Function, not technology. A chatbot becomes high-risk under Article 6 when its output makes or materially informs a decision in one of the eight Annex III areas — creditworthiness, recruitment screening, benefit eligibility, exam assessment, and similar. The chatbot's technical architecture is irrelevant; what matters is the decision it drives.
Can a chatbot be prohibited rather than just high-risk?
Yes. Article 5 prohibitions have applied since 2 February 2025. A chatbot using manipulative or subliminal techniques to cause significant harm (Article 5(1)(a)), exploiting the specific vulnerabilities of a group (5(1)(b)), or performing emotion recognition on employees or students (5(1)(f)) is prohibited — not merely subject to additional compliance requirements.
What is the Article 50 disclosure obligation for chatbots?
Under Article 50(1), any AI system designed to interact directly with people must inform users, at the start of the interaction, that they are interacting with an AI. This applies from 2 August 2026. There is a narrow exception where the context makes this obvious. If the chatbot also generates synthetic media (images, audio, video), Article 50(2) requires that the synthetic nature of the content be marked.
What changed for the high-risk deadline?
The Digital Omnibus — a political agreement reached 7 May 2026 — deferred the high-risk compliance deadline for stand-alone Annex III systems from 2 August 2026 to 2 December 2027. High-risk AI embedded in Annex I regulated products is now deferred to 2 August 2028. Article 50 transparency obligations and Article 5 prohibitions were not deferred.
Does the underlying LLM affect how the chatbot is classified?
Not directly. The GPAI model powering the chatbot is classified separately under Chapter V. Your chatbot is classified based on what it does at the application layer — the decision domain it operates in and the outputs it produces. The GPAI provider's obligations under Articles 53 and 55 run parallel to your chatbot-level obligations, not in substitution for them.