EU AI Act Compliance for Edtech
Education and vocational training is one of the eight high-risk categories listed in Annex III of the EU AI Act. AI used to determine who gets access to educational institutions, how students are assessed, and how student behaviour is monitored carries the full weight of the Act's compliance requirements. If you build AI for admissions, grading, proctoring, or learning analytics, this applies directly to your product.
Which Annex III Category Applies
Annex III, Category 3 covers AI systems intended to be used for determining access to or assigning persons to educational and vocational training institutions, evaluating learning outcomes, assessing the appropriate level of education for a person and materially influencing the level of education and training that persons will receive or be able to access, and for monitoring and detecting prohibited behaviour of students during tests.
The category captures the full educational pathway: from initial access (admissions AI) through progression (assessment AI) to monitoring (proctoring AI). It does not require that the AI makes a final, unappealable decision — systems that contribute materially to decisions at any of these stages are within scope.
Edtech Products Covered by Category 3
- University and school admissions AI
- Automated essay scoring and grading tools
- AI-powered exam proctoring and integrity systems
- Student dropout and at-risk prediction tools
- Adaptive learning systems that determine content access
- AI-generated assessments used for progression decisions
- Performance analytics that inform academic standing decisions
- Language assessment AI used for certification or placement
Core Obligations for Edtech AI Providers
Identify and document risks throughout the system's lifecycle. For edtech, key risks include: biased assessment across demographic groups; proctoring false positives that unfairly flag students; dropout prediction used in ways that create self-fulfilling outcomes; and misuse by institutional deployers outside the intended scope.
Training data must be examined for representativeness and bias. Grading AI trained on historical grades from a specific educational context may not generalise equitably. Document the student demographics represented in training data and the steps taken to ensure equitable performance across groups.
Full Annex IV documentation is required before EU market placement. For assessment AI, this includes a detailed description of the scoring algorithms, performance metrics disaggregated by relevant student subgroups, and the risk management system documentation.
Teachers, admissions officers, and academic administrators using AI tools must be able to meaningfully review and override AI-generated assessments and recommendations. Systems must be designed to surface the information needed for independent judgment, not just the AI conclusion.
Student-facing conversational AI (tutoring chatbots, writing assistants) must disclose their AI nature to students. Proctoring tools using emotion recognition or biometric monitoring must inform students the system is operating (deployer obligation under Article 50(3)).
Common Compliance Gaps in Edtech
Proctoring AI that processes biometric data without the correct classification
Many AI proctoring tools use facial recognition, eye-tracking, or keystroke dynamics. These involve biometric data and may bring the system within Annex III Category 1 (biometrics) as well as Category 3 (education). The higher of the two sets of obligations applies. Article 50(3) also requires that students be explicitly informed the system is monitoring their biometric data — a notice in the terms of service does not satisfy this obligation.
Training assessments on historically biased grade distributions
Automated grading AI trained on historical grades inherits the grading patterns of human markers, including any systematic biases related to student demographics, writing style norms, or educational background. Article 10 requires examination of training data for these patterns. Many edtech teams test model accuracy on held-out datasets but do not examine whether accuracy is consistent across student demographic groups.
No instructions of use provided to institutional deployers
University IT and admissions teams deploying AI tools often receive a product with no documentation of its limitations, required oversight workflows, or known failure modes. Article 13 requires providers to supply this documentation. Without it, deployer institutions cannot satisfy their own obligations under the Act — and enterprise procurement teams at universities are beginning to require this documentation as a condition of contracts.
Student-facing AI without Article 50 disclosure
Chatbot tutoring tools, AI writing assistants, and conversational learning platforms that interact directly with students are subject to Article 50(1) chatbot disclosure requirements. Many edtech products present AI interfaces without explicitly informing students they are interacting with AI. Where the AI nature is not obvious from context — and in educational settings it often is not — this disclosure is mandatory.
Start your edtech compliance documentation
Nytivo generates the full Annex IV technical documentation pack for your edtech AI system — including the Article 9 risk management file, training data documentation, and performance metrics section — starting at €79/month.
EU AI Act for Edtech — FAQs
Does the EU AI Act apply to AI tutoring tools that don't make grading decisions?
Personalised learning tools that adapt content without making assessments or access decisions are likely outside Annex III Category 3. The category is specifically targeted at AI that determines access to educational institutions, evaluates learner performance, or monitors behaviour in educational settings. A tutoring assistant that recommends resources is unlikely to be high-risk — though Article 50 transparency obligations (chatbot disclosure) may still apply if the tool is conversational.
Our AI proctoring tool detects suspicious behaviour but a human makes the final decision. Are we still high-risk?
Yes. Annex III Category 3 covers AI used to monitor students in educational settings. The fact that a human makes the final decision does not remove the AI system from scope — what matters is whether the AI contributes materially to decisions about students. A proctoring system that flags students for review is within scope. Additionally, if the proctoring system processes facial expressions or eye-tracking data to infer behaviour, it may also engage biometric categorisation obligations under Annex III Category 1.
We provide a platform to universities who use it for admissions. Are we a provider or a deployer?
As the company that develops and supplies the AI-powered admissions platform under your own name or trademark, you are the provider. The university using your platform is the deployer. Provider obligations (Articles 9–15, technical documentation, conformity assessment) fall on you. The university has deployer obligations: using the system according to your instructions of use, ensuring human oversight, and reporting serious incidents.
What counts as a 'significant effect' on a student's educational pathway?
Annex III Category 3 does not require a final, irreversible decision — it covers AI that 'determines access' to education or 'evaluates' learners. An AI system that ranks university applicants, predicts student dropout risk used in retention decisions, or produces assessments used in grading all qualify. The relevant test is whether the AI output materially influences decisions about a student's progression, access, or standing in an educational institution.
How does the EU AI Act interact with FERPA (US) and GDPR for student data?
For EU-based students, GDPR governs data collection and processing rights. The AI Act adds system design and documentation obligations. FERPA applies to US student data and is a separate US federal law. For edtech companies operating across jurisdictions, the practical implication is that Article 10 training data documentation must address the GDPR lawful basis for processing student data used in training, and the AI Act's human oversight requirements must be compatible with GDPR's Article 22 rights. These frameworks can be addressed in integrated compliance documentation.