What Is High-Risk AI Under the EU AI Act?
Last updated April 2026
Quick Answer
Under the EU AI Act, a high-risk AI system is one that either forms a safety component of a regulated product (Annex I — e.g., medical devices, machinery) or falls within one of eight use-case categories in Annex III (infrastructure, education, employment, essential services, law enforcement, migration, justice) that poses a significant risk to health, safety, or fundamental rights. High-risk obligations — including CE marking, conformity assessment, and Annex IV technical documentation — apply from August 2026.
Two Routes to High-Risk Classification
The EU AI Act creates two distinct high-risk pathways. Annex I captures AI systems that are safety components of products already regulated under EU harmonised legislation — think AI features in medical devices (MDR), in vitro diagnostics (IVDR), machinery, aviation equipment, motor vehicles, and rail systems. If your AI is a safety component of such a product, it is high-risk.
Annex III captures stand-alone AI systems in eight sensitive use-case areas regardless of product category. This is where most enterprise AI deployments land.
Annex III High-Risk Categories
The eight Annex III categories, with examples:
| Use-Case Area | Examples |
|---|---|
| Critical infrastructure | AI managing electricity grids, water systems, traffic networks |
| Education and vocational training | Automated student assessment, admissions scoring, learning analytics identifying at-risk students |
| Employment and worker management | CV screening, promotion decisions, task allocation, performance monitoring |
| Essential private and public services | Credit scoring, life insurance risk assessment, public benefit eligibility |
| Law enforcement | Predictive policing tools (not pure profiling), crime hotspot mapping, evidence evaluation |
| Migration and border management | Asylum application assessment, travel document verification, risk classification at borders |
| Justice and democratic processes | Court decision support tools, AI influencing electoral outcomes |
The “Safe Harbour” Exclusion
Not every AI that falls into an Annex III category is automatically high-risk. The Act includes an important exclusion: if the AI system does not pose a significant risk of harm to health, safety, or fundamental rights of persons — for example because it performs a narrow or preparatory task that does not directly affect material decisions — the provider can document that it is not high-risk. This exclusion must be explicitly justified and kept in the technical file.
What High-Risk AI Providers Must Do
For any system correctly classified as high-risk, providers must complete a full compliance journey before EU market placement: establish a quality management system (Article 17); prepare comprehensive Annex IV technical documentation; implement a risk management process with lifecycle monitoring; comply with Article 10 data governance requirements for training datasets; build in Article 14 human oversight capabilities; register the system in the EU AI Act database; complete conformity assessment (self-assessment for most Annex III, notified body for some Annex I); draw up an EU Declaration of Conformity; and affix the CE marking.
Timeline
High-risk Annex III obligations become enforceable on 2 August 2026. For AI embedded in Annex I regulated products, the date is 2 August 2027. Given that building a conformity-ready documentation package typically takes 9–18 months, organisations should begin now.
Frequently Asked Questions
What makes an AI system "high-risk" under the EU AI Act?
An AI system is high-risk if it either: (a) is a safety component of a product covered by existing EU harmonised legislation listed in Annex I (e.g., medical devices, machinery, vehicles); or (b) falls within one of the eight use-case categories in Annex III, provided it poses a significant risk of harm to health, safety, or fundamental rights.
Are all AI tools used in HR high-risk?
Not automatically. An AI tool used in HR is high-risk under Annex III if it is used for recruitment (including CV filtering), promotion decisions, task allocation or monitoring, or performance evaluation with significant effects on working conditions. General productivity tools (calendar management, document drafting) are not high-risk solely because they are used in an HR context.
Can an AI system fall out of the high-risk category?
Yes. Annex III includes a "safe harbour" exclusion: an AI system that would otherwise fall into a high-risk Annex III category is not high-risk if it does not pose a significant risk of harm — for example, if it is a narrow AI tool for detecting patterns in internal data with no significant effect on individuals. Providers must document their exclusion rationale.
What happens if a high-risk AI system is also subject to another EU regulation?
The AI Act obligations stack on top of existing product safety laws. For example, an AI used in a Class IIb medical device must comply with both the Medical Device Regulation (MDR) and the AI Act. Where conformity assessment under the MDR involves a notified body, the AI Act notified body requirement may apply too.
When do high-risk AI obligations become enforceable?
For Annex III high-risk AI systems: 2 August 2026. For high-risk AI embedded in Annex I regulated products (medical devices, machinery, etc.): 2 August 2027. Organisations should begin compliance work now — realistic timelines from start to CE marking are 9–18 months for complex systems.
What are the key obligations for high-risk AI providers?
Providers must: establish a quality management system; prepare Annex IV technical documentation; implement a risk management system; ensure data governance for training/validation datasets; provide human oversight capabilities; register in the EU AI Act database; conduct conformity assessment; draw up an EU Declaration of Conformity; and affix CE marking.