Skip to main content

06 · High-Risk AI Classification

Sources
note

Annex III high-risk Chapter III, Sections 1–3 obligations: 2 December 2027 under PE-CONS 30/26, pending OJ publication. Annex I high-risk Chapter III, Sections 1–3 obligations: 2 August 2028 under PE-CONS 30/26, pending OJ publication.

Two tracks into high-risk classification (Article 6)

Track 1 — Annex I (regulated products)

AI systems that are a safety component of a product covered by existing EU product safety laws in Annex I (e.g. machinery, toys, medical devices, aviation, motor vehicles, rail, lifts) and that product requires third-party conformity assessment under those Annex I laws.

→ Under PE-CONS 30/26, Article 6(1) / Annex I high-risk systems move to 2 August 2028.

Track 2 — Annex III (use cases)

AI systems listed in specific use-case areas in Annex III. Currently 8 areas:

AreaExamples
Biometrics (non-banned)Remote biometric ID, biometric categorisation, emotion recognition (not banned)
Critical infrastructureAI managing road traffic, water/gas/electricity/heating, digital infrastructure
Education & vocational trainingAdmission decisions, exam scoring, student behaviour monitoring
Employment & HRCV screening, interview analysis, promotion/termination, performance monitoring
Essential public & private servicesBenefits eligibility, credit scoring, emergency call dispatch, insurance risk pricing
Law enforcementVictim risk assessment, evidence reliability evaluation, offending risk (non-solo profiling)
Migration & border controlVisa/asylum examination, border crossing irregular migration risk
Justice & democratic processesCourt ruling assistance, election/voting influence tools

→ Under PE-CONS 30/26, Article 6(2) / Annex III high-risk systems move to 2 December 2027.

Exceptions — Annex III systems that are not high-risk

An AI system listed in Annex III is not classified high-risk if it:

  • Performs a narrow procedural task
  • Improves the result of a previously completed human activity
  • Detects decision-making patterns without replacing human judgment
  • Performs a preparatory task to an assessment (i.e. not the assessment itself)
warning

Exception does not apply if the system profiles individuals — automated processing of personal data to assess work performance, economic situation, health, preferences, reliability, behaviour, location, or movement. Profiling always makes the system high-risk.

Providers whose system falls under Annex III but believe it's not high-risk must document that assessment before market placement.

Obligations on high-risk AI providers

Once classified high-risk, providers must:

ObligationArticle
Risk management system (documented, lifecycle-long)Art. 9
Data governance (relevant, representative, error-free datasets)Art. 10
Technical documentation (Annex IV format)Art. 11
Automatic event logging / record-keepingArt. 12
Instructions for use (for deployers)Art. 13
Human oversight designArt. 14
Accuracy, robustness, cybersecurityArt. 15
Quality management systemArt. 17

Obligations on high-risk AI deployers

  • Implement human oversight as instructed by providers
  • Monitor system performance in production
  • Report serious incidents and malfunctions to providers and national authorities
  • Conduct fundamental rights impact assessments (for certain deployers — public bodies, banks, insurers)

Conformity assessment

See 07 · Conformity Assessment for the full process.

  • For Annex I (product safety) systems: third-party notified body assessment
  • For most Annex III systems: self-assessment (internal conformity assessment) is sufficient
  • Exception: biometric identification systems (public-space RBI, remote biometric ID) require third-party assessment

After assessment: affix CE marking and issue EU declaration of conformity.

Post-market: register in the EU database (for Annex III systems used by or against individuals). Public authorities deploying high-risk AI must register before deployment.

Draft classification guidelines (May 2026)

The Commission opened consultation in May 2026 on draft guidelines clarifying the classification rules — specifically the Article 6 exceptions. These guidelines were due by 2 Feb 2026 (Art. 6(5)) but published in draft form for consultation in May 2026. URL: https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems

Key articles and annexes

TopicReference
Classification rulesArt. 6
Annex I (regulated product laws)Annex I
Annex III (use cases)Annex III
Risk managementArt. 9
Data governanceArt. 10
Technical documentationArt. 11 + Annex IV
Record-keepingArt. 12
Transparency to deployersArt. 13
Human oversightArt. 14
Accuracy/robustness/cybersecurityArt. 15
Quality managementArt. 17
Conformity assessmentArts. 43–49
EU databaseArt. 71
Fundamental rights impact assessmentArt. 27