
What is 'high-risk AI' under the EU AI Act? A plain-language guide for Belgian business owners

Stéphane Willems, 6 min read

Of all the EU AI Act jargon, one term decides almost everything: high-risk. If your AI is high-risk, a substantial set of obligations applies. If it isn't, you have a handful of light duties and you can get on with your day.

So the practical question for every Belgian business owner isn't "what does the whole Act say" — it's "is any of my AI high-risk?" This is the guide I wish more people read before they either panic or shrug.

I'm an engineer who classifies and audits these systems, not a lawyer — this isn't legal advice. But the classification logic is more learnable than it looks.


First: "high-risk" is about use, not sophistication

The most common misunderstanding is thinking high-risk means "advanced" or "powerful." It doesn't. The Act classifies by what the AI is used for and who it affects, not by how clever the technology is.

A basic spreadsheet-style model that decides who gets a loan is high-risk. A genuinely sophisticated AI that writes marketing copy is not. The question is always: does this system make or materially shape decisions that significantly affect people's lives, rights, or safety?


The four risk levels, briefly

The Act sorts AI into four buckets:

  1. Unacceptable risk — banned. Social scoring by authorities, certain manipulation, untargeted face-scraping. Almost no normal business builds these.
  2. High risk — heavily regulated. The category this article is about.
  3. Limited risk — transparency only. Chatbots and AI-generated content: you mainly have to tell people it's AI.
  4. Minimal risk — essentially free. Spam filters, recommendation engines, document summarisers. Most business AI lives here.

The whole game is figuring out whether you're in bucket 2 or bucket 4. Most Belgian KMOs (SMEs) are in bucket 4 and don't need to worry, but the ones in bucket 2 really do.


The high-risk categories that actually catch Belgian SMEs

The Act lists high-risk uses. Stripped to the ones that realistically show up in a Belgian mid-market company:

Employment and workers (the big one)

AI used for recruitment (screening CVs, ranking candidates, targeting job ads) or for decisions about workers (promotion, termination, task allocation, performance monitoring) is high-risk.

This is the category I see catch companies off guard the most. HR teams adopt a CV-screening tool because it saves time, with no idea it's the single most common high-risk trigger for an SME. If you use AI anywhere in hiring or people management, assume high-risk until you've confirmed otherwise.

Access to essential services

AI that decides eligibility for credit / loans, prices insurance based on risk, or controls access to essential private or public services. If you're in financial services or insurance, this is squarely you.

Education and training

AI that determines access to education or scores exams and assessments. Relevant if you run training, certification, or an edtech product.

Safety components

AI acting as a safety function in a product, or in the management of critical infrastructure (energy, water, transport). If your AI failing could hurt someone, it's likely here.

Biometrics

AI that identifies people biometrically, or infers things about them from biometric data. Less common in ordinary SMEs, but if you're doing facial recognition or similar, it's high-risk (and overlaps with banned uses — tread very carefully).


The honest test for "am I high-risk?"

Run your AI systems through these questions:

  1. Does it touch hiring or how you manage staff? → Likely high-risk.
  2. Does it decide who gets credit, insurance, or an essential service? → Likely high-risk.
  3. Does it score people in education or assessment? → Likely high-risk.
  4. Could it hurt someone if it fails (safety / critical infrastructure)? → Likely high-risk.
  5. Does it identify or profile people via biometrics? → Likely high-risk (and check the banned list).

If you answered no to all five, your AI is almost certainly not high-risk. It's minimal or limited risk: keep good data practice, tell people when they're interacting with AI, and you're done.

If you answered yes to any, you don't necessarily have a problem — but you have a classification you need to confirm and document, and if confirmed, a real set of obligations to meet before the August 2026 deadline.


What high-risk actually obligates you to do

If a system is confirmed high-risk, the duties are substantial — this is why you don't want to misclassify into it unnecessarily, and why you can't ignore it if you're genuinely in it. In broad strokes:

  • Risk management — a documented, ongoing process, not a one-off.
  • Data governance — your training/input data examined for quality and bias, with provenance recorded.
  • Technical documentation — written before deployment, describing the system, its data, its testing.
  • Logging — records that let you reconstruct decisions after the fact.
  • Human oversight — a real person able to understand, override, and stop the system.
  • Accuracy and robustness — tested and documented.

These take time to put in place properly. The mistake is treating them as paperwork to generate the week before an audit. They're design decisions — especially human oversight, which has to be built into how the system works, not added afterwards.


The two failure modes to avoid

I see companies fail in two opposite directions:

Over-classifying. A business gets scared, decides everything is high-risk, and spends money on consultants and documentation for a chatbot that was never high-risk. Wasteful, and surprisingly common when fear-driven vendors are involved.

Under-classifying. A business assumes its recruitment AI is "just a tool" and never checks, then discovers during a GDPR complaint or an audit that it's been running a high-risk system with none of the required safeguards. Expensive in a different way.

The fix for both is the same and it's cheap: actually classify your systems, write down the reasoning, and keep the note. A short, honest classification is your best protection in either direction.


The bottom line

"High-risk" isn't a vibe — it's a defined list, and for most Belgian KMOs the honest answer is "we're not high-risk, but two of our systems needed checking and now we've written down why." That note is worth more than any expensive platform.

The ones that genuinely are high-risk — usually because of recruitment, credit, or a safety function — should be treating August 2026 as a real deadline and getting the obligations in place now.


I write a short, practical newsletter that turns this kind of regulation into plain language for Belgian businesses — the AI Act, GDPR and AI, and senior engineering, no hype. Subscribe below if that's useful.

If you'd like the classification done properly — your systems mapped and each one's risk level confirmed in writing — that's exactly what WDC's AI Readiness Audit is for. And if you're planning new AI and want to get the classification right from the start, the AI Opportunity Assessment builds it in.
