TL;DR. Annex III of the EU AI Act lists 8 high-risk categories. If your AI feature falls into one, you owe a heavy compliance lift (conformity assessment, technical file, human oversight, EU database registration). If it does not, you are limited-risk or minimal-risk and the burden is much lighter. Most SaaS teams get this classification step wrong. Here is the 3-question decision tree I use on every audit, plus 8 real examples from recent client work. Code is at the bottom: there is a classify.py script in the open-source repo that runs this for you.

The most expensive mistake I see SaaS teams make is calling a high-risk feature "limited-risk" because they want to avoid the conformity assessment. The second most expensive mistake is the opposite: calling everything high-risk because the rule sounds scary, and burying yourself in paperwork you do not need.

Annex III of the EU AI Act lists eight high-risk areas. If your AI feature falls into one of them, you are subject to a different and heavier set of obligations than the Article 50 transparency duties. If your feature does not fall into any of them, you are likely limited-risk or minimal-risk, and the compliance burden is much lighter.

This post lays out the decision tree I use on every audit, plus eight examples from real SaaS products we have audited.