Scope

Buyer-facing evidence map for AI vendors, deployers, and product/compliance teams documenting their risk-tier rationale under the EU AI Act for procurement and review purposes.

Covers

  • Stacked screening of Article 5 (prohibited practices), Article 6 + Annex III (high-risk classification), Article 50 (transparency), and GPAI / upstream model dependencies.
  • Intended purpose and deployment context as inputs to risk-tier reasoning.
  • Role determination (provider, deployer, importer, distributor, substantial modifier).
  • Documentation of the risk-tier rationale as a written record, not a label.
  • Escalation flags when the screening surfaces a possible high-risk or prohibited trigger.

Out of scope

  • Legal determination of risk tier for any specific system.
  • High-Risk Annex III conformity assessment.
  • Notified Body preparation.
  • Systemic-risk GPAI provider obligations (Articles 53–55).
  • Legal advice, certification, warranty drafting.

Source status

This Reference draws on sources at different regulatory maturity levels. When the body of the page references a specific source, the status below applies.

Source Status Notes
EU AI Act (Regulation (EU) 2024/1689), Article 5 Current Regulation text Prohibited practices, in force from 2 February 2025. Triggers absolute prohibition.
EU AI Act, Article 6 + Annex III Current Regulation text High-risk classification rules apply from 2 August 2026. High-risk obligations apply on a staged timeline. Track current Regulation text and any formally adopted Digital Omnibus changes.
EU AI Act, Article 50 Current Regulation text Transparency obligations apply from 2 August 2026. Independent of risk tier.
EU AI Act, Article 51 Current Regulation text GPAI systemic-risk presumption threshold under Article 51. Provider obligations under Articles 53–55.
Commission draft guidelines on high-risk classification Draft guidance Targeted consultation opened 19 May 2026, closes 23 June 2026. Treat as draft, not final.
Commission draft guidelines on Article 50 transparency obligations Draft guidance Published 8 May 2026. Consultation closed 3 Jun 2026; guidelines remain DRAFT pending adoption, expected before 2 Aug 2026.
Digital Omnibus on AI Provisional political agreement 7 May 2026 provisional agreement. Not enacted.

Where a source is in draft or provisional status, this page does not present its content as final law. Buyers and deployers should monitor the corresponding final adoption and update their documentation accordingly.

Problem

A procurement reviewer asking "What is your EU AI Act risk tier?" is testing four things at once.

"Limited Risk" or "Minimal Risk" written in an RFP without documented reasoning is not an answer. The EU AI Act layers separate obligation tracks that each need to be screened independently before a tier label can be defended:

  • Article 5 screens for prohibited practices, which are absolute and cannot be cured by documentation.
  • Article 6 plus Annex III screens for high-risk classification, which depends on use case, sector, and intended purpose, not on technical sophistication.
  • Article 50 screens for transparency obligations, which apply even when the system is otherwise Limited Risk or Minimal Risk.
  • Upstream model and GPAI dependencies introduce their own provider-side obligations that influence the deployer's record.

A risk-tier rationale is the written record of those four screens, plus the role determination and intended-purpose framing that supports them. It is what a buyer, a reviewer, or an internal compliance owner reads when they want to understand how the tier label was reached. The map below pairs the questions a buyer is likely to ask about risk-tier with what they are really testing, the evidence to attach, who owns the review, and the red flags that should not be glossed over.

Core evidence mapping

# Buyer question What the buyer is really testing Evidence to prepare Trevam artifact Review owner Red flag
1 "What risk tier does your system fall under?" Whether the label is reached through documented screening, not assertion Risk Tier Rationale Memo covering Article 5, Article 6 + Annex III, Article 50, and GPAI dependency screens with conclusions per screen Risk Tier Rationale Memo Legal/Compliance Naked label without supporting rationale; "we did the analysis internally" without artifact
2 "Have you screened for prohibited practices under Article 5?" Whether the prohibited-practices test was applied at all, with reasoning per category Article 5 screen recording each prohibited category considered and the basis for exclusion Risk Tier Rationale Memo (Article 5 section) Legal/Compliance Skipped screen on the assumption that no prohibited practice applies
3 "Is the system in Annex III?" Whether the Article 6 + Annex III test was applied against the actual intended purpose and deployment context, with reasoning per category Annex III screen against the eight categories with reasoning per category Risk Tier Rationale Memo (Annex III section) + Intended Purpose Statement Legal/Compliance Treating Annex III as obvious; conflating "we are B2B SaaS" with "we are not Annex III"
4 "Are Article 50 transparency obligations triggered independently of the risk tier?" Whether Article 50 was screened as a separate gate, not absorbed into the tier label Article 50 applicability assessment per sub-paragraph (50(1), 50(2), 50(3), 50(4)) Article 50 Transparency Decision Record Legal/Compliance + Product "Limited Risk, so transparency does not apply"; treating Article 50 as conditional on high-risk
5 "What upstream models or GPAI providers does the system rely on?" Whether model dependencies are mapped and whether GPAI-provider obligations flow through to the deployment context Model dependency register naming providers, model names/versions, modifications, and GPAI systemic-risk status if known Technical File outline (dependency section) Engineering + Legal/Compliance "Black box" answer; provider not named; GPAI systemic-risk presumption (Article 51) not addressed
6 "What role do you take in the supply chain?" Whether the role determination (provider, deployer, importer, distributor, or substantial modifier) is written and defensible Role determination memo with Article 25 / Article 26 reasoning; identification of any substantial modification or rebranding Risk Tier Rationale Memo (role section) Legal/Compliance Claiming "deployer" while modifying or rebranding a third-party model; mixed roles undocumented
7 "What is the intended purpose, and does it pull the system into a higher tier?" Whether the intended purpose is written with enough specificity that scope creep would be visible to a reviewer Intended Purpose Statement covering use cases, users, inputs, outputs, exclusions, foreseeable misuse Intended Purpose Statement Product + Compliance Vague marketing language; intended purpose drafted to minimise apparent scope
8 "How do you screen sector-specific overlays?" Whether sector-specific rules (medical devices, machinery, financial services, employment, education, law enforcement) have been considered alongside Article 6 + Annex III Sectoral screening note covering any horizontal regulation that intersects the system Risk Tier Rationale Memo (sectoral overlay section) Legal/Compliance Treating EU AI Act as the only applicable regime; ignoring product-safety, medical, or sectoral law
9 "What is your rationale for the GPAI dependency status?" Whether the upstream provider's GPAI status was assessed and what flows down to the deployer's record Note on each upstream model: GPAI status, systemic-risk presumption (Article 51) consideration, provider-side documentation references Technical File outline (GPAI note) Engineering + Legal/Compliance Assuming the provider's GPAI status is your status; missing provider documentation reference
10 "How do changes to the system affect the risk tier?" Whether the risk-tier rationale is re-run when the system, model, data, or intended purpose changes Change Log entries with risk-tier impact notes; re-screen triggers and dates Change Log Engineering + Product + Compliance Continuous deployment without risk-tier re-screen; risk tier "fixed" at launch
11 "What internal review owners are named for the risk-tier rationale?" Whether the rationale has accountable owners with current dates, not "the compliance team" Owner table with role, date last reviewed, review cadence Risk Tier Rationale Memo (owner section) Compliance Owner field blank; review last performed before a material change
12 "What is your escalation path if the screening surfaces a high-risk or prohibited flag?" Whether there is a defined route to external counsel, to the buyer's compliance team, or to a Notified Body process when the screen raises a flag Escalation flag register: trigger, owner, route, target time Risk Tier Rationale Memo (escalation section) Legal/Compliance No escalation path; informal "ask legal" without owner or time

Flagged questions

Some procurement questions invite a one-word answer that should never be given without legal/compliance review. Treat each as a routing prompt.

  • "Is your system high-risk?" Requires the Article 5 + Article 6 + Annex III screens in writing. A casual "no" without the screen is a common procurement and review failure mode.
  • "Are you Limited Risk?" Limited Risk is not a single tier label; it is shorthand for "subject to Article 50 transparency obligations but not Annex III." Treat as a category, not a label.
  • "Are you Minimal Risk?" Minimal or no-risk systems generally do not carry AI-system-specific obligations under the AI Act, but organisation-level duties such as AI literacy and buyer-side documentation requests may still matter. Asserting the category without screening Article 5, Article 6, and Article 50 separately is unsafe.
  • "Does Annex III apply to you?" Eight categories with sector-specific framings. "No" without per-category reasoning is the most common audit failure pattern.
  • "Are you a provider or a deployer?" Possibly both. Article 25 substantial-modification rules can reclassify a deployer as a provider. Answer with the role memo, not a one-word label.
  • "Does the Digital Omnibus push your timelines?" The Digital Omnibus on AI is a 7 May 2026 provisional political agreement. Until formal adoption, current baseline dates apply. Do not advise delay.
  • "Is your upstream model provider GPAI-compliant?" Third-party status is not yours to assert. Provide the dependency register and the provider documentation links; let the buyer make its own assessment.

Failure modes

For each: bad pattern · why it fails · safer response · evidence required.

  1. 1. "Our system is Limited Risk."
    Why it fails
    Limited Risk is shorthand, not a single tier. The label without a screen tells the buyer nothing about Article 5 (prohibited), Article 6 (high-risk), or Article 50 (transparency) outcomes.
    Safer response
    "Our risk-tier rationale documents Article 5, Article 6 + Annex III, Article 50, and GPAI dependency screens separately. Memo on file."
    Evidence required
    Risk Tier Rationale Memo.
  2. 2. "We are not Annex III because we are SaaS."
    Why it fails
    Annex III applies based on intended purpose and use case, not on delivery model. A SaaS product used in HR screening, credit scoring, or law enforcement may be Annex III.
    Safer response
    "Annex III screening is performed against each of the eight categories using the documented intended purpose."
    Evidence required
    Risk Tier Rationale Memo (Annex III section) + Intended Purpose Statement.
  3. 3. "Our risk tier is fixed at Limited Risk."
    Why it fails
    risk tier depends on intended purpose, deployment context, model dependencies, and material modifications. None of these are static.
    Safer response
    "Risk-tier rationale is re-screened on material change to the system, model, intended purpose, or deployment context."
    Evidence required
    Change Log + Risk Tier Rationale Memo with version history.
  4. 4. "We rely on [upstream provider] for AI Act coverage."
    Why it fails
    provider and deployer obligations are independent. The Article 25 substantial-modification rule may reclassify a deployer as a provider regardless of the upstream contract.
    Safer response
    "Upstream provider documentation is on file. Our role determination and risk-tier rationale have been assessed independently."
    Evidence required
    Role memo + dependency register.
  5. 5. "We are a deployer, so risk-tier screening does not apply to us."
    Why it fails
    deployers carry their own obligations, including Article 4 AI literacy, Article 26 deployment-context obligations, and Article 50 where applicable. Risk-tier screening still applies as a context.
    Safer response
    "Deployer-side risk-tier context is documented to support Article 4, Article 26, and Article 50 obligations."
    Evidence required
    Risk Tier Rationale Memo (deployer section).
  6. 6. "Our model is not a GPAI model, so Article 51 does not concern us."
    Why it fails
    Article 51 concerns provider-side GPAI obligations, but a deployer using a GPAI model carries documentation requirements about the upstream dependency. The screen is needed even when no GPAI provider obligation applies to the deployer directly.
    Safer response
    "Upstream model dependencies are documented, including GPAI status of each provider. Article 51 systemic-risk presumption considered where applicable."
    Evidence required
    Technical File outline (GPAI section).
  7. 7. "We screened Article 5 and concluded it does not apply."
    Why it fails
    conclusory statements are not evidence. The screen needs to record which prohibited categories were considered and on what basis they were excluded.
    Safer response
    "Article 5 screen documents each of the prohibited-practice categories considered and the basis for exclusion."
    Evidence required
    Risk Tier Rationale Memo (Article 5 section).
  8. 8. "Our intended purpose is to provide AI-powered analytics."
    Why it fails
    vague intended-purpose language hides scope creep risk and prevents reviewers from screening Annex III properly. "AI-powered analytics" does not show whether the system makes employment, credit, or eligibility decisions.
    Safer response
    "Intended Purpose Statement names use cases, users, inputs, outputs, exclusions, and foreseeable misuse with operational specificity."
    Evidence required
    Intended Purpose Statement.
  9. 9. "The Digital Omnibus pushes our high-risk obligations back."
    Why it fails
    as of 7 May 2026, the Digital Omnibus on AI is a provisional political agreement, not enacted law. Trevam buyers should not rely on provisional changes to defer compliance work.
    Safer response
    "Current baseline timelines apply. We are monitoring the Digital Omnibus formal adoption and will update the rationale accordingly."
    Evidence required
    Risk Tier Rationale Memo (watch items section) + Change Log entry on monitoring.
  10. 10. "Our risk-tier rationale was reviewed at launch."
    Why it fails
    "at launch" is not a maintenance posture. Material changes to the system, model, or intended purpose can change the tier, and Article 50 final guidelines or sectoral rule changes can affect screening.
    Safer response
    "Risk-tier rationale carries a last-reviewed date and is re-screened on material change or on regulatory update."
    Evidence required
    Risk Tier Rationale Memo with version history + Change Log entries.

What this is not

This Reference page is not, and should not be cited as:

  • A legal determination of risk tier for any specific system.
  • A High-Risk Annex III conformity assessment.
  • A Notified Body submission preparation.
  • A substitute for counsel.
  • A certification of any provision of the EU AI Act.
  • A guarantee that a system is Minimal Risk, Limited Risk, or not High-Risk.
  • Systemic-risk GPAI provider guidance under Articles 53–55.
  • A substitute for human/legal/compliance review against the specifics of the system, intended purpose, deployment context, and current regulatory state.

The map exists to help vendors and deployers prepare review-ready documentation. Each item is subject to human/legal/compliance review.

How to use the Trevam kit

The EU AI Act Compliance Starter Kit — Buyer Edition v1.6 includes 27 copyable documentation units, including 9 separately editable templates, plus an included AI-assisted completion companion guide. The artifacts most directly used for risk-tier rationale evidence:

  • Risk Tier Rationale Memo — RFP-attachable: the primary artifact for this page. Records Article 5, Article 6 + Annex III, Article 50, GPAI dependency, sectoral overlay, role determination, and escalation flag screens as separate decisions with supporting reasoning.
  • Intended Purpose Statement + Limitations — input to risk-tier reasoning. Use cases, users, inputs, outputs, exclusions, foreseeable misuse.
  • Article 50 Transparency Decision Record — adjacent artifact when the Article 50 transparency screen reaches positive. See the Article 50 applicability Reference.
  • Technical File outline (living document structure) — supporting structure for upstream model and GPAI dependency documentation.
  • Data Governance Plan template — input to data-related considerations when the rationale reaches high-risk territory.
  • Change Log template with re-assessment triggers — captures version, date, scope of change, and impact on risk tier and Article 50 applicability.
  • Risk Management Log (incl. residual risk fields) — adjacent maintenance artifact for risks identified during screening.
  • AI Literacy Evidence Log by role — Art. 4: relevant when the rationale records deployer-side Article 4 obligations.

Annex III red-flag module. Where the screen surfaces a possible Annex III trigger, the Risk Tier Rationale Memo records the flag, the reasoning, and an escalation routing to external counsel or to a Notified Body process. The Trevam kit does not include Annex III conformity assessment material; the red-flag module is a routing point, not a determination.

The AI-assisted completion companion is an optional methodological guide for using approved AI workspaces (e.g. enterprise Claude, ChatGPT, Microsoft 365 Copilot-style assistants, or internal assistants) to draft, evidence-check, red-team, and prepare the kit's outputs for human/legal/compliance review. The companion does not decide risk tier, does not screen Article 5 or Article 6, and does not substitute review.

Last reviewed / update note

Last reviewed: 2026-06-04.

This page is subject to update when one of the following occurs:

  • The European Commission publishes the final adopted high-risk classification guidelines (targeted consultation opened 19 May 2026, closes 23 June 2026).
  • The European Commission publishes the final adopted Article 50 transparency guidelines.
  • The Digital Omnibus on AI is formally adopted by the Council and Parliament (currently provisional agreement of 7 May 2026).
  • A material update to the EU AI Act Service Desk or AESIA guidance affects the screening structure on this page.
  • The Trevam EU AI Act Compliance Starter Kit moves to a new version that changes the artifact set referenced here.

Substantive updates are recorded in the public Trevam update log.

Maintained by Hugo Barrio García, founder/operator of Trevam Intelligence Systems. Trevam builds structured documentation materials for AI procurement and transparency review. This page is not legal advice.

How this page is maintained: it is reviewed against the primary sources listed below whenever a mapped obligation, guideline, or date changes status. The Last reviewed date is updated at each review.

Primary sources