EU AI Act Annex III: Is Your AI System High-Risk?
A practitioner's guide to EU AI Act Annex III classification — decide if your AI system is high-risk before the August 2026 deadline.
The most expensive mistake in EU AI Act readiness is not weak documentation or a late conformity assessment. It is misclassifying a system at the start — assuming an internal tool is low-stakes when it actually sits squarely in Annex III. Get the classification wrong and every downstream control is built on sand.
This guide walks through how to decide, defensibly, whether your AI system is high-risk. It is written from delivery experience: at CC Conceptualise we run these assessments for European enterprises, and the hard part is almost never the obvious cases. It is the borderline systems where a single Article 6(3) judgement changes the entire compliance burden.
TL;DR / Key takeaways
- Two routes to high-risk: a system is high-risk either as a safety component under Annex I (e.g. medical devices, machinery) or because its use case is listed in Annex III (employment, credit, critical infrastructure, education, law enforcement, and more).
- Annex III is not automatic. The Article 6(3) filter can exclude systems doing narrow, procedural, or preparatory work — but never if the system profiles natural persons.
- Prohibited is not the same as high-risk. Prohibited practices are banned outright (fines up to EUR 35M / 7% of turnover); high-risk systems are allowed but regulated (up to EUR 15M / 3%).
- The clock is real: Annex III high-risk obligations apply from 2 August 2026: conformity assessment, EU database registration, technical documentation, post-market monitoring, and human oversight. Systems caught only through the Annex I route follow the later 2 August 2027 date.
- Classification must be documented. A written, evidenced decision is itself a compliance artefact, not optional housekeeping.
The four risk tiers, briefly
The EU AI Act is a risk-based regulation. Before you can classify a single system you need the map:
| Tier | What it covers | Core obligation | Maximum fine |
|---|---|---|---|
| Prohibited | Social scoring, manipulative AI, untargeted facial-recognition scraping, certain emotion recognition | Cease or redesign — cannot be made compliant | EUR 35M or 7% of global turnover |
| High-risk | Annex I safety components + Annex III use cases | Full lifecycle compliance (see below) | EUR 15M or 3% of global turnover |
| Limited-risk | Chatbots, deepfakes, synthetic content | Transparency / disclosure (Article 50) | EUR 15M or 3% of global turnover (same bracket as high-risk) |
| Minimal-risk | Spam filters, recommendation engines, most internal tooling | None specific | — |
Most enterprise debate happens in one band: is this system high-risk or not? That is the question this guide answers.
Step 1 — Rule out prohibited practices first
Do not start with Annex III. Start with Article 5, the banned list. A system that performs social scoring (the final text is not limited to public authorities), deploys subliminal or manipulative techniques that cause harm, scrapes facial images untargeted to build recognition databases, or infers emotions in the workplace or education (outside narrow safety/medical exceptions) is prohibited. Article 5 also bans, among others, predictive policing based solely on profiling and biometric categorisation that infers sensitive attributes, so screen against the full article rather than a summary. No amount of documentation or human oversight makes a prohibited system lawful.
The reason to screen here first is commercial: people frequently conflate "prohibited" with "high-risk and therefore fixable." They are not the same category. The penalty exposure alone — EUR 35M or 7% of global turnover for prohibited practices versus EUR 15M or 3% for high-risk failures — justifies a deliberate first pass.
Step 2 — The Annex I safety-component route
A system is automatically high-risk if it is, or is a safety component of, a product covered by the EU harmonisation legislation in Annex I — medical devices, in-vitro diagnostics, machinery, lifts, vehicles, toys, radio equipment, and similar — and that product must undergo third-party conformity assessment under its sectoral law.
If you build AI inside a regulated physical or medical product, you likely arrive at high-risk through this door regardless of what Annex III says. This is the route enterprise architects in MedTech, industrial, and mobility sectors most often miss because they are looking at the AI-specific list and not their existing CE-marking obligations.
Step 3 — Map your use case to Annex III
If the safety-component route does not catch your system, work through the eight Annex III areas. A system whose intended purpose falls into one of these is, in principle, high-risk:
- Biometrics — remote biometric identification, biometric categorisation, emotion recognition (where not prohibited).
- Critical infrastructure — safety components in the management of road traffic, water, gas, heating, electricity, and digital infrastructure.
- Education and vocational training — admission, evaluation of learning outcomes, assessment of the appropriate level of education, monitoring during tests.
- Employment and worker management — recruitment, CV filtering, interview scoring, promotion and termination decisions, task allocation.
- Access to essential services — evaluating the creditworthiness or credit score of natural persons (systems used to detect financial fraud are excepted), life and health insurance risk assessment and pricing, eligibility for public benefits, and evaluating and classifying emergency calls and dispatch prioritisation.
- Law enforcement — risk assessment of individuals, evidence reliability evaluation, profiling during investigations.
- Migration, asylum, and border control — risk assessment, application examination, document verification.
- Administration of justice and democratic processes — assisting judicial authorities in researching and interpreting facts and law.
Watch out: A CV-ranking tool that produces a "match score" for recruiters is a high-risk employment system, even though a human makes the hire. The Act covers systems that assist or inform decisions in these domains, not only those that decide autonomously.
Step 4 — Apply the Article 6(3) filter
Here is the nuance that separates a real classification from a checkbox. Falling into an Annex III category does not automatically make a system high-risk. Article 6(3) provides a carve-out: an Annex III system is not high-risk if it does not pose a significant risk of harm to health, safety, or fundamental rights, including by not materially influencing the outcome of decision-making. That is the case where the system only:
- performs a narrow procedural task;
- improves the result of a previously completed human activity;
- detects decision-making patterns, or deviations from prior decision-making patterns, and is not meant to replace or influence a previously completed human assessment without proper human review; or
- performs a preparatory task to an assessment relevant to one of the Annex III use cases.
The override: if the system performs profiling of natural persons, it is always high-risk. None of the four conditions applies, however narrow the task.
In practice this is where we spend most of our assessment time. A tool that formats and de-duplicates incoming applications is plausibly a narrow procedural task; a tool that scores and ranks candidates is profiling. The line is real, but it must be argued in writing. A provider that relies on Article 6(3) must document the assessment before placing the system on the market (Article 6(4)), register the system in the EU database as a non-high-risk Annex III system (Article 49(2)), and be able to hand the reasoning to a market surveillance authority on request.
Step 5 — Record and register the decision
Whatever the outcome, the classification itself is a compliance artefact. We recommend a one-page decision record per system: intended purpose, route assessed (Annex I / Annex III), the relevant Annex III point, the Article 6(3) analysis with reasoning, the responsible owner, and the date. If you concluded high-risk, the next moves are concrete — and they map onto our companion guides:
- Work through the August 2026 readiness checklist to sequence the obligations.
- Confirm whether you can self-assess or need a notified body in the conformity assessment guide.
- Assemble the file using our technical documentation template.
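The five steps above, encoded as a small classification function that produces the Step 5 decision record. This is an added example, not code from the original page or from CC Conceptualise; the field names, the short keys for the Annex III areas, and the JSON record layout are assumptions made here for illustration. It applies the steps in the order the page prescribes, so the profiling override is checked before any Article 6(3) condition is considered, and a human in the loop is recorded in the reasoning but never changes the tier.

```python
# Added example (not the page's own code). Field names, ANNEX_III keys and the
# record layout are assumptions; the output drafts the written record, it is not legal advice.
from __future__ import annotations
from dataclasses import dataclass, field, asdict
from datetime import date
import json

# The eight Annex III areas, keyed by an assumed short name -> Annex III point number.
ANNEX_III = {
    "biometrics": 1, "critical_infrastructure": 2, "education": 3,
    "employment": 4, "essential_services": 5, "law_enforcement": 6,
    "migration_border": 7, "justice_democracy": 8,
}
# Article 6(3) conditions a provider may rely on; consulted only after the profiling override.
ART_6_3 = {
    "narrow_procedural_task": "Art 6(3)(a): narrow procedural task",
    "improves_prior_human_activity": "Art 6(3)(b): improves the result of a completed human activity",
    "detects_patterns_without_influence": "Art 6(3)(c): detects patterns/deviations without replacing the human assessment",
    "preparatory_task": "Art 6(3)(d): preparatory task to an Annex III assessment",
}

@dataclass
class AISystem:
    name: str
    intended_purpose: str
    prohibited_practice: str | None = None   # Step 1: Article 5 finding, if any
    annex_i_safety_component: bool = False   # Step 2: is / contains a safety component of an Annex I product
    annex_i_third_party_ca: bool = False     # Step 2: that product needs third-party conformity assessment
    annex_iii_area: str | None = None        # Step 3: key from ANNEX_III, or None
    profiles_natural_persons: bool = False   # Step 4: the override
    art_6_3_claims: list[str] = field(default_factory=list)  # Step 4: ART_6_3 keys relied on
    human_in_the_loop: bool = False          # recorded, but deliberately NOT a classification input

@dataclass
class Decision:
    system: str
    tier: str            # prohibited | high_risk | not_high_risk_art_6_3 | outside_annex_i_and_iii
    route: str
    annex_iii_point: int | None
    registration: str
    reasoning: list[str]
    owner: str
    decided_on: str

def classify(s: AISystem, owner: str, decided_on: date | None = None) -> Decision:
    """Apply Steps 1-4 in the page's order and return the Step 5 record."""
    when = (decided_on or date.today()).isoformat()
    why: list[str] = []
    if s.human_in_the_loop:
        why.append("Human in the loop recorded: a required control, not an exemption")
    # Step 1: Article 5 screen. Prohibited is a separate category from high-risk.
    if s.prohibited_practice:
        why.append(f"Prohibited practice identified: {s.prohibited_practice}")
        return Decision(s.name, "prohibited", "Article 5", None, "n/a", why, owner, when)
    # Step 2: Annex I safety-component route (Article 6(1)), regardless of Annex III.
    if s.annex_i_safety_component and s.annex_i_third_party_ca:
        why.append("Safety component of an Annex I product subject to third-party conformity assessment")
        return Decision(s.name, "high_risk", "Annex I / Article 6(1)", None,
                        "per the Annex I sectoral legislation", why, owner, when)
    # Step 3: Annex III mapping.
    if s.annex_iii_area is None:
        why.append("No Annex III area matched; check Article 50 transparency duties separately")
        return Decision(s.name, "outside_annex_i_and_iii", "none", None, "n/a", why, owner, when)
    if s.annex_iii_area not in ANNEX_III:
        raise ValueError(f"unknown Annex III area key: {s.annex_iii_area}")
    point = ANNEX_III[s.annex_iii_area]
    # Point 2 (critical infrastructure) registers at national level, not in the EU database (Art 49(5)).
    where = "national level (Art 49(5))" if point == 2 else "EU database (Art 49(1))"
    unknown = [c for c in s.art_6_3_claims if c not in ART_6_3]
    if unknown:
        raise ValueError(f"unknown Article 6(3) condition(s): {unknown}")
    # Step 4: profiling override first; only then the Article 6(3) conditions.
    if s.profiles_natural_persons:
        why.append("Profiles natural persons: always high-risk, the Article 6(3) filter does not apply")
        return Decision(s.name, "high_risk", f"Annex III point {point}", point, where, why, owner, when)
    if s.art_6_3_claims:
        why.extend(ART_6_3[c] for c in s.art_6_3_claims)
        why.append("Relies on Article 6(3): document the assessment before placing on the market (Art 6(4))")
        return Decision(s.name, "not_high_risk_art_6_3", f"Annex III point {point} + Article 6(3)", point,
                        "EU database as a non-high-risk Annex III system (Art 49(2))", why, owner, when)
    why.append("Annex III use case with no Article 6(3) condition claimed")
    return Decision(s.name, "high_risk", f"Annex III point {point}", point, where, why, owner, when)

def decision_record(d: Decision) -> str:
    """Serialise the one-page decision record as JSON so it can live in a register."""
    return json.dumps(asdict(d), indent=2)

if __name__ == "__main__":
    # Constructed sample systems: the two borderline employment tools discussed in Step 4.
    cv_ranker = AISystem("cv-ranker", "match-score ranking of applicants for recruiters",
                         annex_iii_area="employment", profiles_natural_persons=True,
                         art_6_3_claims=["narrow_procedural_task"], human_in_the_loop=True)
    dedup = AISystem("application-dedup", "formats and de-duplicates incoming applications",
                     annex_iii_area="employment", art_6_3_claims=["narrow_procedural_task"])
    for system in (cv_ranker, dedup):
        print(decision_record(classify(system, owner="ai-governance@example.invalid", decided_on=date(2026, 1, 15))))
```

Run as a script it prints two records: the CV ranker comes out high-risk at Annex III point 4 even though a human makes the hire and a "narrow procedural task" was claimed, because the profiling override is evaluated first; the de-duplication tool comes out as not high-risk under Article 6(3) with the Article 49(2) registration duty attached. Unknown area or condition keys raise rather than silently defaulting, which is the behaviour you want in a register that a regulator may read.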
What high-risk classification actually triggers
Classifying a system as high-risk is not the destination; it is the start of an obligation set that applies from 2 August 2026:
- A documented risk management system maintained across the lifecycle.
- Data governance covering training, validation, and test datasets.
- Technical documentation sufficient to demonstrate conformity.
- Logging and traceability of system operation.
- Human oversight designed into the system, not bolted on.
- Appropriate accuracy, robustness, and cybersecurity.
- Conformity assessment, the EU declaration of conformity, and CE marking.
- Registration in the EU database before placing on the market (Annex III point 2 critical-infrastructure systems register at national level instead).
- Post-market monitoring and serious-incident reporting.
This is also where pairing the Act with ISO/IEC 42001, the AI management-system standard, pays off: it gives you the governance scaffolding to operate these obligations as a system rather than a one-time project. We typically build the classification register and the ISO/IEC 42001 management system together, so the evidence chain is continuous.
Common classification mistakes we see
- Treating "human in the loop" as an exemption. It is a required control, not a downgrade.
- Stopping at Annex III without applying Article 6(3) — over-classifying wastes budget; under-classifying creates liability.
- Forgetting the profiling override, which voids the Article 6(3) filter entirely.
- Ignoring the Annex I route because the team only looked at the AI-specific list.
- Leaving the decision undocumented, which is indefensible the moment a regulator asks.
Where to start
If you operate AI anywhere near employment, finance, critical infrastructure, education, or regulated products, run the classification now — not in Q3 2026. The conformity work that follows a high-risk finding takes months. Our AI and data platform engineering practice helps European enterprises classify systems, build the conformity evidence, and stand up the governance that keeps it current. If you want a second pair of senior eyes on a borderline system, that is exactly the kind of question we like.
FAQ
What makes an AI system high-risk under the EU AI Act? An AI system is high-risk if it is a safety component of a product covered by EU harmonisation legislation (Annex I, e.g. medical devices, machinery), or if it falls into one of the use cases listed in Annex III, such as employment, credit scoring, critical infrastructure, education, or law enforcement. Both routes trigger the full set of high-risk obligations: from 2 August 2026 for Annex III systems, and from 2 August 2027 for systems caught only through Annex I.
Does Annex III always mean my system is high-risk? No. There is a filter in Article 6(3). If your system performs a narrow procedural task, improves the result of a prior human activity, detects decision patterns without replacing human judgement, or only does preparatory work, it may not be high-risk. But you must document that assessment, and any system that profiles natural persons is always high-risk.
When do Annex III high-risk obligations start to apply? High-risk obligations for Annex III systems apply from 2 August 2026. This includes conformity assessment, registration in the EU database, technical documentation, post-market monitoring, and human oversight. Plan backwards from that date because conformity work takes months, not weeks.
What are prohibited AI practices and how do they differ from high-risk? Prohibited practices, such as social scoring or untargeted facial-recognition scraping, are banned outright and cannot be made compliant. High-risk systems are permitted but heavily regulated. Confusing the two is dangerous: prohibited-practice fines reach EUR 35M or 7% of global turnover, versus EUR 15M or 3% for high-risk non-compliance.
Can we self-assess conformity for an Annex III high-risk system? For Annex III points 2 to 8, providers run an internal-control conformity assessment (Annex VI). For biometric systems under Annex III point 1, a notified body (Annex VII) is required unless the provider fully applies the relevant harmonised standards or common specifications; where those do not exist or are only partly applied, the notified-body route is mandatory. Confirm the route early rather than assuming self-assessment, because it depends on the specific use case and on which standards are available at the time.
Does keeping a human in the loop downgrade a high-risk classification? No. A human approving the AI's output does not remove the high-risk status. The Act explicitly covers systems that assist or inform decisions in Annex III domains. Human oversight is a required control for high-risk systems, not an exemption from classification.