Who this applies to
This obligation applies to providers (including developers) and deployers of high-risk AI systems as defined under Article 6(1), as well as importers and distributors per Article 2(2). Relevant sectors include AI systems used in critical infrastructure, education, employment, essential private/public services, law enforcement, migration, and justice (Annex III).What is required
- Risk management system: Establish, implement, and document a continuous risk management process per Article 9(1).
- Data governance: Ensure training, validation, and testing datasets meet quality criteria (relevance, representativeness, bias mitigation) under Article 10(1-5).
- Technical documentation: Compile and maintain documentation demonstrating compliance with Article 11(1), including design, development, and performance metrics.
- Record-keeping: Maintain logs automatically generated by the high-risk AI system per Article 12(1), covering at minimum the period defined in Article 12(2).
- Transparency obligations: Provide clear, accessible information to users per Article 13(1-3), including system capabilities/limitations and human oversight requirements.
- Human oversight: Design systems to enable effective human monitoring per Article 14(1-4), including technical measures for intervention.
- Accuracy, robustness, and cybersecurity: Ensure resilience against attacks and malfunctions per Article 15(1-3), including adversarial testing where applicable.
- Conformity assessment: Undergo third-party assessment (for most high-risk systems) or self-assessment (limited exceptions) per Article 43(1-3).
Key deadlines
Under Article 113 as written, the primary deadline for this obligation is August 2, 2026. The Digital Omnibus provisional agreement of 7 May 2026 moves Annex III high-risk obligations to 2 December 2027, pending formal adoption; until Official Journal publication, the original date remains law.Enforcement patterns
AI Act Article 50 transparency obligations take effect 2 August 2026. Annex III high-risk obligations are expected 2 December 2027, pending formal adoption of the Digital Omnibus (political agreement of 7 May 2026). No AI Act enforcement precedent currently exists. This page will be updated as enforcement cases emerge.(Cross-border considerations section intentionally omitted due to lack of jurisdiction-specific implementation data in the provided context.)
Annex III high-risk categories
Annex III lists the use cases that make a standalone AI system high-risk. There are eight areas:- Biometrics, including remote biometric identification and emotion recognition.
- Critical infrastructure, such as the safety components of road traffic, water, gas, heating, and electricity.
- Education and vocational training, including admission, scoring, and proctoring.
- Employment and worker management, including recruitment, screening, and promotion decisions.
- Access to essential private and public services, including credit scoring and eligibility for benefits.
- Law enforcement uses such as individual risk assessments and evidence reliability.
- Migration, asylum, and border control management.
- Administration of justice and democratic processes.
The Article 6 classification test
Article 6 sets the test. A system is high-risk if it falls under Annex III, unless it does not pose a significant risk of harm to health, safety, or fundamental rights and meets one of the Article 6(3) exemptions. A system that profiles natural persons is always high-risk. The provider documents any exemption claim before placing the system on the market.What to do before the deadline
- Map each AI system you provide or deploy against the eight Annex III areas above.
- Run the Article 6(3) test for any borderline system and write down the reasoning.
- For confirmed high-risk systems, start the conformity assessment under Article 43 and the risk management system under Article 9.
- Register high-risk systems in the EU database under Article 49 before placing them on the market.
Annex III high-risk obligations are proposed to apply from 2 December 2027 under the Digital Omnibus provisional deal of 7 May 2026, pending publication in the Official Journal. Article 50 transparency obligations still apply from 2 August 2026.
Fontvera also analyses closely related obligations, including [AI Act Annex VI conformity assessment](/intelligence/ai-act-conformity-assessment-annex-vi), [AI Act penalties FAQ](/intelligence/ai-act-faq-penalties), and [AI Act transparency FAQ](/intelligence/ai-act-faq-transparency).
Related: [Article 50 chatbot transparency](/intelligence/ai-act-transparency-chatbots) · [the Article 6 classification rule](/intelligence/ai-act-article-6) · [high-risk system examples](/intelligence/ai-act-high-risk-systems-examples) · [the fundamental rights impact assessment](/intelligence/ai-act-fundamental-rights-impact-assessment) · [the 2 August 2026 AI Act deadline](/intelligence/eu-ai-act-august-2026-deadline-requirements)