Quick answer

Annex III point 6 of the EU AI Act classifies law enforcement AI as high-risk where it assesses crime or victimisation risk, works like a polygraph, evaluates evidence reliability, or profiles people during investigations. Predictive policing based solely on profiling is prohibited outright under Article 5(1)(d), and the remaining systems face strict obligations from August 2, 2026.

Updated June 2026 · MmowW AI Compliance

EU AI Act: High-Risk AI in Law Enforcement (Annex III Point 6)

Overview: Police AI Under the Strictest Permitted Tier

The EU AI Act treats law enforcement as one of the most sensitive domains for artificial intelligence. The reasoning in the recitals is explicit: AI used by police and prosecution authorities operates in a context of significant power imbalance, where errors or bias can lead to arrest, deprivation of liberty and other serious interferences with fundamental rights, and where affected persons often cannot see or contest how the system works. Annex III point 6 therefore places a broad set of law enforcement AI uses in the high-risk category, while Article 5 bans the most dangerous practices entirely. Understanding which side of that line a system falls on is the core compliance question.

What Annex III Point 6 Covers

Point 6 lists five use cases, each conditioned on use by or on behalf of law enforcement authorities, or by Union institutions supporting them, insofar as use is permitted under applicable Union or national law:

Profiling here takes its meaning from EU data protection law: automated processing of personal data to evaluate personal aspects of a natural person, such as behaviour, location or movements.

The Boundary With Prohibited Practices

Article 5(1)(d) prohibits AI systems that make risk assessments of natural persons in order to assess or predict the risk of committing a criminal offence, based solely on profiling or on assessing personality traits and characteristics. The prohibition does not apply to AI supporting a human assessment already based on objective and verifiable facts directly linked to a criminal activity. This is why point 6(d) is drafted with the phrase "not solely on the basis of profiling": recidivism tools that combine profiling with objective case facts and human assessment are high-risk rather than banned, while pure profile-driven prediction of future offending has been illegal since February 2, 2025.

Two adjacent boundaries also matter. Real-time remote biometric identification in publicly accessible spaces for law enforcement is prohibited except in three narrowly defined situations under Article 5(1)(h). And untargeted scraping of facial images to build recognition databases, a technique associated with some investigative tools, is banned under Article 5(1)(e).

Who Must Comply

Providers include both commercial vendors of investigative analytics, forensic AI and risk assessment software, and public bodies that develop systems in-house and put them into service under their own name. Deployers are the police forces, prosecution services, customs and financial investigation units using the systems. Non-EU vendors selling into European police markets are fully in scope and need an EU authorised representative.

Deployers in this category face reinforced duties. Article 27 requires a fundamental rights impact assessment before first use, since law enforcement bodies are public authorities. Article 26 requires human oversight by competent, trained staff, and decisions with legal effects cannot be based solely on the output of certain systems. Article 49(4) provides that registration of law enforcement high-risk systems occurs in a secure, non-public section of the EU database — recognition of operational confidentiality — but registration is still mandatory. Under Article 74(8), the market surveillance authority for law enforcement AI is, in principle, the data protection authority or another authority meeting independence conditions.

Practical Compliance Steps

  1. Inventory all analytic and decision-support tools across investigation, custody, prosecution support and victim protection workflows
  2. Screen each tool first against Article 5: pure profile-based crime prediction, emotion inference in interrogations beyond the permitted scope, and scraping-based face databases must be retired, not documented
  3. Classify remaining tools against points 6(a) to 6(e) and document the analysis
  4. Demand Annex IV technical documentation, bias testing evidence and instructions for use from vendors
  5. Complete fundamental rights impact assessments and design real human review: officers must understand outputs, their limits and the documented error rates
  6. Set up logging and retention so that individual decisions can be reconstructed in court — defence challenges to AI-supported evidence are foreseeable

Concrete Examples

Example one: a national police force uses software that scores domestic violence cases for the risk that the victim suffers repeat violence, to prioritise protective measures. That is point 6(a) — high-risk, permitted with full compliance.

Example two: an investigative unit pilots a tool claiming to detect deception from voice stress in interviews. As a polygraph-like system it is point 6(b) high-risk; if it works by inferring emotions from biometric data it must also be checked against the emotion recognition rules, and its evidential value will face scrutiny under national procedural law.

Example three: a vendor offers area-based crime forecasting that maps likely burglary hotspots without targeting individuals. Place-based forecasting is not the individual risk assessment caught by Article 5(1)(d), and whether it falls under point 6 depends on whether it profiles natural persons; the classification memo should address both questions explicitly.

Action Before August 2, 2026

High-risk obligations apply from August 2, 2026, but two earlier dates already bind this sector: the Article 5 prohibitions since February 2, 2025, and the duty of AI literacy for staff under Article 4 since the same date. Law enforcement bodies should sequence work now — prohibition screening first, then classification, then procurement clauses requiring conformity-assessed systems, then impact assessments and training. There is also a legacy rule worth noting: under Article 111, high-risk systems already placed on the market before August 2, 2026 are caught when significantly modified, and public-sector deployers must in any event bring legacy high-risk systems into compliance within the longer transition period set for them. Agencies that wait for the deadline will find that procurement, testing and training cycles in policing take longer than the time remaining.

How the High-Risk Requirements Translate Into Policing Practice

The abstract requirements of Articles 9 to 15 take on a distinct character in law enforcement. Risk management under Article 9 must address not only technical failure but wrongful suspicion: what happens operationally when a risk score is wrong, and how quickly can an erroneous flag be corrected across connected systems. Data governance under Article 10 confronts the known problem that historical policing data reflects historical enforcement patterns; training a recidivism or profiling tool on such data without documented bias examination is precisely what the article prohibits. The regulation contains a specific legal basis allowing processing of special categories of personal data strictly for bias detection and correction, with safeguards — a provision providers in this field should use rather than avoid.

Human oversight under Article 14 requires more than a sign-off box. The recitals warn against automation bias, and in policing the pressure to accept a machine recommendation under time constraints is acute. Effective designs include displaying confidence bands and known error rates alongside outputs, requiring recorded reasons when officers accept high-stakes recommendations, and auditing override patterns. Accuracy and robustness under Article 15 must be evidenced on data resembling operational reality, including poor-quality inputs typical of field conditions.

Finally, courtroom durability is the hidden requirement. Logs kept under Article 12 and deployer records under Article 26 will be discoverable in criminal proceedings. A force that cannot reconstruct why a system flagged a suspect risks exclusion of evidence and civil liability. Treating AI Act documentation as future litigation evidence, not regulatory paperwork, is the most reliable mindset for this sector.

Budget and capability planning complete the picture. Most police forces do not employ machine learning evaluation specialists, yet the deployer duties assume the ability to read accuracy claims critically, monitor drift and recognise serious incidents. Member States have begun building shared competence centres so that smaller forces can draw on central expertise rather than each hiring their own. Forces planning procurement in 2026 and beyond should ask vendors for evidence packages aligned to harmonised standards as these become available, require contractual access to the information needed for fundamental rights impact assessments, and reserve testing rights on local data before acceptance. The agencies that handle this transition well will be those that treat the AI Act not as an external constraint but as the quality assurance framework that policing technology has historically lacked.

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.