EU AI Act Article 6: high-risk AI classification rules
EU AI Act Article 6: high-risk AI classification rules
If you are building or deploying an AI system in Europe, Article 6 of the EU AI Act is where your compliance journey begins. It establishes the two-track classification framework that determines whether your system is subject to the full weight of high-risk obligations under Title III. For CTOs and product leaders at EU startups, getting this classification right is not a formality; it determines your entire compliance roadmap, your documentation burden, and your liability exposure before your product reaches a single user.
What the EU AI Act requires
Article 6 creates two pathways to a high-risk designation. Under Article 6(1), a system is automatically high-risk if it is a safety component of a product already covered by Union harmonisation legislation listed in Annex I (such as machinery, medical devices, or aviation equipment), and that product requires a third-party conformity assessment. Under Article 6(2), a system is high-risk if it falls into one of the use-case categories listed in Annex III, which covers areas including biometric identification, critical infrastructure management, education, employment, access to essential services, law enforcement, migration, and administration of justice. The Commission can update Annex III via delegated acts, meaning the list can expand. Article 6(3) provides a limited self-assessment exemption where providers can determine their Annex III system does not pose a significant risk, but this requires documented justification and notification to the relevant market surveillance authority.
What this means for your business
A startup building an AI-powered CV screening tool, an automated loan scoring engine, or a patient triage assistant almost certainly falls under Article 6(2) via Annex III categories covering employment, credit, and health respectively. The classification is not about how sophisticated your model is; it is about the domain and the decisions it influences. Misclassifying a system as non-high-risk when regulators determine otherwise exposes you to fines of up to EUR 15 million or 3% of global annual turnover under Article 99. The compliance deadline for Annex III high-risk systems is December 2, 2027, extended from the original date via the Digital Omnibus Act in May 2026, giving teams more time to prepare but no reason to delay classification work.
Steps to get compliant
1. Map every AI feature in your product to the Annex III categories and Annex I product list to determine which systems require a classification decision under Article 6.
2. For any system that plausibly fits an Annex III category, document your reasoning using the Article 6(3) criteria if you intend to claim a significant-risk exemption, and retain that documentation for market surveillance authorities.
3. If your system is high-risk, initiate the full compliance workstream covering Articles 9 through 17, including risk management, data governance, technical documentation, and human oversight.
4. Assign a named compliance owner internally and set a project milestone tied to the December 2, 2027 deadline, working backwards to allow time for conformity assessments if third-party review is required.
Free EU AI Act risk assessment
Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.