What is a high-risk AI system under the EU AI Act?

What is a high-risk AI system under the EU AI Act?

The phrase "high-risk AI" is the most consequential classification in the EU AI Act. If your product falls into this category, you face a comprehensive set of obligations covering risk management, data quality, technical documentation, human oversight, and more. For CTOs building AI-powered products in Europe, understanding this definition is not optional, it is the starting point for your entire compliance strategy.

What the EU AI Act requires

Article 6 defines high-risk AI systems across two tracks. The first track covers AI systems that are a safety component of products already regulated under Union product safety legislation listed in Annex II (such as medical devices, machinery, and aviation equipment). The second and broader track covers AI systems listed directly in Annex III, regardless of whether they are embedded in a regulated product. Annex III currently covers eight domains: biometric identification and categorisation of persons (Point 1), critical infrastructure management such as water, gas, electricity (Point 2), education and vocational training including admissions and assessment tools (Point 3), employment and worker management including CV screening and performance monitoring (Point 4), access to essential private and public services including credit scoring and insurance risk assessment (Point 5), law enforcement (Point 6), migration and border management (Point 7), and administration of justice and democratic processes (Point 8). Compliance obligations for Annex III systems are set out in Articles 9 through 17 and apply from December 2, 2027, following the extension granted by the Digital Omnibus Act in May 2026.

What this means for your business

The most common high-risk categories for EU startups are Point 4 (employment) and Point 5 (access to services). A platform that automatically ranks, filters, or scores job candidates is high-risk under Point 4. A fintech that uses a model to assess creditworthiness or insurance eligibility is high-risk under Point 5. An edtech tool that evaluates student performance or determines access to educational pathways falls under Point 3. Importantly, Article 6(3) provides a self-assessment path: if your Annex III system does not pose a significant risk of harm to health, safety, or fundamental rights, you can document that determination and treat the system as limited-risk, provided you follow the procedure set out in Annex VIII. This nuance matters for startups whose AI features are genuinely low-stakes within a nominally high-risk category.

Steps to get compliant

1. Review every AI feature against each of the eight Annex III domains, being conservative in ambiguous cases: regulators will not credit narrow interpretations made without documented reasoning. 2. For any feature that touches Point 4 or Point 5, conduct an Article 9 risk management assessment and begin building the Article 11 technical documentation package. 3. Assess whether the Article 6(3) self-assessment exemption applies and, if so, document that assessment formally in writing. 4. Implement the human oversight measures required by Article 14 for high-risk systems, including the ability for human operators to override or halt system outputs.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener