Operationalizing ‘Risk’ as a Legal and Computational Concept under the EU AI Act

  • Partner: Stanford University, Computer Science Department and Law School

The EU AI Act takes a risk-based approach to regulating AI systems, calibrating the intensity of regulation to the risks they pose. The term ‘risk’ implies quantification, since risk results from combining the probability of harm with its severity; yet the AI Act refers to risks to fundamental rights, which calls for a qualitative assessment. In this piece, we address this puzzle with a framework that integrates risk with the protection of fundamental rights, the legitimate purposes of providers and deployers, and the cost of regulatory measures. We discuss this framework against the backdrop of potential approaches to quantifying risk, focusing on how to define and measure its main elements: probability, severity and their combination. We conclude that the chosen approach to quantifying risk directly affects how an AI system is classified under the AI Act and, consequently, which rules apply to it. If the quantification of risk is left to providers and deployers, however, there is potential for ‘risk hacking’: choosing the quantification that yields the lowest classification, which could lead to the underclassification of AI systems and to regulatory shortcuts.