The short answer
Under the EU AI Act, "high-risk AI" is a specific legal classification that triggers mandatory compliance requirements. It applies to AI systems listed in Annex III of the Regulation, covering eight areas where AI decisions or recommendations can significantly affect people's safety, health, fundamental rights, or access to essential services.
Crucially, "high-risk" does not mean the AI is necessarily dangerous or should not be used. It means the AI system must meet a defined set of mandatory requirements before it can be placed on the EU market or put into service.
The eight high-risk categories (Annex III)
1. Biometric Identification: AI systems used for remote biometric identification, emotion recognition, and biometric categorisation in publicly accessible spaces. Real-time remote biometric identification in public spaces is prohibited with narrow law enforcement exceptions.
2. Critical Infrastructure: AI systems used as safety components in the management of road traffic, water, gas, electricity, heating, and critical digital infrastructure. The key test is whether the AI is used as a safety component whose failure could cause significant consequences.
3. Education and Vocational Training: AI systems that determine access to educational institutions, evaluate students, detect prohibited behaviour, or assess educational outcomes. Administrative AI (scheduling, facility management) is not in scope.
4. Employment and Workers Management: AI systems used for recruitment, selection, promotion, termination, task allocation, performance monitoring, and evaluation. This is one of the most broadly applicable categories; most HR technology incorporating AI scoring will be in scope.
5. Access to Essential Services: AI used in credit scoring, insurance risk assessment, emergency services dispatch, and social benefit eligibility. This has significant implications for financial services organisations.
6. Law Enforcement: AI systems used for crime prediction and prevention, evidence assessment, risk profiling, and polygraph-like detection. Primarily affects public sector law enforcement and their technology suppliers.
7. Migration, Asylum, and Border Control: AI used in risk assessment, document authentication, asylum application analysis, and predicting flight risk. Primarily affects government organisations.
8. Administration of Justice and Democratic Processes: AI that assists judicial authorities in researching and interpreting facts and applying law to specific facts. Targets judicial authorities, not private legal practice.
What obligations apply to high-risk AI systems?
Providers of high-risk AI systems must ensure compliance with these mandatory requirements before placing systems on the EU market:
Risk management system: A continuous, iterative process identifying and managing risks throughout the AI system's lifecycle. Must be documented, updated regularly, and include testing under real-world conditions.
Data and data governance: Training, validation, and testing datasets must meet quality criteria for relevance, representativeness, and freedom from errors and bias. Data governance practices must be documented.
Technical documentation: Comprehensive documentation demonstrating compliance, maintained from design through market placement. Required before conformity assessment.
Record-keeping and logging: Automatic logging of events enabling post-market monitoring, incident investigation, and audit.
Transparency to deployers: Providers must give deployers sufficient information to implement the system correctly, including intended purpose, performance metrics, and limitations.
Human oversight: Technical and organisational measures enabling deployers to monitor, understand, correct, and if necessary stop the AI system.
Accuracy, robustness, and cybersecurity: Defined levels of accuracy, resilience to errors, and protection against adversarial attacks.
Conformity assessment: For most Annex III categories, providers conduct self-assessment. For biometric identification systems, third-party assessment by a notified body is required.
Provider vs. deployer obligations
The EU AI Act distinguishes between providers (those who develop and sell AI systems) and deployers (those who use them). Both have direct legal obligations.
Provider obligations include: conducting conformity assessment, preparing technical documentation, registering in the EU AI database, affixing CE marking, and reporting serious incidents to market surveillance authorities.
Deployer obligations include: implementing human oversight measures, conducting fundamental rights impact assessments (certain deployers), monitoring AI system operation, informing employees of AI use, and suspending use where a serious risk is detected.
The August 2026 deadline
For most Annex III high-risk AI systems, the EU AI Act's compliance obligations apply from August 2026. For organisations currently using high-risk AI without a compliance program (no risk management system, no technical documentation, no conformity assessment), time is short.
Penalties reach €15 million or 3% of global annual turnover for non-compliance with high-risk requirements.