Quick answer

Annex III of the EU AI Act lists eight areas in which AI systems are classified as high-risk: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and border control, and justice and democratic processes. Providers and deployers of these systems must meet the full set of high-risk obligations from August 2, 2026.

Updated June 2026 · MmowW AI Compliance

EU AI Act Annex III: The Eight High-Risk AI Categories Explained

What Annex III Is and Why It Matters

The EU AI Act (Regulation (EU) 2024/1689) takes a risk-based approach to regulating artificial intelligence, and Annex III is the operational heart of that approach. While Article 6 sets out the legal mechanism for classifying an AI system as high-risk, Annex III contains the actual list of use cases that trigger the classification. If your AI system falls under one of the eight areas in Annex III, you are presumptively operating a high-risk AI system and the full compliance machinery of Chapter III applies: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness and cybersecurity.

Annex III matters because it is use-case driven, not technology driven. The same machine learning model can be outside the regulation entirely in one deployment and high-risk in another. A language model that drafts marketing copy is largely untouched; the same model embedded in a tool that screens job applications falls squarely under Annex III point 4. Understanding the eight categories is therefore the first practical step in any EU AI Act compliance programme.

How Annex III Fits Into the Risk Architecture

Article 6 creates two separate routes into the high-risk category. Under Article 6(1), an AI system is high-risk when it is a safety component of a product, or is itself a product, covered by the Union harmonisation legislation listed in Annex I (such as machinery, medical devices, toys or aviation) and that product requires third-party conformity assessment. Under Article 6(2), an AI system is high-risk when it falls within one of the use cases listed in Annex III.

The two routes also have different timelines. Annex III high-risk systems must comply from August 2, 2026. High-risk systems under Article 6(1), embedded in Annex I regulated products, have until August 2, 2027. Article 6(3) provides a narrow derogation: an Annex III system is not high-risk if it does not pose a significant risk of harm to health, safety or fundamental rights, including by not materially influencing the outcome of decision making. That filter is subject to strict conditions and a documentation duty, and it never applies where the system performs profiling of natural persons.

The Eight Categories at a Glance

Categories 1 to 4: People-Facing Identification and Opportunity

Point 1 covers biometrics where permitted under Union or national law: remote biometric identification systems (excluding simple identity verification that confirms a person is who they claim to be), biometric categorisation according to sensitive or protected attributes, and emotion recognition systems. These sit directly above the outright prohibitions in Article 5, so a careful boundary analysis between banned and high-risk uses is essential.

Point 2 addresses safety components in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating and electricity. The trigger is the safety function: an AI system whose failure could endanger life or physical integrity in these networks.

Point 3 covers education and vocational training: systems that determine access or admission, evaluate learning outcomes, assess the appropriate level of education a person receives, or monitor and detect prohibited behaviour during tests. Point 4 covers the employment lifecycle: recruitment and selection tools, targeted job advertising, application filtering and candidate evaluation, plus systems that make or support decisions on promotion, termination, task allocation based on behaviour or personal traits, and performance monitoring.

Categories 5 to 8: Essential Services and Public Power

Point 5 concerns access to essential private and public services: AI used by public authorities to evaluate eligibility for benefits and assistance, creditworthiness evaluation and credit scoring (with an exception for financial fraud detection), risk assessment and pricing in life and health insurance, and the classification and dispatch of emergency calls, including triage of patients in emergency healthcare.

Points 6 through 8 deal with state power over individuals. Law enforcement uses include victim risk assessment, polygraph-type tools, evidence reliability evaluation, offending risk assessment and profiling during investigations. Migration and border control uses include polygraph-type tools, security and health risk assessments, examination of asylum, visa and residence applications, and identification of persons in the migration context. The justice and democratic processes category covers AI assisting judicial authorities in researching and interpreting facts and law, AI used in alternative dispute resolution where outcomes produce legal effects, and systems intended to influence the outcome of an election or referendum or voting behaviour, with an exception for purely logistical campaign tools.

Who Must Comply

Obligations attach to roles across the value chain. Providers — those who develop a system or have it developed and place it on the market under their own name — carry the heaviest load: the Chapter III Section 2 requirements, conformity assessment, CE marking, registration in the EU database under Article 49 and post-market monitoring. Deployers — organisations using a high-risk system under their authority — must use the system according to instructions, assign human oversight, monitor operation, keep logs and, for public bodies and certain private operators, complete a fundamental rights impact assessment under Article 27. Importers and distributors have verification duties, and under Article 25 a deployer or distributor that substantially modifies a high-risk system, or rebrands it, can become a provider.

The regulation applies extraterritorially. A provider in Tokyo or a deployer in New York is covered when the system is placed on the EU market or its output is used in the Union.

Practical Steps and a Concrete Example

Start with an inventory. Map every AI system you build, buy or embed against the eight Annex III points and the Article 5 prohibitions. For each match, decide the role you hold (provider, deployer, importer, distributor), check whether the Article 6(3) derogation is realistically available and document that assessment, then gap-assess against Articles 9 to 15.

Example: a European bank uses a machine learning model to score consumer loan applications. That is Annex III point 5(b) — creditworthiness evaluation. The bank is a deployer if it licensed the model, and a provider if it built the model in-house and uses it under its own name. Either way, by August 2, 2026 the system needs documented risk management, representative and bias-tested data governance, human oversight that can actually override the score, logging, and registration where the bank acts as provider.

Annex III Can Change: Article 7

The list is not frozen. Article 7 empowers the European Commission to adopt delegated acts adding or modifying use cases within the eight areas where systems pose an equivalent or greater risk, and Article 7(3) allows removal of use cases that no longer pose significant risks. Compliance teams should treat Annex III as a living document and re-run their classification inventory whenever a delegated act is adopted.

Action Plan Before August 2, 2026

  1. Complete an organisation-wide AI inventory mapped to Annex III and Article 5
  2. Assign provider or deployer roles for each in-scope system and confirm contractual responsibilities
  3. Document any Article 6(3) derogation assessments before placing systems on the market
  4. Close gaps against Articles 9 to 15 and prepare technical documentation under Annex IV
  5. Plan conformity assessment and EU database registration for provider-role systems
  6. Stand up post-market monitoring and serious incident reporting processes

Organisations that treat the Annex III analysis as a one-off legal memo tend to misclassify systems. Treat it as a recurring governance control, owned jointly by legal, engineering and product teams, and revisited at every significant system change.

Common Misconceptions About Annex III

Three misunderstandings appear constantly in practice. First, that Annex III regulates technologies: it does not — it regulates intended purposes, so the provider's stated intended purpose in the instructions for use is legally decisive, and a deployer who uses a system outside that purpose takes on provider-level exposure. Second, that general-purpose AI escapes the list: a general-purpose model integrated into an Annex III use case makes the resulting system high-risk, and the integrator becomes the responsible provider of that system. Third, that high-risk means discouraged: classification is not a penalty but a quality regime. The European market will continue to run on credit scoring, recruitment tools and infrastructure AI — the regulation determines how they must be built and operated, not whether they may exist. Organisations that internalise this early can turn documented conformity into a procurement advantage while competitors are still debating classification memos.

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.