Free tool 5 minutes AI Act 2026

AI Act Traffic Light 2026 — classify your AI risk category in 5 minutes

Dedicada framework from Genai Sapiens Consulting to classify an enterprise AI system in one of the 4 categories of EU Regulation 2024/1689 (AI Act). Five questions, visual traffic light result, applicable obligations checklist and downloadable PDF. Indicative — does not replace professional legal advice.

5 min read By Higini Moré
Editorial minimalist illustration with three abstract green, amber and red traffic-light circles over AI connection network on neutral white background — visual representation of the Genai Sapiens Consulting AI Act Traffic Light framework
AI Act Traffic Light — quick risk category evaluation under EU Regulation 2024/1689.

What is the AI Act Traffic Light?

A free tool from Genai Sapiens Consulting that condenses into 5 questions the classification of an AI system under EU Regulation 2024/1689 (AI Act). Each answer updates the traffic light towards green (minimal), amber (limited) or red (high risk or prohibited) and maps to one of the 4 formal categories of the Regulation.

It is not legal advice. It is an operational bridge between the dense regulatory text and the executive question CEOs, CTOs and compliance leads actually have: which category does my system fall into and what do I need signed before 2 August 2026?

The 5 critical Traffic Light questions

Each question is binary (yes/no) and designed for immediate answer without consulting the Regulation. Conservative rule: if in doubt, the answer is NO until formally documented with legal peer review.

5 Traffic Light questions — effect on final category
#QuestionTraffic light effect
Q1Does your system make autonomous decisions that affect fundamental rights (employment, education, credit, justice, asylum)?🔴 YES → likely Cat II high risk (Annex III) · 🟢 NO → continue
Q2Does it process biometric data, health data or other GDPR Art 9 special categories?🔴 YES → likely Cat II / Art 5 risk · 🟢 NO → continue
Q3Is there inviolable HITL (Human-in-the-Loop) oversight on critical system decisions?🟢 YES → mitigates Cat II risk · 🟠 NO + Cat II = non-compliant
Q4Do you document DPIA (GDPR Art 35), FRIA (AI Act Art 27) and technical report (Art 11)?🟢 YES → governance OK · 🟠 NO → pending Cat II/III
Q5Have you formally classified your system in an AI Act category?🟢 YES → formal classification · 🟠 NO → pending evaluation

Fuente: Genai Sapiens Consulting — AI Act Traffic Light 2026 framework

Result: which AI Act category are you?

EU Regulation 2024/1689 defines four categories with obligations of increasing density. Your Traffic Light answers place you in one of them. The table summarises main obligations and application dates.

4 AI Act categories + examples + main obligations
CategoryTypical examplesMain obligations + application date
Cat I — PROHIBITEDSubliminal manipulation, social scoring, predictive policing, mass biometric scraping, workplace/education emotion recognitionDirectly prohibited. Fines up to €35M or 7% global turnover. Applies from 2-Feb-2025.
Cat II — HIGH RISKAnnex III: employment (HR), education, credit, justice, critical infrastructure, biometrics, asylum, essential servicesRisk management (Art 9), data governance (Art 10), technical documentation (Art 11), event logging (Art 12), transparency (Art 13), HITL human oversight (Art 14), accuracy (Art 15), FRIA deployer (Art 27), EU DB registration (Art 49-71). Applies 2-Aug-2026.
Cat III — LIMITED (transparency)Chatbots, synthetic content generation (deepfakes, images, audio, video), systems interacting with natural personsArt 50 transparency: inform users they are talking to AI and label synthetic content. Applies 2-Aug-2026.
Cat IV — MINIMALSpam filters, AI in video games, trivial recommendations, non-critical internal searchVoluntary code of conduct. Art 4 AI literacy applies from 2-Feb-2025 to ALL categories.

Fuente: EU Regulation 2024/1689 AI Act — Arts 5, 9-15, 26-27, 49-71, 50. EC guidelines Feb 2025.

The AI literacy Art 4 obligation applies from 2 February 2025 to all categories and all actors — provider, deployer, distributor, importer. It is the requirement most frequently omitted in AI compliance inventories.

Interactive evaluation (Spanish)

The interactive 10-question assessment that generates a personalised PDF is currently only available in Spanish — translation is on the Phase 9 roadmap (B24b). You can run the assessment in Spanish at semaforo-ai-act (ES) — answers stay in your browser, no email gate, no tracking. For a faster English workflow, use the 5-question framework above and contact us for validation.

Download the complete PDF framework (Spanish version)

The 2-page PDF captures the 5 questions, the 4-category + obligations table, a 90-day plan and the official citable sources (EUR-Lex, BOE, AESIA, AEPD, EDPB, Commission guidelines). The document to share with your legal team. No form, no email gate, direct download. English PDF is on the Phase 9 roadmap (B30+).

AI Act Traffic Light 2026 — downloadable PDF framework

2 pages · 7 KB · free PDF. The 5 questions + category table + 90-day plan + official citable sources. Version 1.0 — April 2026. Currently Spanish only; English translation on roadmap.

Download PDF (Spanish, 2 pages) ↓

How Genai Sapiens Consulting helps with compliance

The Traffic Light gives you the category. Implementing the obligations — DPIA, FRIA, HITL runbook, Art 11 technical documentation, EU DB registration, post-market vigilance — is real work that takes 2 to 8 weeks depending on company size and number of AI systems. Three packages we deliver at GSC:

  1. Initial AI Act audit (1-2 weeks, €2,500-€4,500) — AI system inventory, formal per-system classification, gap analysis against applicable obligations, 30/60/90 prioritisation.
  2. DPIA + FRIA + HITL runbook package (2-3 weeks, €4,500-€7,500) — GDPR Art 35 DPIA, AI Act Art 27 FRIA, HITL runbook with identified owners, retention policy, access matrix — all delivered as client-owned assets.
  3. End-to-end compliance implementation (6-10 weeks, €12,000-€28,000) — Art 11 technical documentation, Art 12 event logging, Art 13 usage instructions, Art 14 HITL measures, integration with existing stack, team training (Art 4 AI literacy).

Frequently asked questions about the AI Act Traffic Light

When does the AI Act enter into force in Spain?
EU Regulation 2024/1689 (AI Act) entered into force on 1 August 2024 with staggered application. Prohibitions (Cat I) apply from 2 February 2025. Governance obligations and GPAI models from 2 August 2025. High-risk systems from Annex III from 2 August 2026. High-risk systems from Annex I (regulated products) from 2 August 2027. Spain designates AESIA (Spanish AI Supervision Agency, La Coruña) as the competent authority.
What risk categories does EU Regulation 2024/1689 define?
Four categories: Cat I Prohibited (subliminal manipulation, social scoring, predictive policing, mass biometric scraping, workplace/education emotion recognition) — directly prohibited. Cat II High risk (Annex III: employment, education, credit, justice, critical infrastructure, biometrics, asylum) — Art 9-15 obligations. Cat III Limited risk (chatbots, synthetic content, systems interacting with people) — Art 50 transparency. Cat IV Minimal (spam filters, video games) — voluntary code of conduct.
How do I know if my AI system is high risk?
Two paths: (1) Annex I of the Regulation — AI systems incorporated into products regulated by sectoral legislation (medical devices, machinery, automotive, aviation). (2) Annex III — 8 areas: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to private essential and public services, law enforcement, migration and asylum, justice administration and democratic processes. Our Traffic Light evaluates the 5 core questions — for formal validation we recommend legal peer review.
What obligations does a deployer have vs a provider?
The provider (who builds and places the system on the market) has obligations under Art 16-29: risk management system, technical documentation, human oversight by design, CE declaration, EU DB registration, post-market vigilance. The deployer (who uses the system in a professional context) has obligations Art 26-27: use according to instructions, operational human oversight, FRIA (fundamental rights impact assessment) if public sector or high impact, cooperation with authorities. Both share the AI literacy Art 4 obligation already in force.
What fines can AESIA impose under the AI Act?
Three levels: (1) prohibited practices Art 5 — up to €35M or 7% of annual worldwide turnover. (2) non-compliance with high-risk system obligations Cat II — up to €15M or 3%. (3) incorrect information to authorities — up to €7.5M or 1%. For SMEs and startups the lower of the two amounts applies. AESIA is the competent national authority in Spain (La Coruña).

Need AI Act compliance without pain?

Free 30-minute diagnosis with Higini Moré, founder of Genai Sapiens Consulting — no junior intermediary. We review your AI systems, classify each one by AI Act category, identify gaps and tell you whether a light audit, a full DPIA+FRIA or an end-to-end implementation is the right fit.

Book a free 30-min AI Act diagnosis →