EU AI Act and autistic AI tools

Brussels is currently refining which AI systems count as high-risk. For health and education AI, the question is decisive. Autistic Mirror deliberately sits outside that category. What that means in practice.

What this is about, in two sentences

The EU AI Act is the first regulation that classifies AI systems by risk. Wherever diagnoses, school placements, rehab access or personnel decisions are involved, the strictest obligations apply. That is exactly where it is decided which AI tools autistic people can safely use and which are neither legally nor ethically tenable.

What the EU AI Act regulates

The AI Regulation (Regulation EU 2024/1689)^[1] entered into force in August 2024 and applies in stages. Bans on certain practices and the AI literacy obligation (Article 4) have applied since 2 February 2025. Obligations for general-purpose AI models have applied since 2 August 2025. The decisive deadline for most providers is 2 August 2026: from that date the full requirements for high-risk AI systems under Annex III take effect.^[1]

The regulation defines four risk tiers: prohibited practices, high-risk systems, limited-risk systems and minimal-risk systems. The tier determines the obligations.

Where the line for health and education AI sits

Annex III names the domains in which AI systems automatically count as high-risk.^[1] Three of them dominate the current DACH HR debate: education and vocational training, employment and worker management, and access to essential services including health and social benefits. Anyone preparing or making decisions in these areas falls into the high-risk corridor.

Annex I additionally couples the regulation to medical-device law. As soon as an AI runs as a safety component of a medical device or as an in-vitro diagnostic, it counts as high-risk regardless of use case.^[3][5]

Article 6(3) provides a narrow exception: a system that performs only a preparatory or purely technical task and creates no significant risk to fundamental rights can fall outside the high-risk category despite operating in an Annex III area. As soon as profiling takes place, however, meaning automated evaluation of personal aspects, the exception no longer applies.

Why Autistic Mirror is not high-risk AI

Autistic Mirror is explicitly not a medical device. This position is stated in the privacy policy section 2.4 and in the terms of use. There is no diagnosis, no therapy, no triage, no recommendation of medical measures. The task is narrowly defined: explain neurological mechanisms of autistic experience and support self-reflection.

Four points carry the classification outside the high-risk corridor:

1. Not a medical device under MDR/IVDR.^[3][5] Annex I therefore does not apply.
2. No decision-preparing function in education, employment or access to essential services. The app evaluates no persons, sorts no applications, allocates no school or rehab places. The three critical Annex III pillars therefore do not apply.
3. No profiling within the meaning of Article 4(4) GDPR. Onboarding inputs (role, co-occurring conditions, age group) configure the system-prompt setting only. There is no automated evaluation of personal aspects, no prediction of behaviour, performance or health. The Article 6(3) exception therefore remains available.
4. No automated decision within the meaning of Article 22 GDPR.^[2][7] Use of the app produces no legal effects or similarly significant impacts. Answers are explanatory, not decisional.

The app does not provide clinical advice. When users explicitly request a diagnostic or treatment path, an output filter declines the request and points to qualified professionals. That is not self-restriction but the clean line between explanation and recommendation.

No emotion recognition, no biometric categorisation

Article 5(1)(f) of the EU AI Act prohibits emotion-recognition systems in the workplace and in education.^[1][4] Autistic Mirror performs no emotion recognition. There is no audio processing, no camera analysis, no voice or face analysis, no biometric categorisation. Inputs are free text. The app therefore also rules out a practice that would be especially risky for autistic people, whose emotional expression is systematically misread.

Transparency duties under Article 50

Even outside the high-risk corridor, the transparency duties of Article 50 apply from 2 August 2026. Users must be able to recognise that they are interacting with an AI system. Autistic Mirror meets this throughout: product name, onboarding, privacy policy and every answer are marked as AI-generated. There is no imitation of human counselling and no simulated therapeutic relationship.

Provider, deployer and GPAI classification

Autistic Mirror is a provider within the meaning of the EU AI Act. Organisations that distribute the app to their staff under a B2B licence are deployers and carry the duties of Article 26 to the extent applicable. Because Autistic Mirror is not high-risk, those duties are essentially limited to internal usage rules and informing employees. The underlying language model is a general-purpose AI model (GPAI) from a third party; the GPAI obligations under Chapter V are carried by the model provider, not by Autistic Mirror.

Why this matters for autistic people

When a generic AI issues a behavioural recommendation in a counselling, school or workplace context, for example "practise eye contact" or "reduce stimming", it intervenes deeply in autistic experience. Without a professional in between. Without a mechanism explanation. Such recommendations often follow a logic that wants to suppress autistic reactions instead of understanding them.

The EU AI Act addresses exactly this risk. It forces providers to declare themselves: do I issue diagnoses or recommendations affecting education, work or health, or do I stay with explanation. The dividing line does not only protect providers from audits, it protects autistic people from tools that try to correct their neurology instead of explaining it.

What high-risk obligations would actually cost

Anyone in the high-risk corridor must build a full conformity regime: documented risk management, data governance with training-data evidence, technical documentation, logging duties, human oversight, accuracy and robustness measurements, conformity assessment. Annex I cases additionally require a notified body.

A widely cited study by the Centre for European Policy Studies estimates the initial conformity cost for a single high-risk AI system at around EUR 29,277, plus annual costs of around EUR 71,400 for a certified quality management system, in each case excluding internal personnel cost and follow-up audits.^[6] For a small team this is only sustainable if the use case genuinely is high-risk. The answer is not to circumvent obligations but to scope the use case cleanly.

What we still meet voluntarily

Even outside the high-risk corridor, GDPR, ePrivacy and national rules apply. Autistic Mirror meets five compliance families in parallel: ISO/IEC 27001 Annex A for information security, OWASP Top 10 for application security, GDPR Articles 5, 9, 22, 25, 32, 35, EN ISO 9241 parts 110 to 210 for software ergonomics, and WCAG 2.1 Level A and AA for accessibility. Plus a 5-layer safety architecture with anti-ABA filter, crisis detection, output safety filter, injection detection and buffer-then-send.

The data protection impact assessment under Article 35 GDPR is documented, the record of processing activities under Article 30 likewise, the technical and organisational measures under Article 32 are written out. There is no tracking, no sale of data, no training of models on user content.

How this differs from generic AI

A generic chatbot without specialisation can slide into diagnostic language at any time, give therapy recommendations or suggest ABA-adjacent strategies. That places it in a legally unclear space the moment it is used for health or education questions, and in an ethically critical space the moment it meets autistic people.

Autistic Mirror has a fixed mechanism-first prompt and an output filter that blocks diagnostic recommendations and ABA content. The tool stays inside the permitted area without removing depth from users. Explanation instead of recommendation. Mechanism instead of diagnosis.

Generic AI

Open topic space. No diagnostic lock. No ABA filter. No crisis detection. Answers optimised for plausibility, not for neurological fidelity.

Autistic Mirror

Narrow use case: explain mechanism. Output filter against diagnostic and treatment recommendations. Anti-ABA filter. Redundant crisis detection in frontend and backend. Buffer-then-send so every answer is checked before display.

A bright spot

Regulation is often experienced as an obstacle. In the case of the EU AI Act it is an offer of clarity: it forces providers to decide whether they want to take diagnostic responsibility or not. Tools that explain mechanisms instead of issuing diagnoses can scale credibly without sliding into the high-risk corridor. That is at the same time the legally clean and the ethically defensible path. For autistic people it means: the tool stays usable, without anyone standing between them and their own neurology.

Autistic Mirror explains autistic neurology individually, related to your situation. Whether for yourself, as a parent, or as a professional.