One of the most important questions any AI product team needs to answer about the EU AI Act is deceptively simple: is our system high-risk? Get it wrong in either direction and you either face serious compliance exposure or spend months over-engineering documentation for a system that didn't need it.
The EU AI Act does not define high-risk by technical capability. It defines it by intended purpose and deployment context. A highly capable LLM used for internal knowledge search is probably not high-risk. A rule-based scoring system used to shortlist job applicants almost certainly is. Here is how the classification actually works.
The Annex III Category List
Annex III of the EU AI Act lists eight categories of AI systems that are presumptively high-risk. Being in one of these categories is a necessary but not always sufficient condition for high-risk classification—Article 6 adds a second test for most categories (explained below).
- Biometric identification and categorisation of natural persons: Remote biometric identification systems (real-time and post-remote), AI used to make inferences about persons' attributes from biometric data. Includes face recognition, gait analysis, voice identification.
- Critical infrastructure: AI systems used as safety components in the management and operation of road traffic, water, gas, electricity supply, or digital infrastructure. The key word is "safety component"—not all AI in critical infrastructure is caught, only those that function as safety controls.
- Education and vocational training: AI systems that determine access to educational institutions, assess students for the purpose of educational progression, monitor and detect prohibited behaviour during tests. HR and aptitude scoring tools used in educational hiring are included.
- Employment, workers management, and access to self-employment: AI used to make or substantially influence recruitment, selection, promotion, task allocation, performance monitoring, evaluation, termination, or credit/social scoring in employment contexts.
- Access to and enjoyment of essential private services and public services and benefits: AI used by public authorities or private service providers to evaluate eligibility for essential services: creditworthiness assessment (with an exception for small-volume lending), risk assessment for health/life insurance pricing, emergency services dispatch, public benefit eligibility.
- Law enforcement: Risk assessment of persons for criminal offences, polygraphs and lie detection tools, crime analytics on personal data, predictive policing, evidence reliability assessment, profiling, emotion recognition in law enforcement contexts.
- Migration, asylum, and border control management: Polygraphs, risk assessment for irregular border crossing, examination of applications for asylum or visas, migration document authenticity checks, border control detection systems.
- Administration of justice and democratic processes: AI assisting judicial authorities in researching and interpreting facts and law, applying the law, influencing electoral outcomes.
The Article 6 Dual Test
For categories 3 through 8 in Annex III, classification as high-risk requires passing a second test under Article 6(2). A system is high-risk only if it both falls within an Annex III category AND poses a significant risk of harm to persons' health, safety, or fundamental rights, taking into account the intended purpose and the extent to which the system's output influences decisions.
Article 6(2) provides a non-exhaustive list of factors that indicate significant risk: the degree to which the AI system is used to make decisions or to substantially influence them; whether persons can practically override the system's output; whether the system interacts with vulnerable populations; and the breadth of persons affected.
Practically, the Article 6(2) test means that a very low-stakes use of a system in an Annex III sector may escape high-risk classification. However, the European Commission has indicated in its guidance that providers should err on the side of caution and that the threshold for "substantial influence" is not high. If a human decision-maker routinely acts on the system's output without significant independent judgement, the system is almost certainly substantially influencing the decision.
Article 6(1): The Safety Component Test
Article 6(1) creates a separate, parallel route to high-risk classification. A system is automatically high-risk if it is a safety component of a product covered by EU harmonisation legislation listed in Annex I of the AI Act, AND that product is required to undergo a third-party conformity assessment under that sectoral legislation.
Annex I products include: machinery, toys, recreational craft, lifts, pressure equipment, radio equipment, medical devices, in vitro diagnostic medical devices, civil aviation, automotive vehicles, agricultural and forestry vehicles, marine equipment, rail interoperability, and others. If your AI is embedded in any of these product types as a safety-critical component, it is high-risk under Article 6(1) regardless of the Article 6(2) analysis.
The Three-Step Classification Decision Tree
Work through these steps in order for each AI system you are assessing.
Step 1 — Check Article 5 (Prohibited): Does the system do anything on the Article 5 prohibited list? If yes, stop—you cannot deploy it in the EU at all. Classification is moot.
Step 2 — Check Article 6(1) (Safety component in regulated product): Is the system a safety component of a product that requires third-party conformity assessment under Annex I legislation (medical devices, machinery, etc.)? If yes: high-risk. Go directly to Chapter III obligations.
Step 3 — Check Annex III + Article 6(2) (High-risk by purpose): Does the system's intended purpose fall within one of the eight Annex III categories? If yes, apply the Article 6(2) substantial risk analysis. If the system substantially influences decisions affecting persons in the relevant area, it is high-risk. If it has only marginal influence (for example, it is one of many inputs into a decision made primarily by human judgement on other grounds), it may escape high-risk classification—but document that reasoning carefully.
Self-Assessment vs Notified Body
Most high-risk AI systems can demonstrate conformity through an internal self-assessment procedure (Article 43(2)). The provider reviews its own technical documentation, testing results, and risk management against the Chapter III requirements and signs a declaration of conformity.
However, two categories require third-party assessment by a notified body:
- Remote biometric identification systems (Annex III, category 1) in all cases.
- Any high-risk system where the conformity assessment procedure under the applicable sectoral Annex I legislation requires a notified body (for example, high-risk medical device AI).
Notified bodies for the EU AI Act are designated by member states and accredited under Article 33. As of mid-2025, only a small number of notified bodies had been formally designated, and capacity was constrained. If your system requires notified body assessment, factor in significant lead time.
Common Misclassifications
These are the AI system types most frequently misclassified in either direction, based on the regulatory guidance and sector-specific guidance published by the EU AI Office.
| System Type | Common Mistake | Likely Classification |
|---|---|---|
| CV/resume screening tools | Assumed not high-risk because "humans make final decision" | Usually high-risk (Annex III cat. 4) |
| Customer service chatbots | Assumed high-risk due to scale of user interaction | Usually not high-risk |
| Content moderation AI | Assumed high-risk due to free speech implications | Usually not high-risk (no Annex III category applies) |
| Fraud detection (banking) | Assumed not high-risk because it blocks fraud not people | Context-dependent: if used in creditworthiness decisions, likely high-risk (cat. 5) |
| Employee performance monitoring | Assumed not high-risk because it's "just analytics" | Usually high-risk if output influences HR decisions (cat. 4) |
| Medical triage chatbots | Assumed not high-risk because clinician reviews output | Often high-risk (safety component / cat. 5 depending on context) |
| Loan origination AI | Assumed only applies to consumer credit | High-risk for retail credit; exception for small providers and business lending may apply |
Technical Documentation Requirements Once Classified High-Risk
Once you have determined your system is high-risk, Article 11 and Annex IV specify what your technical documentation must contain. This is not a summary sheet—it is a substantive technical file that a market surveillance authority must be able to audit. The required sections are:
- General description of the AI system including its intended purpose, version, and the names of providers and deployers.
- Description of the components, algorithms, and data inputs including data sources, characteristics, and processing pipeline.
- Development process documentation: design choices, validation and testing methodologies, data governance practices.
- Detailed description of the risk management system established under Article 9.
- Description of any changes made to the system through its lifecycle.
- List of harmonised standards applied, or description of solutions adopted to meet requirements where no harmonised standard exists.
- Copy of the EU declaration of conformity.
- Post-market monitoring plan.
The technical file must be kept up to date and held for 10 years after the system is placed on the market. It must be made available to competent authorities on request.