Your vector database, retrieval layer, and LLM chain may trigger EU AI Act obligations. Find your risk tier in 2 minutes — before the August 2026 enforcement deadline hits.
Most RAG engineers assume the EU AI Act only applies to frontier model providers — OpenAI, Anthropic, Google. That assumption is expensive. If you deploy a RAG system that serves EU users, you are the deployer under Article 3(4) — and deployers carry real obligations regardless of whose model you call underneath.
The risk tier depends on what your retrieval layer surfaces, which domain it operates in, and whether your answers influence decisions about people. A customer support RAG bot is probably minimal risk. A RAG system that retrieves employee performance records to help managers make promotion decisions may be high-risk under Annex III. The line matters: high-risk means mandatory conformity assessments, technical documentation, and audit trails. Non-compliance penalties reach €15 million or 3% of global annual turnover.
The tool below walks you through the eight high-risk categories in plain language, flags GPAI transparency obligations if you're exposing a general-purpose model, and generates a shareable risk report you can use in your technical documentation.
- High risk: RAG over HR data, medical records, credit histories, legal case files, or law enforcement inputs. Requires conformity assessment + ongoing monitoring.
- Article 50 transparency: chatbot-style RAG that could be mistaken for a human. Must disclose AI nature to users under Article 50.
- Minimal risk: internal knowledge bases, developer docs, public FAQ bots. No mandatory obligations — but disclosure is best practice.
A RAG system that retrieves employee handbook chunks to answer HR questions is probably minimal risk on its own. But the moment it also retrieves individual performance scores, attendance records, or disciplinary notes to generate manager recommendations, it crosses into Annex III (employment and workers management). Run the full assessment to see exactly where your data scope pushes the risk tier.
Building a RAG system over patient records, clinical notes, or diagnostic reports for clinicians triggers the Annex III health category. Even if the LLM only summarizes retrieved chunks and a doctor makes the final call, you're still deploying an AI system that assists in a medical professional context. High-risk classification means you need a technical file, quality management system, and post-market monitoring — before you go live in any EU member state.
LegalTech RAG that retrieves contracts, regulations, or case law to draft legal summaries for attorneys sits in a gray zone. If it assists in decisions that directly affect someone's legal rights (e.g. whether to file a claim, which clauses to enforce), the administration of justice category in Annex III may apply. The assessment tool scores this against the exact regulatory text so you know whether you need a conformity assessment or just solid documentation.
A RAG chatbot that retrieves public documentation to answer product questions is the textbook minimal-risk scenario — but you still have an Article 50 transparency obligation: users must know they're talking to AI. The assessment generates the compliant disclosure language your team needs to drop into the chat UI. Skipping it is the most common EU AI Act mistake at minimal-risk companies.
RAG pipelines that retrieve transaction histories, credit reports, or investment records to generate summaries used in lending or investment decisions fall squarely under Annex III's access to financial services category. This is high-risk regardless of whether a human reviews the output. You need explainability hooks, audit logging, and a right-to-human-review mechanism — the assessment maps each requirement to your specific pipeline architecture.
Specialist EU AI Act compliance platforms charge enterprise prices for features RAG engineers rarely need — multi-stakeholder workflows, ISO certification prep, regulatory lobbying alerts. Here's how TinyTools compares for the core assessment use case:
| Tool | Price | RAG-Specific Guidance | Instant Report | No Login Required |
|---|---|---|---|---|
| TinyTools EU AI Act Assessment | Free | ✓ Yes | ✓ Yes | ✓ Yes |
| Securiti AI Governance | ~$30k/yr | ✗ Generic | ✓ Yes | ✗ No |
| OneTrust AI Governance | ~$25k+/yr | ✗ Generic | ✓ Yes | ✗ No |
| TrustArc AI Risk Manager | ~$15k/yr | ✗ Generic | ✗ Delayed | ✗ No |
| Lumenova AI Compliance | ~$10k/yr | ✗ Generic | ✓ Yes | ✗ No |
| DIY (reading EUR-Lex) | Free | ✗ Manual | ✗ No | ✓ Yes |
Enterprise pricing estimates based on publicly available tiers and analyst sources as of 2026. TinyTools is free and browser-side — no data leaves your device.
Yes. The Act applies wherever the output of your AI system affects persons located in the EU — the same extraterritorial logic as GDPR. If EU users interact with your RAG pipeline, the Act applies to you.
Potentially. If your RAG system is used in HR, performance evaluation, or any Annex III-adjacent process, the employees it affects still have rights under the Act. Internal deployment doesn't exempt you from high-risk obligations.
All three together constitute your "AI system" as a deployer. The assessment covers the full pipeline — the orchestration layer (LangChain), the vector store (Pinecone), and the generative model (OpenAI) — as a single deployment.
For violations related to high-risk systems: up to €15 million or 3% of global annual turnover, whichever is higher. For supplying incorrect information to authorities: up to €7.5 million or 1% of global turnover.
GPAI model rules (Title VIII) were enforceable from August 2025. High-risk system obligations (Annex III) are enforceable from August 2026. The assessment generates action items tagged by deadline so you can prioritize.