What are high-risk AI systems?
Art. 6(2) of Regulation (EU) 2024/1689 defines: An AI system is high-risk if it is used in one of the areas listed in Annex III and poses a significant risk to the health, safety or fundamental rights of natural persons.
High-risk AI systems are subject to the most comprehensive obligations under the EU AI Act – including Technical Documentation, risk management system, data governance, human oversight and FRIA.
The 8 categories under Annex III
1. Biometrics
AI systems for real-time and post remote biometric identification, biometric categorisation and emotion recognition in the workplace or educational institutions.
Examples: Facial recognition in public spaces, biometric access controls, emotion recognition during examinations.
2. Critical infrastructure
AI systems used as safety components in the management and operation of critical digital infrastructure, road traffic, water, gas, heating and electricity supply.
Examples: AI-controlled traffic management systems, energy grid optimisation, autonomous vehicle components.
3. Education and vocational training
AI systems for determining access to educational institutions, evaluating learning outcomes, determining the level of education, and monitoring examinations.
Examples: Automated application screening for universities, AI grading systems, proctoring software.
4. Employment, workforce management and access to self-employment
AI systems for recruitment, promotion, dismissal, task allocation, performance monitoring and evaluation in the employment context.
Examples: CV screening tools, AI-powered video interview analysis, performance management systems, promotion recommendations.
Note: This category is particularly relevant for HR departments. The AGG (General Equal Treatment Act) and the EU anti-discrimination directives apply in parallel.
5. Access to and enjoyment of essential private and public services
Divided into several subcategories:
- 5(a) – Creditworthiness assessment of natural persons (except detection of financial fraud)
- 5(b) – Risk assessment and pricing in life and health insurance
Examples: Credit scoring, insurance pricing. Particularly relevant for the financial sector.
6. Law enforcement
AI systems for crime risk assessment, polygraphs and similar tools, assessment of the reliability of evidence, profiling of persons.
Examples: Predictive policing, automated evidence analysis, recidivism risk assessment.
7. Migration, asylum and border control
AI systems for risk assessment in relation to migration, processing of asylum applications, border control and visa processing.
Examples: Automated examination of visa applications, risk assessment of travellers, document verification.
8. Administration of justice and democratic processes
AI systems to assist in the interpretation of facts and the law, in the application of the law and in influencing elections.
Examples: Judicial decision support systems, automated legal analysis, election influence through microtargeting.
Obligations for high-risk AI systems
Comprehensive obligations apply to every high-risk AI system:
| Obligation | Article | Responsible |
|---|---|---|
| Risk management system | Art. 9 | Provider |
| Data governance | Art. 10 | Provider |
| Technical documentation | Art. 11 + Annex IV | Provider |
| Record-keeping | Art. 12 | Provider |
| Transparency and information | Art. 13 | Provider |
| Human oversight | Art. 14 | Provider + Deployer |
| Accuracy, robustness, cybersecurity | Art. 15 | Provider |
| FRIA | Art. 27 | Deployer |
| Conformity assessment | Art. 43 | Provider |
| EU database registration | Art. 49 | Provider + Deployer |
Is your system high-risk?
Use our free risk check to determine in 2 minutes whether your AI system falls under Annex III. If classified as high-risk, you can directly generate the required compliance drafts.