What is high-risk AI under the EU AI Act? Examples and criteria

What is high-risk AI under the EU AI Act? Examples and criteria

The EU AI Act's definition of "high-risk AI" is the classification that triggers the regulation's most demanding obligations. For product teams, it is also the most misunderstood. High-risk does not necessarily mean dangerous or powerful; it means the system is used in a context where errors could significantly harm people's rights, safety, or livelihoods. Many ordinary-seeming SaaS features fall into this category, and many powerful AI systems do not. Getting the definition right is the starting point for everything else.

What the EU AI Act requires

Article 6 defines the high-risk classification through two pathways. First, AI systems that are safety components of products regulated under existing EU safety legislation (Annex II) are automatically high-risk. Second, AI systems listed in Annex III are high-risk by category, regardless of technical complexity or company size. The eight Annex III categories are: biometric identification systems (Point 1); AI used in critical infrastructure like electricity, water, and transport (Point 2); AI in education including admissions, assessment, and monitoring of learners (Point 3); AI in employment including CV screening, interview evaluation, and performance monitoring (Point 4); AI in access to essential services including credit scoring, health benefit eligibility, and insurance risk assessment (Point 5); AI used in law enforcement (Point 6); AI in migration and border control (Point 7); and AI in judicial and democratic processes (Point 8). Compliance with Articles 9 to 17 is mandatory for these systems, with a December 2, 2027 deadline. Article 6(3) provides a self-assessment exemption for systems in these categories that demonstrably pose no significant risk.

What this means for your business

To make the definition concrete: a recruitment SaaS that uses AI to shortlist candidates is high-risk (Point 4). A fintech app that uses a model to approve or decline loan applications is high-risk (Point 5). An LMS platform that uses AI to assess whether a student passes or fails a module is high-risk (Point 3). A chatbot that helps customers find products in an online store is not high-risk. An AI writing assistant that helps engineers draft documentation is not high-risk. The sector examples that appear in Annex III reflect the EU legislature's view of where AI errors cause the most harm: employment, money, education, and essential services. If your product touches those domains through an automated decision or ranking, you should assume high-risk and document your reasoning if you believe an exemption applies.

Steps to get compliant

1. List every feature in your product that produces an output (score, ranking, decision, recommendation) that affects a user's employment, financial standing, education, or access to services, and treat each as potentially Annex III high-risk. 2. For each feature, assess whether the Article 6(3) self-assessment exemption is available by checking whether the system poses a genuine risk of harm to health, safety, or fundamental rights in its specific deployment context. 3. For confirmed high-risk systems, assign a DRI to own the Article 9 risk management plan and the Article 11 technical documentation, targeting drafts by end of Q3 2026 to leave time for review and gap-filling before December 2027. 4. For any high-risk system your company deploys rather than builds, ensure you have received Article 13 documentation from the provider and have implemented the required human oversight measures under Article 14.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener