EU AI Act Scope and Key Definitions: Systems, Risk Categories and Core Concepts

Before applying the EU AI Act, businesses need to distinguish AI systems from general-purpose AI models, understand the main risk categories, and map the roles of providers, deployers and other actors in the AI value chain.

Published
10 June 2026

The EU AI Act is often described as a risk-based regulation. That description is useful, but incomplete. Before a business can decide whether an obligation applies, it needs to know what is within material scope, which actor is in scope, whether the territorial link is present, and how the system or model is classified.

These questions should not be collapsed into a single conclusion that the business is in scope or out of scope. Material scope asks what kinds of systems, models and uses are regulated. Personal scope asks which actors have obligations. Territorial scope asks whether the EU market or EU use connection is sufficient. Risk classification then determines the intensity and type of obligations.

Material, personal and territorial scope

Material scope starts with the subject matter: AI systems, general-purpose AI models, prohibited practices, high-risk systems, transparency duties and other regulated uses. Personal scope identifies actors such as providers, deployers, importers, distributors, authorised representatives and product manufacturers. Territorial scope asks whether those actors or the relevant outputs connect to the Union in the way Article 2 describes.

A company can make mistakes by answering only one of these questions. A non-EU provider may assume it is outside the framework because it has no EU office, even though it places a system on the Union market. An EU deployer may assume all obligations sit with its supplier, even though it uses the system under its own authority. A downstream application builder may focus on the model provider's documentation and miss the risk classification of its own AI system.

AI system definition in practice

The Act's AI system definition is technical but should be applied practically. It points to a machine-based system that is designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that infers from its input how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.

For businesses, the practical question is not whether a tool is marketed as AI. The question is whether the tool has the functional characteristics of an AI system under the Act and whether its outputs are used in a legally relevant context. A rules-only workflow, a spreadsheet formula and a machine-learning scoring system may need different treatment. Product labels are not enough.

GPAI model definition in practice

A general-purpose AI model is a separate concept. It concerns a model with significant generality that is capable of competently performing a wide range of distinct tasks and can be integrated into various downstream systems or applications. The model may sit below many different products. The downstream AI system may then carry obligations based on its own intended purpose and risk category.

This distinction is important for companies that use externally supplied models. A downstream product may rely on a GPAI model but still need its own classification. Equally, a model provider may have GPAI duties even before a specific customer's deployment is assessed. Scope analysis should therefore separate model-level and system-level questions.

Risk categories

The Commission summarises the AI Act as using four levels of risk: unacceptable risk, high risk, transparency risk, and minimal or no risk. The Act does not regulate all AI tools equally. Its practical burden depends on what the system does, who uses it, where it is supplied or deployed, and which role the relevant actor performs.

  • Prohibited or unacceptable-risk practices are banned. The Commission explains that these prohibitions applied from 2 February 2025.
  • High-risk systems are permitted only within a more demanding compliance framework, including requirements connected to risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness and cybersecurity.
  • Transparency-risk systems trigger specific information duties, for example where users interact with AI systems or where AI-generated content creates disclosure concerns.
  • Minimal or no-risk systems are not subject to the same intensive obligations under the AI Act, although other laws, contracts or sector rules may still matter.

High-risk logic

High-risk classification has two main pathways. One pathway concerns AI systems that are safety components of products, or are themselves products, covered by specified Union harmonisation legislation. The other pathway concerns standalone AI systems in listed areas, including use areas set out in Annex III. Those areas include, among others, biometric contexts, critical infrastructure, education, employment, access to essential services, law enforcement, migration and justice-related uses, subject to the detailed conditions in the Act.

This is why intended purpose matters so much. The same underlying technology can be low-risk in one context and high-risk in another. A model used to generate generic marketing copy is not the same as an AI system used to rank job applicants, assess access to essential private services, or support safety-related product functions.

Transparency obligations

The AI Act also contains transparency duties that are not the same as high-risk obligations. Article 50 addresses situations such as people interacting with AI systems, emotion recognition or biometric categorisation in relevant contexts, and AI-generated or manipulated content. At a practical level, businesses should ask whether users or affected persons need to be told that AI is involved, or that content has been artificially generated or manipulated.

Transparency duties are easy to miss because they may apply to systems that are not high-risk. A customer-support assistant, generated image, synthetic voice or AI-mediated interaction may raise disclosure questions even where the broader compliance framework is lighter than for high-risk systems.

Core actor definitions

Role definitions determine who must act. A provider develops, or has developed, an AI system or GPAI model and places it on the market or puts it into service under its own name or trademark. A deployer uses an AI system under its authority, except for purely personal non-professional use. An importer is an EU-established actor placing on the market a system bearing the name or trademark of a third-country actor. A distributor makes an AI system available on the Union market without being the provider or importer.

An authorised representative is an EU-based person or body with a written mandate from a provider to perform specified obligations and procedures. A product manufacturer becomes relevant where AI is embedded in, or supplied with, a regulated product. The same corporate group can perform different roles for different systems, and a party can become the provider where it rebrands, substantially modifies or changes the intended purpose of a high-risk AI system in the way described by the Act.

First-step classification workflow

A practical initial review should move through the questions in order rather than jumping straight to a risk label:

  • Identify the AI system, GPAI model or AI component being assessed.
  • Describe the intended purpose and the real deployment context.
  • Separate material scope, personal scope and territorial scope.
  • Map every relevant actor: provider, deployer, importer, distributor, authorised representative and product manufacturer.
  • Check whether a prohibited practice may be involved.
  • Assess whether the system is high-risk through product-safety rules or Annex III use areas.
  • Check transparency duties and GPAI model duties separately from high-risk classification.
  • Translate the classification into documentation, contract, governance and operational steps.

This workflow helps avoid two common errors. The first is overreach: treating every AI tool as if it were high-risk. The second is underreach: treating AI Act compliance as a supplier issue and ignoring the deployer's own use context, transparency duties or role changes caused by integration and rebranding.

Practical takeaway

The EU AI Act is broad, but structured. A reliable first analysis separates system from model, material scope from personal and territorial scope, and high-risk duties from transparency or GPAI obligations. That structure is more useful than asking only whether the company uses AI.

Once the map is clear, the business can decide what comes next: supplier due diligence, customer-facing documentation, high-risk system planning, GPAI model documentation, transparency notices, or a reasoned conclusion that the use case sits outside the Act's more intensive obligations.

Legal references

  • Regulation (EU) 2024/1689, in particular Articles 2, 3, 5, 6, 25, 50, 53, 55 and 113, and Annex III.
  • European Commission, AI Act overview, including the Commission's summary of the four risk levels and staged implementation timeline.
  • European Commission, General-Purpose AI Code of Practice materials where relevant to GPAI model compliance.
