High-Risk AI Systems Under the EU AI Act: Complete Examples List

Intelligence Briefing

# Intelligence Briefing: High-Risk AI Systems Under the EU AI Act – Complete Examples List

1. What the Regulation Requires and Who It Applies To

The EU AI Act (Regulation (EU) 2024/1689) classifies AI systems into risk categories, with high-risk systems subject to stringent obligations under Articles 8–15. These requirements apply to providers, deployers, importers, and distributors of AI systems within the EU, as well as those placed on the EU market or used in the EU, regardless of where the provider is based.

Key Obligations for High-Risk AI Systems (Articles 8–15)

Risk Management System (Article 9): Continuous assessment of risks throughout the AI system’s lifecycle.
Data Governance (Article 10): High-quality training, validation, and testing datasets, ensuring relevance, representativeness, and absence of biases.
Technical Documentation (Article 11): Comprehensive records demonstrating compliance, including design, development, and testing phases.
Transparency & User Information (Article 13): Clear instructions, disclosures, and human oversight mechanisms.
Accuracy, Robustness, and Cybersecurity (Article 15): Measures to ensure resilience against vulnerabilities and attacks.

Who Must Comply?

Providers (developers of AI systems) must ensure compliance before market placement.
Deployers (users of AI systems) must follow operational requirements, including human oversight.
Importers & Distributors must verify compliance before making systems available.

Risk Classification: High-risk AI systems fall under Annex III of the AI Act, covering:

Biometric identification and categorization (e.g., remote biometric identification in law enforcement).
Critical infrastructure management (e.g., AI in energy, transport).
Education and vocational training (e.g., AI for student assessment).
Employment, worker management, and access to self-employment (e.g., AI in hiring, performance evaluation).
Access to essential private and public services (e.g., credit scoring, social benefits allocation).
Law enforcement (e.g., predictive policing, crime forecasting).
Migration, asylum, and border control management (e.g., AI in visa processing).
Administration of justice and democratic processes (e.g., AI in judicial decision-support).

Prohibited AI Practices (Article 5, effective February 2025):

Social scoring systems.
Exploitative AI (e.g., manipulative techniques).
Real-time remote biometric identification in public spaces (with limited exceptions).

2. Enforcement Precedents

As of the compliance deadline (August 2025 for high-risk systems), no EU AI Act enforcement cases have been recorded in the provided sources. However, GDPR enforcement actions offer indirect precedents for AI-related penalties, particularly in biometric data processing:

Netherlands (AP – Boete vingerafdrukken personeel, 2019): A €900,000 fine for unlawful fingerprint-based employee attendance systems, citing GDPR violations (biometric data as special category data).
Belgium (APD/GBA – 114/2024): A €45,000 fine for unlawful processing of biometric data in a workplace context, upheld under GDPR.
Lithuania (VDAI – ETid-732, 2023): A €20,000 fine for improper biometric data handling in a fitness company.

While these cases predate the AI Act, they signal strict enforcement trends for AI systems processing biometric or sensitive data. The UK’s ICO fine against Clearview AI (€9M, 2022)—though outside the EU—demonstrates global regulatory scrutiny of biometric AI systems.

Expected EU AI Act Enforcement Timeline:

February 2025: Prohibited AI practices take effect.
August 2025: High-risk AI compliance deadlines begin.
2026–2027: National authorities (e.g., national DPAs, AI boards) will likely issue first penalties, with fines up to €35M or 7% of global turnover (whichever is higher).

3. Practical Compliance Steps for High-Risk AI Systems

Providers and deployers should implement the following measures to ensure compliance:

Conduct a Risk Assessment (Article 9):

- Map AI system risks across the lifecycle (training, deployment, monitoring). - Document mitigation strategies for biases, inaccuracies, and cyber threats.

Ensure Data Governance (Article 10):

- Use high-quality, representative datasets free from discriminatory biases. - Maintain records of data sources, preprocessing, and labeling.

Develop Technical Documentation (Article 11):

- Prepare EU AI Act conformity assessments, including design choices, testing results, and risk management logs. - Align with harmonized standards (e.g., ISO/IEC 42001 for AI management systems).

Implement Transparency & Human Oversight (Article 13):

- Provide clear user instructions on AI system limitations. - Ensure human-in-the-loop decision-making where required (e.g., employment screening).

**Strengthen Cybersecurity & Robustness (Article

Cross-Reference Intelligence

Article	Citations	Top Countries	Most Co-Cited
Article 6	2417	ES (623), IT (422), BE (181)	GDPR Art. 5(1)(a), GDPR Art. 13, GDPR Art. 5
Article 7	336	IT (96), ES (40), AT (39)	GDPR Art. 13, GDPR Art. 6, GDPR Art. 12

Regulatory Framework

AI Act: Implementation timeline — key dates for compliance

EU · ai_office · 2026-03-24 · aio-implementation-timeline

AI Act: Implementation timeline — key dates for compliance Category: Implementation Type: guidance Source: https://digital-strategy.ec.europa.eu/en/po

AI Act: Prohibited AI practices (Article 5) — effective from February 2025

EU · ai_office · 2026-03-24 · aio-prohibited-practices

AI Act: Prohibited AI practices (Article 5) — effective from February 2025 Category: Prohibited Practices Type: guidance Source: https://digital-strat

AI Act: Requirements for high-risk AI systems (Articles 8-15)

EU · ai_office · 2026-03-24 · aio-high-risk-requirements

AI Act: Requirements for high-risk AI systems (Articles 8-15) Category: High-Risk Requirements Type: guidance Source: https://digital-strategy.ec.euro

AI Act: Risk Classification — How to determine if your AI system is high-risk

EU · ai_office · 2026-03-24 · aio-risk-classification

AI Act: Risk Classification — How to determine if your AI system is high-risk Category: Risk Classification Type: guidance Source: https://digital-str

EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence

EU · ai_office · 2026-03-24 · aio-ai-act-overview

EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence Category: AI Act Type: legislation Source: https://eur-lex.europa.eu/eli/reg/2024/168

Enforcement & Case Law

ETid-1190: Clearview Al Inc. — UNITED KINGDOM (€9,000,000)

GB cms_enforcement 2026-04-09

ETid-274: Unknown Organisation — THE NETHERLANDS (€725,000)

NL cms_enforcement 2026-04-09

ETid-732: UAB VS FITNESS — LITHUANIA (€20,000)

LT cms_enforcement 2026-04-09

AP (The Netherlands) - Boete vingerafdrukken personeel

NL gdprhub 2026-04-09

APD/GBA (Belgium) - 114/2024

BE gdprhub 2026-04-09

AEPD (Spain) - EXP202313347

ES gdprhub 2026-04-09

AEPD (Spain) - PS/00052/2021

ES gdprhub 2026-04-09

Garante per la protezione dei dati personali (Italy) - 9995680

IT gdprhub 2026-04-09

Cross-Regulatory Overlap

No relevant sources found for this query.

Sources (13)

AI Act: Implementation timeline — key dates for compliance (ai_office, EU)
AI Act: Prohibited AI practices (Article 5) — effective from February 2025 (ai_office, EU)
AI Act: Requirements for high-risk AI systems (Articles 8-15) (ai_office, EU)
AI Act: Risk Classification — How to determine if your AI system is high-risk (ai_office, EU)
EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence (ai_office, EU)
AP (The Netherlands) - Boete vingerafdrukken personeel (gdprhub, NL)
APD/GBA (Belgium) - 114/2024 (gdprhub, BE)
ETid-1190: Clearview Al Inc. — UNITED KINGDOM (€9,000,000) (cms_enforcement, GB)
ETid-732: UAB VS FITNESS — LITHUANIA (€20,000) (cms_enforcement, LT)
AEPD (Spain) - EXP202313347 (gdprhub, ES)
AEPD (Spain) - PS/00052/2021 (gdprhub, ES)
Garante per la protezione dei dati personali (Italy) - 9995680 (gdprhub, IT)
ETid-274: Unknown Organisation — THE NETHERLANDS (€725,000) (cms_enforcement, NL)