EU AI Act High-Risk AI Systems: The Complete Annex III Guide for 2026

The EU AI Act does not regulate all AI systems equally. Its most demanding obligations — risk management systems, technical documentation, human oversight requirements, conformity assessment, and EU database registration — apply specifically to AI systems classified as high-risk under Annex III of the regulation. If your AI system falls within any of the eight Annex III categories, you face a full compliance program before December 2, 2027. If it does not, your obligations are significantly lighter.

Getting the classification right is therefore the most important compliance decision your organization will make. Under-classify and you miss obligations that carry fines up to EUR 15 million. Over-classify and you spend significant resources on requirements that do not apply. This guide covers every Annex III category precisely, the legal test for classification, the Article 6(3) exception, and what classification means for your compliance timeline.

How high-risk classification works under Article 6

Article 6 of the EU AI Act establishes two independent routes to high-risk classification. The first, under Article 6(1), applies to AI systems that are safety components of products covered by EU harmonization legislation listed in Annex I — medical devices, machinery, automotive systems, and similar regulated product categories. These systems are high-risk if the underlying product requires third-party conformity assessment.

The second route, under Article 6(2), is the one most organizations need to focus on. It applies to AI systems listed in Annex III regardless of the product category they operate in. An AI system falls under Article 6(2) if its intended purpose places it within any of the eight Annex III categories. Classification is based on intended purpose and use context, not on the technical architecture of the system. A large language model is not inherently high-risk. The same model used to automate hiring decisions is.

The eight Annex III categories — precise definitions from the regulation

1. Biometrics

Annex III covers three types of biometric AI systems. First, remote biometric identification systems — systems that identify natural persons at a distance using biometric data such as facial features, gait, or voice without their active participation. Biometric verification systems that confirm a specific person is who they claim to be are explicitly excluded from this category. Second, biometric categorization systems that infer sensitive or protected attributes from biometric data — including race, political opinion, trade union membership, religious belief, sex life, or sexual orientation. Third, emotion recognition systems used in contexts other than documented medical or safety applications — noting that emotion recognition in the workplace and educational settings is also a prohibited practice under Article 5(1)(f).

Organizations building or deploying facial recognition, voice analysis, gait analysis, or any system that draws inferences from physical characteristics should treat biometric classification as a primary classification concern.

2. Critical infrastructure

AI systems used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating, or electricity are high-risk under Annex III. The key concept here is safety component — the AI must perform a function that is relevant to the safety of the infrastructure, not merely support operational efficiency. An AI system managing load balancing across a power grid is in scope. An AI system used for HR scheduling at a utility company is not.

3. Education and vocational training

Four categories of educational AI are high-risk. Systems that determine access to, or admission to, educational or vocational training institutions at any level. Systems that evaluate the learning outcomes of persons where the results are used to steer their learning process. Systems that assess the appropriate level of education for an individual. Systems that monitor and detect prohibited behavior during tests or examinations.

AI systems used in university admissions, professional certification, standardized testing, learning management platforms that make consequential decisions, and adaptive learning systems that classify students into educational pathways all fall within this category. The key threshold is consequential impact — AI used purely as a teaching aid without influencing access or assessment decisions is likely outside scope.

4. Employment, workers management, and access to self-employment

This is among the most commercially significant Annex III categories. Three types of employment AI are high-risk. Systems for recruitment or selection — including placing targeted job advertisements, filtering job applications, evaluating candidates in interviews, and assigning scores used in hiring decisions. Systems that make decisions on promotion, termination, or task allocation based on individual behavior or characteristics. Systems that monitor and evaluate performance and behavior of workers in employment relationships.

If your organization uses AI to screen CVs, rank candidates, score video interviews, assign work tasks, evaluate productivity, or inform performance reviews, you are almost certainly operating within Annex III category 4. This applies whether the system is used internally or built for other employers as a provider.

5. Access to essential private and public services and benefits

Four sub-categories apply here. AI systems used by public authorities to evaluate eligibility for essential public services, benefits, or assistance including healthcare services. AI systems that evaluate the creditworthiness of persons or establish their credit score — with a specific exclusion for AI used solely for the purpose of detecting financial fraud. AI systems used for risk assessment and pricing in life insurance and health insurance. AI systems that evaluate and classify emergency calls from natural persons, and systems that dispatch emergency first response services.

Credit scoring, loan decisioning, insurance underwriting AI, and emergency dispatch AI are all explicitly named. Financial organizations using AI to assess loan eligibility, insurance providers using AI for pricing or underwriting, and public sector organizations using AI for benefits determination face full Annex III compliance obligations.

6. Law enforcement

Law enforcement AI is high-risk where used by or on behalf of competent authorities as permitted under Union or national law. Five sub-categories are covered: systems assessing the risk of a natural person becoming a victim of criminal offences; systems used as polygraphs or similar tools; systems evaluating the reliability of evidence in criminal investigations or prosecutions; systems assessing the risk of reoffending or risk of a natural person committing an offence based on profiling; and systems for profiling of natural persons in the course of detection, investigation, or prosecution of criminal offences.

7. Migration, asylum, and border control management

AI systems used by or on behalf of competent authorities for migration, asylum, and border control are high-risk across four sub-categories: polygraph-equivalent tools; systems assessing security, irregular migration, or health risks of persons seeking entry to the EU; systems assisting examination of asylum, visa, or residence permit applications; and systems for detecting, recognizing, or identifying persons in migration context — with travel document verification systems excluded.

8. Administration of justice and democratic processes

Two categories apply here. AI systems intended to assist judicial authorities in researching and interpreting facts and the law or in applying it to a concrete set of facts. AI systems intended to influence the outcome of elections or referenda or the voting behavior of natural persons, or used to influence political opinions — with an exclusion for tools used to organize political campaigns from an administrative or logistical point of view.

The Article 6(3) exception

An AI system that falls within an Annex III category is not automatically high-risk if it meets any of four conditions under Article 6(3). The system performs only a narrow procedural task. The system is intended to improve the result of a previously completed human activity. The system is intended to detect decision-making patterns or deviations from prior decision-making patterns without replacing or influencing the prior human assessment. The system is intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III.

There is an important exception to these exceptions: any AI system that profiles natural persons is always considered high-risk, regardless of whether it would otherwise meet the Article 6(3) criteria. Profiling means any form of automated processing of personal data to evaluate, analyze, or predict aspects of a natural person including performance at work, economic situation, health, personal preferences, interests, behavior, location, or movements.

Organizations relying on the Article 6(3) exception must document their assessment before placing the system on the market, and are subject to the EU database registration obligation under Article 49(2).

What Annex III classification triggers

If your system is high-risk under Annex III, the following obligations apply with a compliance deadline of December 2, 2027 for most categories.

For providers: A documented risk management system under Article 9 that operates throughout the system lifecycle. Data governance practices for training, validation, and testing datasets under Article 10. Technical documentation meeting all eight elements in Annex IV under Article 11. Automatic logging capability built into the system under Article 12. Instructions for use with all required elements for deployers under Article 13. Technical capability for human oversight including override, halt, and output interpretation under Article 14. Declared accuracy metrics and cybersecurity measures under Article 15. A quality management system under Article 17. Conformity assessment under Article 43 — Annex VI internal control for most Annex III systems. EU Declaration of Conformity under Article 47. CE marking under Article 48. EU database registration under Article 49. Post-market monitoring plan under Article 72. Serious incident reporting procedures under Article 73.

For deployers: Use the system only in accordance with the provider instructions. Assign human oversight to persons with adequate competence and authority under Article 26(2). Retain automatically generated logs for a minimum of six months under Article 26(6). Inform employees before deploying a system that affects them under Article 26(7). Inform affected individuals that they are subject to a high-risk AI system under Article 26(8). Conduct a Fundamental Rights Impact Assessment under Article 27 if you are a public body or private entity providing services of general public interest including banking, insurance, healthcare, and utilities.

The practical classification question

Most organizations face the same practical challenge: their AI system does something that is adjacent to an Annex III category but not clearly within it. A customer service chatbot that occasionally discusses loan products. A performance analytics tool used by HR teams. A recommendation engine used in an educational context.

The classification test is the intended purpose and the context of use — not the technical capability. If the system is intended to support or inform a decision in an Annex III context, classification as high-risk is likely. If it is a general-purpose tool used incidentally in an Annex III sector without making sector-specific decisions, the argument for non-classification is stronger — but must be documented under Article 6(3) and registered.

The safest approach is a documented classification assessment for every AI system your organization builds or deploys, regardless of initial judgment. The assessment creates a defensible record and satisfies the Article 6(3) registration requirement if you determine a system is not high-risk.

---

Based on Regulation (EU) 2024/1689, Official Journal version 13 June 2024. This article does not constitute legal advice. For formal compliance assessments, consult qualified legal counsel.