EU AI Act: What Counts as a High-Risk AI System
By the SwarmSync Team · Last Updated
The EU AI Act does not regulate all AI equally. It reserves its most demanding requirements for systems classified as 'high-risk' under Annex III — a specific list of eight categories covering everything from biometric identification to credit scoring to the administration of justice. This guide explains what places an AI system in that list, what obligations follow, and what your team needs to do before deployment.
What makes an AI system "high-risk" under the EU AI Act?
The EU AI Act uses a risk-based pyramid. Most AI — productivity tools, recommendation engines, general chatbots — sits at the base with minimal obligations. A smaller group of systems in categories where AI decisions significantly affect people's lives, rights, or safety is placed in the high-risk tier. High-risk status is not a judgment about how likely the system is to malfunction; it is a judgment about the severity of potential harm if it does.
There are two routes to high-risk classification under the EU AI Act. The first is being an AI system that functions as a safety component of a product already regulated by specific EU product-safety laws listed in Annex I — machinery, medical devices, aviation equipment, and similar. The second, and the one most software teams encounter, is falling into one of the eight use-case categories in Annex III. This guide focuses on Annex III.
A critical nuance: Annex III does not make entire industries high-risk. It targets specific functions within those industries. An AI tool that helps a recruiter write a job description is not high-risk. An AI system that ranks and filters job applicants for an employer — making or substantially influencing who advances — is. The question is always whether the system's specific function matches the specific use case described in the Annex.
The complete Annex III list: all eight categories explained
The table below sets out every category in Annex III of the EU AI Act, with a plain-English description of what the regulation is targeting in each one. These are the only eight categories. Do not infer additional categories from sector analogy — the list is exhaustive unless formally amended by the European Commission under Article 7.
| No. | Category | What it covers (plain English) |
|---|---|---|
| 1 | Biometrics | AI systems used for remote biometric identification of people; biometric categorisation (assigning individuals to categories based on biometric data such as facial geometry, gait, or voice); and emotion recognition in workplaces or educational institutions. Real-time remote identification in public spaces by law enforcement is generally prohibited, not merely high-risk. |
| 2 | Critical infrastructure | AI used as a safety component in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity. The trigger is the safety-component role, not general use within an infrastructure sector. |
| 3 | Education and vocational training | AI systems that determine access to educational or vocational training institutions (e.g. admissions scoring), evaluate students or participants, assess the appropriate level of education for an individual, or monitor and detect prohibited behaviour during tests and assessments. |
| 4 | Employment, workers management, and access to self-employment | AI systems used to make decisions — or to substantially influence decisions — about recruitment and selection, task allocation, performance evaluation, promotion, termination, and behavioural monitoring of employees or self-employed workers. Covers the full employment lifecycle where AI drives or filters decisions that affect individuals. |
| 5 | Access to essential private and public services and benefits | AI systems used by public authorities to evaluate eligibility for public benefits and services, and AI systems used to evaluate creditworthiness or establish credit scores (except for fraud detection). Also covers AI used in risk assessment and pricing for life and health insurance. This is the category that brings credit-scoring and insurance-pricing AI into scope. |
| 6 | Law enforcement | AI systems used by law enforcement authorities to assess an individual's risk of becoming a victim or of committing offences; as lie detectors (polygraph equivalents) or similar tools for assessing the reliability of evidence; to profile individuals based on personal characteristics in order to predict crime; and to analyse deep fakes or similar synthetic content. |
| 7 | Migration, asylum, and border control management | AI systems used by competent authorities to assess the security or health risk posed by a person, to verify the authenticity of travel documents, to assist in examination of asylum applications, and to predict irregular migration. The common thread is AI making consequential assessments about individuals at national borders or in immigration proceedings. |
| 8 | Administration of justice and democratic processes | AI systems intended to assist judicial authorities in researching and interpreting facts and the law and in applying the law to a concrete set of facts. Also covers AI used to influence elections or referenda outcomes, including voter profiling. This is the category most directly tied to constitutional democratic safeguards. |
Which of my AI systems might be high-risk? A decision framework
The following steps form a structured decision tree. Work through them in order. A "yes" at a step that leads to a high-risk conclusion means you must proceed with the full set of Annex III obligations; a definitive "no" at an early gate lets you stop and document your reasoning.
- Is the system AI at all under the EU AI Act definition? The regulation covers machine-based systems that infer, from input, how to generate outputs such as predictions, content, recommendations, or decisions. Pure rule-based systems with no learned inference are not AI systems under the Act. If your system is purely deterministic rules, it is outside scope. If it involves any learned model component, continue.
- Is the system used in the EU, or does it affect people in the EU? The EU AI Act applies regardless of where the provider or deployer is established, if the outputs are used within the EU or affect people located in the EU. If neither applies, the Act does not bind you — though other jurisdictions may have equivalent rules.
- Is the system a safety component of an Annex I product? Check the list in Annex I of the EU AI Act: it includes machinery, medical devices, in-vitro diagnostics, aviation systems, motor vehicles, agricultural machinery, and marine equipment, among others. If your AI system is a safety component of one of those regulated products, it is high-risk regardless of what it does. Go directly to the obligations section below.
- Does the primary function of the system match one of the eight Annex III categories? Work through each category in the table above. Focus on what the system actually does, not what industry it is sold into. Mapping by industry sector alone causes both false positives (non-high-risk tools in a listed sector) and false negatives (high-risk tools in unlisted sectors).
- Does the system make or substantially influence individual decisions? Many Annex III categories are triggered not just by using AI in a listed domain but by the system making or substantially influencing consequential decisions about individual people. An AI that produces aggregate statistics for a recruiter's dashboard is in a different position from one that ranks and filters individual candidates. If your system outputs a ranked list, a score, or a recommended action about a specific person in a high-risk domain, it is most likely in scope.
- Does any exemption apply? The EU AI Act contains narrowing provisions for research and development (systems not yet placed on the market), systems used purely for military or national security purposes, and AI intended exclusively for scientific research. If an exemption legitimately applies, document it precisely — regulators will ask.
- If in doubt, assume high-risk and get legal review. The cost of misclassifying a high-risk system as low-risk is orders of magnitude higher than the cost of a legal review. The EU AI Act self-assessment calculator provides a structured scoping tool to guide this analysis and produce a documented classification record.
What obligations apply to high-risk AI systems?
Once a system is classified as high-risk under Annex III, Chapter III Section 2 of the EU AI Act lays out a mandatory set of technical and organisational requirements that must be met before the system can be placed on the EU market or put into service. These are not suggestions; they are legal prerequisites for deployment.
Risk management system
Article 9 requires providers to establish, implement, document, and maintain a risk management system throughout the entire lifecycle of the high-risk AI system. The system must identify and analyse known and foreseeable risks to health, safety, and fundamental rights; estimate and evaluate the risks that may emerge when the system is used as intended or in reasonably foreseeable misuse; and adopt risk mitigation measures. The risk management system is not a one-time exercise — it must be continuously updated as post-market data comes in.
Data and data governance
Article 10 sets requirements for the training, validation, and testing data used in high-risk systems. Data must be subject to governance practices covering data collection, processing, and preparation. Training data must be relevant, representative, free of errors to the extent possible, and complete in light of the intended purpose. Bias must be examined and addressed. These requirements apply to data used at the model level, not just at the application layer.
Technical documentation
Article 11 requires providers to draw up technical documentation before the system is placed on the market and to keep it up to date. The documentation must contain, at minimum, a general description of the system; a description of the training methodology, data, and training processes; information on validation and testing; and details of the monitoring, functioning, and control of the system. This documentation is what national authorities inspect — it must be detailed enough for a competent authority to assess compliance.
Automatic record-keeping and logging (Article 12)
High-risk AI systems must be designed to automatically record events over the system's lifetime. The logs must enable identification of risk situations and substantial modifications, and must support post-market monitoring by the provider and monitoring by the deployer during operation. For biometric systems, additional specific fields must be logged. Logs must be retained for at least six months. For a full breakdown of the logging obligation, see our guide to EU AI Act Article 12 logging requirements.
Transparency and instructions for deployers
Article 13 requires that high-risk AI systems are designed and developed to be sufficiently transparent so that deployers can interpret the system's outputs and use them correctly. Providers must supply instructions for use that cover the system's identity, capabilities and limitations, performance metrics, intended deployment contexts, and the human oversight measures that should be applied.
Human oversight
Article 14 requires high-risk AI systems to be designed so that human oversight is possible and effective. The system must allow the humans responsible for its use to understand its capabilities and limitations, detect and address failures, override or disregard outputs, and interrupt or stop the system. Human oversight must be built in, not bolted on after deployment.
Accuracy, robustness, and cybersecurity
Article 15 requires high-risk AI systems to be designed to achieve an appropriate level of accuracy, robustness, and cybersecurity. They must perform consistently throughout their lifecycle, must be resilient against attempts by third parties to exploit vulnerabilities, and must include technical redundancy and failsafe mechanisms where appropriate for the risk.
Conformity assessment and CE marking
Before placing a high-risk AI system on the market, providers must carry out a conformity assessment demonstrating that the system meets all the above requirements. For most Annex III systems, providers may self-assess. For certain biometric systems, a third-party notified body assessment is required. After a successful assessment, the provider affixes the CE mark and registers the system in the EU database of high-risk AI systems.
Registration in the EU database
High-risk systems must be registered in the EU-level public database before market placement. The database is maintained by the European AI Office and is intended to give authorities, deployers, and the public visibility into which high-risk systems are in use across the EU.
How to determine if your company's AI is in scope
In practice, the scoping exercise involves three parallel workstreams: a technical inventory, a legal mapping, and an organisational assessment.
Build an AI inventory first
You cannot classify what you have not found. Start by identifying every AI system or AI-powered feature your company develops, deploys, or procures — including third-party tools that integrate AI into your workflows. Many companies discover that AI is more pervasive than their initial estimate: embedded in HR tools, in customer-scoring APIs, in fraud-detection services, and in document-processing pipelines.
Map each system to Annex III
For each item in your inventory, work through the decision steps above. Document the mapping explicitly: which Annex III category, if any, is triggered; what the basis for the conclusion is; and who signed off on the analysis. Undocumented classification decisions create audit risk — a regulator who asks why you treated a system as low-risk should find a clear written answer, not a verbal recollection.
Identify which role you occupy
Are you the provider (the entity that developed the system and placed it on the market), the deployer (the entity that puts it into service within its own organisation), or both? The role determines which obligations fall on you. A company that builds an AI recruitment tool and sells it to employers is a provider. An employer that buys that tool and uses it is a deployer. A company that buys a foundation model and builds its own credit-scoring product on top of it may be reclassified as a provider for that downstream product.
Use the self-assessment calculator as a starting point
Scoping analysis is not a one-time event — it should be repeated whenever you launch a new product, substantially modify an existing system, or enter a new market. The EU AI Act self-assessment calculator provides a structured, question-driven framework that walks through the scoping decision and produces a documented output you can keep on file. It does not replace legal advice for complex cases, but it is the right starting point for every system in your inventory.
Penalties for non-compliance
The EU AI Act's enforcement regime (Article 99) sets tiered penalties. The bands are "whichever is higher" of a fixed euro ceiling or a percentage of global annual turnover — except for SMEs and start-ups, for whom it is the lower of the two.
| Type of breach | Maximum fine | Notes |
|---|---|---|
| Prohibited AI practices (Art. 5) | Up to €35M or 7% of global annual turnover | Highest band; reserved for banned uses |
| Breach of high-risk obligations (incl. Annex III requirements, logging, data governance) | Up to €15M or 3% of global annual turnover | The band that applies to most Annex III compliance failures |
| Incorrect or misleading information to authorities | Up to €7.5M or 1% of global annual turnover | Applies to false or misleading information supplied to regulators or notified bodies |
Non-compliance with Annex III obligations tends to cascade: a missing risk management system means inadequate testing, which means inadequate technical documentation, which means a conformity assessment that cannot be completed. Regulators investigating one gap typically find several. Treating compliance as an interconnected system — not a checklist of independent boxes — is the only approach that survives a real audit.
Next steps if your AI system is in scope
If you have determined that one or more of your AI systems is high-risk under Annex III, the practical starting point is a gap analysis: measure your current documentation, data governance, logging, and oversight practices against each Article 9–15 obligation, identify what is missing, and sequence remediation from the obligations that require the longest lead time (risk management systems and training-data governance) to those you can implement more quickly (logging, transparency documentation).
Article 12 logging is frequently the first obligation teams tackle because it is technically concrete — it involves building or adapting infrastructure — and because it also serves the post-market monitoring obligation in Article 9. If your logging is not yet structured around risk identification and modification tracking, AuditProof can help you build Article 12-oriented audit trails and convert your AI process records into evidence that meets the EU AI Act's documentation standard. For initial scoping and classification, begin with the EU AI Act self-assessment calculator.
Frequently asked questions
What is the difference between prohibited AI and high-risk AI under the EU AI Act?
Prohibited AI (Article 5) covers outright banned uses — such as real-time remote biometric identification in public spaces by law enforcement in most circumstances, or social scoring by public authorities. High-risk AI (Annex III) is not banned; it is permitted but must meet a demanding set of obligations before it is deployed. Think of prohibited AI as a red line you cannot cross, and high-risk AI as a lane you can drive in, provided you meet all the road rules.
Does Annex III cover every AI system used in a listed sector?
No. Annex III is more precise than that. It lists specific use cases within each sector, not the sector as a whole. An AI tool used for general HR administration is not automatically high-risk; an AI system that makes binding decisions about worker recruitment, promotion, or task allocation is. The key question is always whether the specific function of the system matches the specific use case in the Annex, not just whether you operate in a listed industry.
Are general-purpose AI models high-risk under Annex III?
General-purpose AI models (GPAIMs) — foundation models or large language models used for many tasks — are not automatically high-risk under Annex III. The EU AI Act has a separate chapter (Title VIII) for GPAIMs, covering transparency and systemic risk at the model level. A GPAIM becomes subject to high-risk obligations when it is integrated into a specific downstream system that falls into an Annex III category. The deployer who builds that downstream system typically takes on the high-risk obligations.
When do Annex III high-risk obligations legally apply?
Under the EU AI Act as enacted, high-risk (Annex III) obligations apply from 2 August 2026. A "Digital Omnibus" reform provisionally agreed in May 2026 is expected to defer this date to 2 December 2027 once formally adopted, but that reform had not been formally adopted as of June 2026. Until adoption, the 2 August 2026 date is the live legal position. Teams should design to the enacted law and monitor the reform closely.
Who is responsible for Annex III compliance — the AI developer or the company using it?
Both can be responsible, but in different roles. The "provider" (the entity that develops or places the system on the market) carries the primary technical obligations: conformity assessment, CE marking, technical documentation, logging, and registration. The "deployer" (the company putting the system into use) must follow the provider's instructions, monitor the system in operation, keep logs under their control, implement human oversight, and carry out data protection impact assessments where needed. If a company adapts or substantially modifies an existing system, it may be reclassified as a provider.
Is credit scoring always high-risk under the EU AI Act?
Credit scoring is listed under Annex III Category 5 — access to essential private and public services and benefits — and is one of the explicitly named use cases. AI systems that evaluate creditworthiness or establish credit scores are high-risk when those scores are used to make decisions that materially affect people's access to credit. Internal scoring tools used only for portfolio analytics without feeding individual credit decisions may sit in a different position, but the boundary requires careful legal analysis.
What is a conformity assessment and who carries it out?
A conformity assessment is the formal process by which a provider verifies that a high-risk AI system meets all of the EU AI Act requirements before placing it on the market. For most Annex III systems, providers may self-assess — running the assessment themselves and documenting the results. For certain biometric systems (primarily remote biometric identification), third-party assessment by a notified body is required. Completing a conformity assessment is a prerequisite for affixing the CE mark and registering the system in the EU database.
What penalties apply if my high-risk AI system is not compliant?
Article 99 of the EU AI Act sets three fine bands. Non-compliance with obligations that apply to high-risk systems (including technical requirements, logging, and conformity assessment) can attract fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher. Prohibited practices face the highest band of up to €35 million or 7%. Providing misleading information to regulators carries a separate band of up to €7.5 million or 1%. For SMEs and start-ups, the fine is the lower of the fixed amount and the percentage, not the higher.