08 · Annex III High-Risk Use Cases
- Regulation (EU) 2024/1689, Annex III (verbatim from the OJ PDF, pp. 127–129) — referred to in Article 6(2)
- Apply from: 2 December 2027 for Article 6(2) / Annex III high-risk Chapter III, Sections 1–3 obligations under PE-CONS 30/26, pending OJ publication. The base Act date was 2 August 2026.
- See also: 06 · High-Risk Classification for classification logic and the Article 6(3) exceptions; 09 · Annex I Products for the other high-risk track.
Annex III is the use-case track into high-risk classification (Article 6(2)). Under PE-CONS 30/26, Chapter III, Sections 1–3 obligations for this track apply from 2 December 2027, pending OJ publication. A listed system escapes high-risk only via an Art. 6(3) exception and if it does not profile individuals.
Annex III is the use-case track into high-risk classification (Article 6(2)). An AI system is high-risk if it falls under one of the 8 areas below — unless it qualifies for an Article 6(3) exception (narrow procedural task, improves a completed human activity, detects patterns without replacing judgment, or preparatory task) and does not profile individuals. The Commission may amend this list by delegated act.
The 8 areas are listed verbatim from the regulation, including the precise sub-points (a)–(e) that the high-level summaries in 06 · High-Risk Classification compress into single examples.
1. Biometrics
In so far as their use is permitted under relevant Union or national law:
- (a) Remote biometric identification systems.
- Excludes biometric verification whose sole purpose is to confirm a person is who they claim to be.
- (b) Biometric categorisation according to sensitive or protected attributes/characteristics, based on inference of those attributes.
- (c) Emotion recognition systems.
2. Critical infrastructure
AI systems intended to be used as safety components in the management and operation of:
- critical digital infrastructure,
- road traffic, or
- the supply of water, gas, heating or electricity.
3. Education and vocational training
- (a) Determining access/admission or assigning people to institutions at all levels.
- (b) Evaluating learning outcomes, including when used to steer the learning process.
- (c) Assessing the appropriate level of education a person will receive or can access.
- (d) Monitoring and detecting prohibited behaviour of students during tests.
4. Employment, workers' management and access to self-employment
- (a) Recruitment or selection — targeted job ads, filtering applications, evaluating candidates.
- (b) Decisions affecting terms of work — promotion/termination, task allocation based on behaviour or traits, and monitoring/evaluating performance and behaviour.
5. Access to and enjoyment of essential private and public services and benefits
- (a) Used by/for public authorities to evaluate eligibility for essential public assistance benefits and services (incl. healthcare), and to grant/reduce/revoke/reclaim them.
- (b) Evaluating creditworthiness or establishing a credit score — except AI used to detect financial fraud.
- (c) Risk assessment and pricing for life and health insurance.
- (d) Evaluating and classifying emergency calls, or dispatching/prioritising emergency first response (police, firefighters, medical aid) and patient triage.
6. Law enforcement
In so far as their use is permitted under relevant Union or national law:
- (a) Assessing the risk of a person becoming a victim of crime.
- (b) Polygraphs or similar tools.
- (c) Evaluating the reliability of evidence during investigation/prosecution.
- (d) Assessing the risk of offending or re-offending (not solely based on profiling per Art. 3(4) of Directive (EU) 2016/680), or assessing personality traits/characteristics or past criminal behaviour.
- (e) Profiling of natural persons (per Art. 3(4) of Directive (EU) 2016/680) in the course of detection, investigation or prosecution.
7. Migration, asylum and border control management
In so far as their use is permitted under relevant Union or national law:
- (a) Polygraphs or similar tools.
- (b) Assessing a risk (security, irregular migration, or health) posed by a person intending to enter or who has entered a Member State.
- (c) Assisting authorities in examining applications for asylum, visa or residence permits, and associated complaints, including reliability-of-evidence assessments.
- (d) Detecting, recognising or identifying persons in the migration/asylum/border context — except verification of travel documents.
8. Administration of justice and democratic processes
- (a) Assisting a judicial authority in researching/interpreting facts and law and applying law to facts (or similar use in alternative dispute resolution).
- (b) Influencing the outcome of an election or referendum or voting behaviour — excludes tools not directly exposed to natural persons (e.g. admin/logistical campaign organisation).
Cross-references
| Topic | Reference |
|---|---|
| Classification rules & Art. 6(3) exceptions | Art. 6 · 06 · High-Risk Classification |
| Provider obligations (risk mgmt, data, docs, oversight) | Arts. 9–17 |
| Conformity assessment (mostly self-assessment; biometrics → notified body) | Arts. 43–49 · 07 · Conformity Assessment |
| EU database registration | Art. 71 |
| Fundamental rights impact assessment | Art. 27 |
| Annex I product-safety track | 09 · Annex I Products |