Annex III: High-Risk AI Categories

Annex III of the EU AI Act lists the 8 categories of AI systems classified as high-risk. If your AI system falls into any of these categories, the full compliance obligations under Articles 9–15 apply — including a risk management system, technical documentation, data governance controls, human oversight mechanisms, and post-market monitoring.

Compliance deadline: High-risk AI systems listed in Annex III must be fully compliant by 2 August 2026. The classification is based on the AI system's intended purpose — not its technical architecture or the model it runs on. Where a system falls within an Annex III category, the burden of demonstrating compliance sits with the provider.

How the Classification Works

Article 6(2) states that AI systems listed in Annex III are classified as high-risk. The classification is based on the intended purpose of the system — the use for which the system is designed by the provider. A general-purpose text classifier is not automatically high-risk; a recruitment screening tool built on that same classifier is.

The regulation explicitly covers systems that “materially influence” decisions in the listed categories, not only systems that make decisions autonomously. A tool that ranks job candidates for human review is within scope even if a human makes the final hiring decision.

Article 6(3) provides a narrow exception: a system within an Annex III category may be re-classified as not high-risk if it performs only a narrow procedural task, cannot materially influence outcomes, and is designed only to detect patterns without replacing human review. This exception requires documented assessment and notification — it is not a self-declaration.

The 8 High-Risk Categories

1. Biometric identification and categorisation (Annex III(1))

Remote biometric identification systems; AI that categorises natural persons based on biometric data to deduce or infer race, political opinion, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation; emotion recognition systems used in the workplace or education.

Examples: Facial recognition in access control, emotion-detection interview tools, voice stress analysis.

2. Critical infrastructure management (Annex III(2))

AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or the supply of water, gas, heating, and electricity — where failures or malfunctions could endanger the life, health, or safety of persons at large.

Examples: Grid load-balancing AI, traffic management systems, water treatment process control.

3. Education and vocational training (Annex III(3))

AI that determines access to or admission to educational institutions; evaluates learning outcomes and determines grading; assesses the appropriate level of education for a person; monitors and detects prohibited behaviour of students during tests.

Examples: Admissions screening tools, automated grading systems, plagiarism or cheating detection during exams.

4. Employment, workers management, and self-employment (Annex III(4))

AI used for recruitment or selection, particularly for advertising vacancies, screening applications, and filtering or evaluating candidates during interviews; and AI used for making or materially influencing decisions on promotion, termination, or task allocation, or for monitoring and evaluating the performance and behaviour of persons in work relationships.

Examples: CV screening tools, automated interview assessors, employee productivity monitoring, workforce allocation AI.

5. Access to essential private and public services (Annex III(5))

AI used by public authorities or private entities to evaluate the creditworthiness of individuals or establish their credit score; used in life and health insurance risk assessment and pricing; used in emergency services for dispatch prioritisation; used to evaluate eligibility for public benefits and assistance or social services.

Examples: Credit scoring algorithms, insurance underwriting models, emergency call triage, benefits eligibility assessment.

6. Law enforcement (Annex III(6))

AI used by law enforcement to assess the risk of an individual becoming the victim or perpetrator of a criminal offence; as polygraphs or similar tools; to evaluate the reliability of evidence; to predict criminal offences or recidivism; to profile individuals in the course of detection, investigation, or prosecution.

Examples: Recidivism risk scoring, predictive policing models, AI-assisted evidence analysis. Rarely applicable to commercial startups.

7. Migration, asylum, and border control management (Annex III(7))

AI used to assess the risk posed by individuals entering EU territory; to assist in the examination of applications for asylum, visa, or residence permit; or, in border surveillance, to detect, recognise, or identify natural persons.

Examples: Asylum application processing tools, border surveillance systems. Generally applicable to government contractors only.

8. Administration of justice and democratic processes (Annex III(8))

AI intended to assist a judicial authority in researching and interpreting facts and the law and in applying the law to a concrete set of facts; AI used to influence the outcome of an election or referendum, or the voting behaviour of natural persons.

Examples: Legal research AI used in court proceedings, electoral targeting tools. Distinguished from general legal research assistants used by lawyers outside judicial proceedings.

What High-Risk Classification Means in Practice

Once your system is classified as high-risk under Annex III, the full set of obligations in Articles 9–15 applies. These must be satisfied before you place the system on the EU market or put it into service. The obligations are not optional or a matter of degree — either the system complies or it cannot legally be deployed in the EU.

  • Establish and document a continuous risk management system (Article 9)
  • Implement data governance controls over training, validation, and test datasets (Article 10)
  • Prepare the full Annex IV technical documentation before market placement (Article 11)
  • Implement automatic logging of system operation throughout deployment (Article 12)
  • Provide instructions for use sufficient for deployers to operate the system safely (Article 13)
  • Design in human oversight mechanisms — override capability, anomaly detection, interpretability (Article 14)
  • Meet documented accuracy and robustness thresholds; implement cybersecurity measures (Article 15)
  • Establish a post-market monitoring system before deployment, not after (Article 72)
  • Register the system in the EU database before placing it on the market

Common Mistakes

Assuming 'human in the loop' removes the high-risk classification

Annex III covers systems that materially influence decisions, not just those that make decisions autonomously. A recruitment tool that ranks candidates for a recruiter to review remains high-risk even though the recruiter makes the final call.

Classifying based on the model rather than the application

The classification depends on the intended purpose of your application, not the foundation model underneath. An application built on a general-purpose LLM does not inherit the model provider's classification; your application layer is assessed independently.

Treating the Article 6(3) exception as a general opt-out

The exception for systems that do not pose a significant risk within an Annex III category requires documented assessment and notification to national authorities. It is not available for systems that materially influence decisions, and claiming it without proper documentation exposes providers to enforcement action.

Planning to build compliance in after the August 2026 deadline

The Annex IV technical documentation is designed to be developed alongside the system. Retrofitting it after deployment is significantly more expensive and often reveals gaps that require engineering changes. Start the documentation process when development starts, not when the deadline approaches.

Classify your AI system and start your documentation

Nytivo walks you through the Annex III classification, generates the full Annex IV technical documentation pack, and keeps it current as the regulation evolves — from Article 9 risk management through to Article 72 post-market monitoring.

Annex III — Frequently Asked Questions

How do I know if my AI system falls under Annex III?

The classification depends on the intended purpose of the system, not its technical architecture. If your system is designed to be used in one of the 8 Annex III contexts — recruitment, credit scoring, education assessment, biometric identification, and so on — it is likely high-risk. The key word is 'intended': even if your system is capable of being used in other ways, if the intended purpose falls within an Annex III category, the full compliance obligations apply. Where there is doubt, providers should document their classification reasoning and seek legal advice.

Can a system be in scope for Annex III even if it only 'assists' a human decision?

Yes. Annex III explicitly covers AI that 'materially influences' decisions in the listed categories, not just AI that makes decisions autonomously. An AI tool that ranks job candidates for a recruiter to review, or that scores creditworthiness for a loan officer's consideration, is within scope even though a human makes the final call. The 'human in the loop' is not an automatic exemption — the system must still meet the Article 9–15 obligations.

Is there any exception for low-risk use cases within an Annex III category?

Article 6(3) provides a limited exception: providers can conclude that a high-risk system does not pose a significant risk if it is intended to perform a narrow procedural task, cannot materially influence decisions, and is designed only to detect patterns without replacing human review. This exception must be documented before market placement and notified to the relevant national competent authority. It is not a self-declaration that avoids scrutiny; providers should treat it as a structured assessment, not a default opt-out.

Does Annex III apply to AI systems built on third-party foundation models?

Yes. The classification is based on the intended purpose of your application layer, not the underlying model. If you build a recruitment screening tool on top of GPT-4 or a similar foundation model, your application is a high-risk AI system under Annex III category 4, and you carry the full provider obligations under Articles 9–15. The foundation model provider's compliance with GPAI obligations (Articles 51–55) does not substitute for your compliance as the application provider.

When do the Annex III obligations become mandatory?

The main compliance deadline for Annex III systems is 2 August 2026. However, providers who deploy high-risk systems before that date must have their post-market monitoring system in place from the moment of deployment, not the compliance deadline. Building compliance documentation in parallel with development is strongly advisable — the Annex IV documentation is designed around the development process, and retrofitting it after deployment is significantly more expensive.
