
EU AI Act high-risk systems explained (Annex III)

Published June 9, 2026 · 6 min read

“High-risk” is the category that triggers the EU AI Act's full obligation set — risk management, technical documentation, human oversight, conformity assessment, and registration. Knowing whether you are high-risk is the single most important question for most providers and deployers.

Two routes to high-risk

  • Annex III (stand-alone): listed use cases such as recruitment, credit scoring, education, law enforcement, and biometrics. Obligations apply from 2 December 2027 (provisional, pending formal adoption; Digital Omnibus reschedule).
  • Annex I (embedded in products): AI that is a safety component of a regulated product (e.g. medical devices, machinery). Obligations apply from 2 August 2028 (provisional, pending formal adoption; Digital Omnibus reschedule).

The Annex III categories

  • Biometrics and biometric categorisation
  • Critical infrastructure safety components
  • Education and vocational training
  • Employment, recruitment, and worker management
  • Access to essential private and public services (incl. credit scoring)
  • Law enforcement, migration, asylum, and border control
  • Administration of justice and democratic processes

What high-risk requires

A risk management system (Art. 9), data governance (Art. 10), Annex IV technical documentation (Art. 11), human oversight (Art. 14), accuracy and robustness (Art. 15), a fundamental rights impact assessment for some deployers (Art. 27), conformity assessment (Art. 43), and EU database registration (Art. 49).

Find out where you stand

Use our free EU AI Act Risk Checker to get an instant tier, or see the obligations for your segment under solutions by use case.