EU AI Act Annex III: high-risk AI system categories explained

EU AI Act Annex III: high-risk AI system categories explained

Annex III is the list that determines whether your AI product carries the EU AI Act's most demanding compliance obligations. It defines the use-case categories where AI systems are presumed to present a high risk to health, safety, or fundamental rights. Unlike Annex I, which covers AI embedded in safety-critical physical products, Annex III covers software AI systems operating in sensitive societal domains. For CTOs and product leaders at EU startups, Annex III is the first document to read when assessing your compliance exposure, because the answer shapes every other decision: documentation burden, conformity assessment route, human oversight requirements, and timeline.

What the EU AI Act requires

Annex III currently lists eight categories of high-risk AI use cases. Category 1 covers biometric identification and categorisation systems, including remote biometric identification in public spaces and real-time systems used by law enforcement. Category 2 covers AI used in the management and operation of critical infrastructure, including road traffic, water, gas, and electricity systems. Category 3 covers AI used in education and vocational training, including systems that determine access to educational institutions or evaluate learners. Category 4 covers employment, worker management, and access to self-employment, including CV screening, candidate shortlisting, performance monitoring, and task allocation systems. Category 5 covers AI used in access to essential private services and public benefits, including credit scoring, insurance risk assessment, and social benefit eligibility. Category 6 covers AI used by law enforcement. Category 7 covers AI used in migration, asylum, and border control management. Category 8 covers AI used in the administration of justice and democratic processes. The Commission may add categories via delegated acts under Article 7. The compliance deadline for Annex III systems is December 2, 2027, extended from the original date via the Digital Omnibus Act in May 2026.

What this means for your business

Startups in recruitment technology (Category 4), fintech and insurtech (Category 5), healthtech (potentially Category 5 for insurance-adjacent products), and edtech (Category 3) are almost all operating in Annex III territory if their AI systems influence consequential decisions. The Category 4 scope is particularly broad: any AI system that filters, ranks, or recommends candidates in hiring, or that monitors employee performance or allocates tasks, is presumed high-risk. For startups selling AI tools to enterprise customers in these sectors, the compliance obligations sit with the system provider under Article 6, even if the deploying customer configures and operates the system. Article 6(3) provides a limited exemption where a provider can self-certify that an Annex III system does not pose a significant risk, but this requires documented justification and notification to authorities, and it carries its own legal risk if challenged.

Steps to get compliant

1. Map every AI feature in your product to the eight Annex III categories and document your classification rationale in writing, noting the specific category and sub-use-case where applicable.
2. For any system that falls within an Annex III category, initiate the full high-risk compliance workstream covering Articles 9 through 17, including risk management, data governance, technical documentation, transparency, human oversight, and quality management.
3. If you intend to claim the Article 6(3) significant-risk exemption for an Annex III system, prepare a written assessment demonstrating that the system does not pose a significant risk, and identify the relevant market surveillance authority for notification in your primary market.
4. Set a project milestone for December 2, 2027, working backwards from that date to allow adequate time for technical documentation, conformity assessment (including any third-party review required), and CE marking where applicable.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener