Which AI systems are high-risk?

Annex III of the EU AI Act lists the categories of AI systems that are classified as high-risk. Understanding whether your AI systems fall within these categories is the essential first step of compliance — the obligations only apply to systems that qualify as high-risk, and the categories are more specific than the general language suggests.

The eight categories are: biometric systems (including emotion recognition and biometric categorisation); AI used in critical infrastructure management (energy grids, water, transport); AI in education (determining access, evaluating students); AI in employment and workers management (recruitment, promotion, performance evaluation, termination, task allocation and monitoring); AI in access to and enjoyment of essential private services and public services (creditworthiness assessment, risk assessment for insurance, social benefit eligibility); AI in law enforcement (risk assessment, polygraph, profiling); AI in migration and asylum; and AI in administration of justice and democratic processes.

The coverage is broader than most organisations initially appreciate. An HR platform that uses AI to rank job candidates is high-risk AI in employment. A credit decisioning system that uses ML is high-risk AI in access to essential services. A learning management system that uses AI to assess student performance is high-risk AI in education. The question for compliance teams is not whether you use AI — it is which of the AI systems you already use fall within these categories.

The six obligations and what they require in practice

Risk management system: a documented process for identifying, analysing, and mitigating risks associated with the AI system throughout its lifecycle. Not a one-time assessment but an ongoing system with defined roles, responsibilities, and update procedures.

Data and data governance: documentation of training, validation, and test datasets, including data collection processes, data quality criteria, and measures taken to address bias. This obligation reaches back to the training data used in systems that are already deployed.

Technical documentation: a technical file demonstrating compliance with Annex III requirements. For a self-assessed system, this is the primary evidence of compliance and must be comprehensive enough to satisfy a regulatory examination.

Logging and record-keeping: automatic logging of system operation to the extent technically feasible, enabling post-hoc review of system functioning. The log must capture sufficient information to identify the inputs, processing, and outputs for significant decisions.

Transparency and information provision: deployers of high-risk AI must ensure that operators and users are informed they are interacting with or subject to a high-risk AI system. The information must be clear, accessible, and provided before the interaction.

Human oversight: deployers must implement human oversight measures appropriate to the risk and context. Nominal human oversight — where a human notionally reviews decisions but lacks the information or capacity to meaningfully assess them — does not satisfy this obligation.