Quick answer

Annex III lists eight areas where AI use is automatically considered high-risk: biometric identification, critical infrastructure, education, employment, essential services, law enforcement, immigration, and justice administration.

Updated June 2026 · MmowW AI Compliance

Annex III: The Complete List of High-Risk AI Use Cases

The Eight High-Risk Areas

Annex III is essentially a checklist. If your AI system is used in any of these areas, it's high-risk and subject to the full range of requirements. The eight areas are: biometric identification and categorization of people; management and operation of critical infrastructure; education and vocational training; employment, workers management, and access to self-employment; access to and enjoyment of essential private and public services and benefits; law enforcement; migration, asylum, and border control management; and administration of justice and democratic processes.

Each area has specific use cases listed within it. Not every AI use related to these topics is high-risk — only the specific applications mentioned.

Areas Most Relevant to Small Businesses

For most small businesses, the employment and essential services categories are the most relevant. Under employment, high-risk uses include AI for job advertising targeting, application screening, interview evaluation, performance monitoring, and decisions about promotions or terminations. Under essential services, high-risk uses include AI for credit scoring, insurance risk assessment, and prioritization of emergency services.

If you use AI to help screen job applications, evaluate employee performance, or assess customers' creditworthiness, you're likely in high-risk territory.

Areas Less Likely to Affect Small Businesses

Categories like law enforcement, immigration, and justice administration mainly affect government agencies. Biometric identification applies primarily to companies that develop or deploy facial recognition or similar systems. Critical infrastructure management applies to utilities, transportation operators, and similar entities. Most small businesses won't operate in these areas.

However, it's worth checking the full list to make sure. Some categories are broader than they initially appear — for example, the education category covers AI used in student admissions, assessment, and monitoring, which could affect private training providers.

What If You're on the List

If your AI use falls into Annex III, you need to implement a risk management system, ensure data quality, create technical documentation, enable logging, provide transparency information, implement human oversight, and ensure appropriate accuracy and cybersecurity. These requirements are substantial but manageable for small businesses, especially with guidance from your AI vendor and relevant codes of practice.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.