
Classifying an LLM-Based System Under the EU AI Act

Guide · 23 May 2026 · 11 min read · 2,286 words

How to classify an LLM-based system under the EU AI Act: GPAI model (Art 53), system risk tier (Art 6 + Annex III), and your role as provider or deployer.

The first mistake organisations make is treating "LLM" as a risk category. It is not. The EU AI Act handles LLMs at two separate layers — the model itself and the system you build on top of it — and each layer has its own classification logic. Conflating them leads to wrong compliance scoping: either over-engineering a minimal-risk chatbot or, worse, missing high-risk obligations on an LLM that screens job applicants.

This article separates the two layers, maps the classification rules, and identifies where most LLM-based products actually land.


Layer 1 — The LLM Itself Is a GPAI Model (Chapter V)

A large language model like GPT-4, Mistral 7B, Llama 3, or Gemini is a general-purpose AI (GPAI) model as defined in Article 3(63) of Regulation (EU) 2024/1689. GPAI models are governed by Chapter V (Articles 51–56), not by the high-risk classification rules in Article 6. Calling an LLM "high-risk" is a category error.

The obligations in Chapter V fall on the GPAI model provider — the organisation that trains and places the model on the market (OpenAI, Mistral, Google, Meta, and so on). Those obligations have applied since 2 August 2025. They include:

  • Maintaining technical documentation and keeping it updated (Article 53(1)(a));
  • Providing downstream providers with the information they need to comply — delivered via an Annex XII summary (Article 53(1)(b));
  • Publishing a summary of training data and a copyright compliance policy (Article 53(1)(c) and (d)).

If the GPAI model is also classified as a systemic-risk model — the threshold is training compute exceeding 10²⁵ FLOP, per Article 51 — the provider faces additional duties under Article 55: adversarial testing (red-teaming), incident reporting, cybersecurity measures, and energy-efficiency reporting.

What this means for you if you build on an LLM. You are almost certainly a downstream provider or deployer, not a GPAI model provider. You receive the Article 53 Annex XII documentation from the upstream model provider. You use it to record the GPAI dependency in your own technical file. You do not take on the GPAI provider's Chapter V obligations simply by calling an API.


Layer 2 — The System You Build Is Classified by Its Use

The AI system your company deploys — the chatbot, the document-processing tool, the CV screener — is classified under the standard four-tier framework: prohibited (Article 5), high-risk (Article 6 + Annex III), limited-risk (Article 50), or minimal-risk. The underlying model's risk status is irrelevant to this classification; what matters is the system's intended purpose and the decisions it affects.

When is an LLM-based system prohibited?

Article 5 lists practices banned since 2 February 2025. LLM-based systems can trigger these prohibitions. An LLM deployed to infer employees' emotional states crosses into Article 5(1)(f) (emotion recognition in the workplace). An LLM used to build behavioural profiles that predict re-offending based solely on personal characteristics is prohibited under Article 5(1)(d). If your use case touches any Article 5 scenario, stop — no risk management system saves a prohibited practice.

When is an LLM-based system high-risk?

An LLM-based system is high-risk when it falls into one of the eight Annex III categories and does not qualify for the Article 6(3) filter (discussed below). The two Annex III areas that capture most enterprise LLM deployments are:

Annex III, point 4 — Employment and workers management. An LLM that screens CVs, ranks candidates, recommends promotion or termination, allocates tasks, or monitors worker performance is high-risk under point 4(a). The scope is broad: "substantially influencing" a decision is enough — the LLM does not have to make the decision autonomously.

Annex III, point 5 — Access to essential private and public services. An LLM that assesses creditworthiness or determines loan eligibility (point 5(b)) is high-risk. So is one that evaluates insurance risk or sets pricing for life and health insurance (point 5(c)), or determines eligibility for public benefits.

Other Annex III areas can apply to specialised LLM deployments: an LLM assisting in judicial decision-support falls under point 8 (administration of justice); one used by a border agency to assess migration applications falls under point 7.

The Article 6(3) filter. Even if an LLM-based system falls within an Annex III category, it is not high-risk if the provider can demonstrate that it poses no significant risk to health, safety, or fundamental rights. The filter applies where the system performs a narrow procedural task, improves a previously completed human activity, detects decision patterns without replacing or influencing human assessment, or does preparatory work only. In practice, most LLM systems used in Annex III contexts cannot credibly claim this exemption — an LLM that shortlists candidates influences hiring decisions by definition. Providers claiming the exemption must document the assessment and still register the system under Article 49.

One absolute: any system that profiles natural persons is always high-risk, regardless of the Article 6(3) analysis.

When is an LLM-based system limited-risk?

Article 50 transparency obligations apply from 2 August 2026 to three LLM scenarios that do not trigger Annex III:

  1. Chatbots. Any LLM-powered system interacting with natural persons must disclose that it is artificial, unless the AI nature is obvious. The disclosure must happen at the start of the interaction (Article 50(1)).
  2. AI-generated content. Text, images, audio, or video that could be mistaken for human-created content must be marked as machine-generated (Article 50(4)).
  3. Emotion recognition and biometric categorisation. Where these are not prohibited under Article 5, Article 50(3) requires disclosure to the person subjected to the system.

The compliance burden for limited-risk systems is disclosure only. No technical documentation, no conformity assessment, no risk management system.

Minimal risk

An LLM powering an internal summarisation tool, a code auto-complete, or a spam filter that does not touch Annex III categories falls here. There are no mandatory obligations; voluntary codes of practice are encouraged.


Layer 3 — Your Role: Provider, Downstream Provider, or Deployer

The high-risk obligations differ significantly between a provider (Article 16) and a deployer (Article 26). Article 25 determines when a role shift occurs.

Most companies building LLM-based products are providers of an AI system — they place a product on the market or into service under their own name. If your product incorporates a third-party LLM (OpenAI API, Mistral API, Llama via self-hosting) and you ship the product to customers, you are a provider of the resulting system. You carry the Article 16 provider obligations: risk management system (Article 9), technical documentation (Article 11), data governance (Article 10), transparency information to deployers (Article 13), human oversight design (Article 14), accuracy and robustness measures (Article 15), quality management system (Article 17), conformity assessment (Article 43), and registration (Article 49).

You become a GPAI model provider only if you train or fine-tune a model substantially and place it on the market as a standalone GPAI model. Wrapping an API is not training a model.

Downstream deployers — a bank using your LLM-powered credit-assessment product — inherit the deployer obligations under Article 26: use the system only for its intended purpose, ensure human oversight (Article 14), keep logs for at least six months and notify workers' representatives before workplace deployment (both Article 26), and run a Fundamental Rights Impact Assessment (Article 27) where required (public-body deployers, and deployers of creditworthiness or life/health-insurance systems under Annex III points 5(b) and 5(c)).

Article 25 role shift. A deployer becomes a provider — and inherits the full provider stack — if it puts its own name or trademark on a high-risk system, substantially modifies it, or changes its intended purpose to a new Annex III use case.


The Practical Reality: Where Most LLM Products Land

Mapping across the use-case spectrum:

LLM system type | Classification | Primary obligations
--- | --- | ---
Customer support chatbot (general queries) | Limited-risk (Art 50) | Disclosure at conversation start
Document summarisation / internal knowledge base | Minimal | None mandatory
CV screening or candidate ranking | High-risk (Annex III, point 4(a)) | Full Art 9–15 provider stack; Art 43 conformity assessment
Loan eligibility assessment | High-risk (Annex III, point 5(b)) | Full provider stack; FRIA for deployers (Art 27)
Insurance risk pricing | High-risk (Annex III, point 5(c)) | Full provider stack; FRIA for deployers
Legal research assistant (background research only) | Likely minimal / Art 6(3) may apply | Assess and document the Art 6(3) determination
AI assistant for judges / judicial decision support | High-risk (Annex III, point 8) | Full provider stack
Synthetic content generation (marketing, images) | Limited-risk (Art 50(4)) | Machine-generated content marking

The most common misclassification is treating a customer chatbot as high-risk because it "uses AI." The correct analysis turns on what decisions the system affects, not what technology it uses.


Deadlines That Apply to LLM-Based Systems

The deadline that applies depends on the classification:

  • Article 5 prohibitions — in force since 2 February 2025. Already applicable.
  • GPAI model obligations (Chapter V) — applied from 2 August 2025. Upstream model providers are already subject to these. Models on the market before that date have until 2 August 2027 to comply.
  • Article 50 limited-risk transparency — applies from 2 August 2026 (not deferred).
  • High-risk Annex III stand-alone systems — 2 December 2027, under the Digital Omnibus agreed in May 2026 (the original deadline of 2 August 2026 is no longer operative).
  • High-risk AI embedded in Annex I regulated products — 2 August 2028.

The shift to December 2027 for Annex III systems gives providers additional preparation time, but the documentation work — technical file (Annex IV), risk management records, conformity assessment — takes many months to assemble correctly. Companies that treat December 2027 as a distant deadline typically arrive there unprepared.


How Confir Helps

For LLM-based systems, two tasks consistently consume the most time: classifying the system correctly and recording the GPAI dependency.

Confir's classification workflow walks through the intended purpose, the decisions the system affects, and the relevant Annex III categories using plain-English scenarios. The output is a documented, reproducible risk-tier determination — the same inputs produce the same finding every time, because the logic is rule-based and deterministic, not a probabilistic model.

For GPAI dependencies, Confir records the upstream model provider, the Annex XII documentation received, and how that dependency maps to the system's technical file — satisfying the downstream documentation requirement in at most two structured fields. The information stays in the organisation's AI register alongside the system record.

If the system is high-risk, Confir drives the Article 9–15 assessment across four compliance areas (AIRC, AITR, AITO, AIGM), generates the Annex IV technical documentation pack and the Article 47 Declaration of Conformity, and runs the Article 27 FRIA where required.


FAQ

Is an LLM itself classified as high-risk under the EU AI Act?

No. An LLM is a GPAI model governed by Chapter V (Articles 51–56), not by the high-risk classification rules in Article 6. The GPAI model obligations apply to the model provider (OpenAI, Mistral, Google, Meta, etc.). Your classification question is about the system you build on top of the LLM, which is classified by its intended purpose and the Annex III categories it may trigger.

My company integrates a third-party LLM into a product. Are we a GPAI model provider?

No, unless you train or fine-tune a model and place it on the market as a standalone GPAI model. If you call a third-party API and build a product around it, you are a downstream provider of an AI system. You receive the Annex XII documentation from the upstream GPAI model provider and use it to populate your own system's technical file.

Does a customer-facing chatbot need a conformity assessment?

Not if it is limited-risk. A chatbot that handles general queries and does not fall into an Annex III category is limited-risk under Article 50 — disclosure at conversation start is the only mandatory obligation. A conformity assessment under Article 43 is only required for high-risk systems.

What triggers the Article 50 disclosure duty for an LLM-based chatbot?

Any LLM-powered system that interacts with natural persons must disclose its artificial nature at the start of the interaction, unless the AI nature is obvious from context. This obligation applies from 2 August 2026. It applies regardless of whether the system is also high-risk — a high-risk chatbot must comply with both Article 50 and the full Article 9–15 provider stack.

What penalties apply to LLM-based systems?

Under Article 99, non-compliance with high-risk obligations (Articles 9–15, 16, 26, 43, 50) carries fines up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. Violation of Article 5 prohibitions carries up to €35,000,000 or 7%. Supplying incorrect information to authorities carries up to €7,500,000 or 1%. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed amount.

When does the Article 25 role shift apply?

Under Article 25, a deployer or distributor becomes a provider — and assumes the full provider obligation stack — if it puts its own name or trademark on a high-risk AI system, substantially modifies a high-risk system, or changes the system's intended purpose to a new Annex III use case. Rebranding a third-party LLM-based product as your own, or reconfiguring it for a materially different Annex III application, both trigger this shift.

