What are high-risk AI systems under the EU AI Act?
- High-risk systems are defined by Annex III use cases or by Annex I product-safety rules.
- They are permitted but carry the Act's heaviest obligations, including conformity assessment.
- A narrow exception exists for genuinely low-impact procedural tasks, but it must be documented.
- Correct classification is the foundation of EU AI Act compliance.
- Current as of June 2026. This is general information, not legal advice.
The two routes to high-risk
A system can be high risk in one of two ways:
- Annex III use cases: Stand-alone AI systems used in specific listed areas. These include biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services (including creditworthiness assessment), law enforcement, migration and border control, and the administration of justice.
- Annex I product safety: AI systems that are a safety component of a product, or are themselves the product, where that product is already covered by EU product-safety legislation (such as medical devices, machinery, or vehicles) that requires third-party conformity assessment.
If your system falls into either route, it is high risk and the full obligations apply.
What classification triggers
Once a system is classified as high risk, the provider must put in place:
- A risk management system across the lifecycle.
- Data and data governance measures, including for training, validation, and testing data.
- Technical documentation demonstrating compliance.
- Automatic record-keeping (logging).
- Transparency and clear information for deployers.
- Human oversight measures.
- Appropriate accuracy, robustness, and cybersecurity.
- A conformity assessment before the system is placed on the market, and registration in the EU database.
Deployers of high-risk systems have their own duties, including using the system according to instructions, ensuring human oversight, and monitoring its operation.
A narrow exception
There is a limited exception: a system listed in an Annex III area may fall outside the high-risk tier if it does not pose a significant risk of harm to health, safety, or fundamental rights, for example because it performs a narrow procedural task. Providers relying on this exception must document their assessment, and the exception does not apply where the system profiles individuals.
Why classification matters most
Because the obligations are extensive and tied directly to classification, getting the tier right is the highest-leverage step. Over-classifying wastes effort; under-classifying creates legal exposure. The reliable method is to assess each system against the Annex III categories and the Annex I product rules, document the reasoning, and revisit it when the system or its use changes.
Key terms
- Annex III: The list of stand-alone high-risk use cases under the Act.
- Annex I: EU product-safety legislation that, when it applies, can pull an AI safety component into the high-risk tier.
- Conformity assessment: The procedure to demonstrate that a high-risk AI system meets the Act's requirements before going to market.
- Classification: The process of deciding which risk tier a system sits in, based on its use and context.
- High-risk obligations: The full set of duties on providers and deployers of high-risk AI systems.