AI Act

AI Act High-Risk Classification: Annex III Categories

Check whether your AI system is high-risk under the EU AI Act: the 8 Annex III categories and the Article 6 test. Free corpus search.

Export PDF (Pro)
At a glance
Who this applies to
Any organization providing or deploying an AI system in the EU market that may fall under Annex III high-risk categories.
Deadline
2 August 2026 as written. The Digital Omnibus provisional agreement of 7 May 2026 moves Annex III high-risk obligations to 2 December 2027, pending formal adoption. Article 50 transparency applies from 2 August 2026 (unchanged).
What you must have
  • Determine if system falls under Article 6(1) or Annex III categories
  • Document classification rationale
  • If high-risk: full conformity assessment (Article 43)
  • If not high-risk: assess transparency obligations (Article 50)
18
days until Annex III high-risk obligations: 2 December 2027 under the Digital Omnibus deal of 7 May 2026, pending Official Journal. Article 50 transparency: 2 August 2026.
2026-08-02
Not sure if your AI system is high-risk? Take the 5-minute diagnostic
Preparing for 2 August 2026? Read the EU AI Act August 2026 deadline requirements checklist — who is affected, what must be in place, and the Article 50 obligations.
Intelligence briefing

Who this applies to

This obligation applies to providers (including developers) and deployers of high-risk AI systems as defined under Article 6(1), as well as importers and distributors per Article 2(2). Relevant sectors include AI systems used in critical infrastructure, education, employment, essential private/public services, law enforcement, migration, and justice (Annex III).


What is required

  • Risk management system: Establish, implement, and document a continuous risk management process per Article 9(1).
  • Data governance: Ensure training, validation, and testing datasets meet quality criteria (relevance, representativeness, bias mitigation) under Article 10(1-5).
  • Technical documentation: Compile and maintain documentation demonstrating compliance with Article 11(1), including design, development, and performance metrics.
  • Record-keeping: Maintain logs automatically generated by the high-risk AI system per Article 12(1), covering at minimum the period defined in Article 12(2).
  • Transparency obligations: Provide clear, accessible information to users per Article 13(1-3), including system capabilities/limitations and human oversight requirements.
  • Human oversight: Design systems to enable effective human monitoring per Article 14(1-4), including technical measures for intervention.
  • Accuracy, robustness, and cybersecurity: Ensure resilience against attacks and malfunctions per Article 15(1-3), including adversarial testing where applicable.
  • Conformity assessment: Undergo third-party assessment (for most high-risk systems) or self-assessment (limited exceptions) per Article 43(1-3).

Key deadlines

Under Article 113 as written, the primary deadline for this obligation is August 2, 2026. The Digital Omnibus provisional agreement of 7 May 2026 moves Annex III high-risk obligations to 2 December 2027, pending formal adoption; until Official Journal publication, the original date remains law.


Enforcement patterns

AI Act Article 50 transparency obligations take effect 2 August 2026. Annex III high-risk obligations are expected 2 December 2027, pending formal adoption of the Digital Omnibus (political agreement of 7 May 2026). No AI Act enforcement precedent currently exists. This page will be updated as enforcement cases emerge.


(Cross-border considerations section intentionally omitted due to lack of jurisdiction-specific implementation data in the provided context.)


Annex III high-risk categories

Annex III lists the use cases that make a standalone AI system high-risk. There are eight areas:

  • Biometrics, including remote biometric identification and emotion recognition.
  • Critical infrastructure, such as the safety components of road traffic, water, gas, heating, and electricity.
  • Education and vocational training, including admission, scoring, and proctoring.
  • Employment and worker management, including recruitment, screening, and promotion decisions.
  • Access to essential private and public services, including credit scoring and eligibility for benefits.
  • Law enforcement uses such as individual risk assessments and evidence reliability.
  • Migration, asylum, and border control management.
  • Administration of justice and democratic processes.

The Article 6 classification test

Article 6 sets the test. A system is high-risk if it falls under Annex III, unless it does not pose a significant risk of harm to health, safety, or fundamental rights and meets one of the Article 6(3) exemptions. A system that profiles natural persons is always high-risk. The provider documents any exemption claim before placing the system on the market.

What to do before the deadline

  • Map each AI system you provide or deploy against the eight Annex III areas above.
  • Run the Article 6(3) test for any borderline system and write down the reasoning.
  • For confirmed high-risk systems, start the conformity assessment under Article 43 and the risk management system under Article 9.
  • Register high-risk systems in the EU database under Article 49 before placing them on the market.
Related Fontvera pages: [conformity assessment](/intelligence/ai-act-conformity-assessment), [risk management under Article 9](/intelligence/ai-act-risk-management-system-article-9), and [provider vs deployer obligations](/intelligence/ai-act-provider-vs-deployer-obligations).

Annex III high-risk obligations are proposed to apply from 2 December 2027 under the Digital Omnibus provisional deal of 7 May 2026, pending publication in the Official Journal. Article 50 transparency obligations still apply from 2 August 2026.

Fontvera also analyses closely related obligations, including [AI Act Annex VI conformity assessment](/intelligence/ai-act-conformity-assessment-annex-vi), [AI Act penalties FAQ](/intelligence/ai-act-faq-penalties), and [AI Act transparency FAQ](/intelligence/ai-act-faq-transparency).

Related: [Article 50 chatbot transparency](/intelligence/ai-act-transparency-chatbots) · [the Article 6 classification rule](/intelligence/ai-act-article-6) · [high-risk system examples](/intelligence/ai-act-high-risk-systems-examples) · [the fundamental rights impact assessment](/intelligence/ai-act-fundamental-rights-impact-assessment) · [the 2 August 2026 AI Act deadline](/intelligence/eu-ai-act-august-2026-deadline-requirements)

Cross-reference intelligence

No AI Act article citations in corpus yet. AI Act entered into force August 2024. Article 50 transparency obligations take effect 2 August 2026; Annex III high-risk obligations are expected 2 December 2027 (pending Digital Omnibus formal adoption). This section will populate as citations accumulate.

Analogous GDPR articles

GDPR article citations that relate to this AI Act topic and may inform enforcement patterns.

ArticleCitationsTop CountriesMost Co-Cited
GDPR Art. 6 2417 ES (623), IT (422), BE (181) GDPR Art. 5(1)(a), GDPR Art. 13, GDPR Art. 5
GDPR Art. 7 336 IT (96), ES (40), AT (39) GDPR Art. 13, GDPR Art. 6, GDPR Art. 12
Regulatory framework
Cross-regulatory overlap
ESMA: DORA — Digital Operational Resilience Act for the Financial Sector
EU · esma · 2026-03-23 · esma-dora-digital-resilience
ESMA: DORA — Digital Operational Resilience Act for the Financial Sector ESMA: DORA — Digital Operational Resilience Act for the Financial Sector Cate
ENISA: Multilayer Framework for Good Cybersecurity Practices for AI
EU · enisa · 2026-03-24 · enisa-multilayer-framework-for-good-cybersecurity-practices-for-ai
ENISA: Multilayer Framework for Good Cybersecurity Practices for AI ENISA: Multilayer Framework for Good Cybersecurity Practices for AI
EDPB Opinion 28/2024 on certain data protection aspects related to the processing of personal data i
EU · edpb · 2026-03-18 · Opinion 28/2024
EDPB Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models EDPB Opinion 28/2024 on
ENISA: AI and Cybersecurity — Securing Artificial Intelligence Systems
EU · enisa · 2026-03-23 · enisa-ai-cybersecurity
ENISA: AI and Cybersecurity — Securing Artificial Intelligence Systems ENISA: AI and Cybersecurity — Securing Artificial Intelligence Systems Category
ENISA: AI an opportunity for the EU cyber crisis blueprint - Report
EU · enisa · 2026-03-24 · enisa-ai-an-opportunity-for-the-blueprin-report
ENISA: AI an opportunity for the EU cyber crisis blueprint - Report ENISA: AI an opportunity for the EU cyber crisis blueprint - Report
ENISA: Cybersecurity of AI and Standardisation
EU · enisa · 2026-03-24 · enisa-cybersecurity-of-ai-and-standardisation
ENISA: Cybersecurity of AI and Standardisation ENISA: Cybersecurity of AI and Standardisation
Sources (13)

Get the complete AI Act compliance checklist as a PDF

Mapped to enforcement precedents and cross-referenced against 1.2 million regulatory citations. Free.

Download the PDF ↓

Instant download. No email required.

Get unlimited briefings on Fontvera Pro — or browse all intelligence briefings