AI Systems That Influence Elections and Democratic Processes: High-Risk Classification Under EU AI Act Annex III
AI systems influencing elections or voting behaviour are high-risk under EU AI Act Annex III point 8(b). Deadline: 2 Dec 2027. Fines up to €15M or 3%.
Annex III, point 8(b) of the EU AI Act (Regulation (EU) 2024/1689) makes AI systems intended to influence the outcome of an election or referendum, or the voting behaviour of natural persons in the exercise of their vote, high-risk. That scope is deliberately narrow. Administrative tools used to organise campaign logistics, schedule canvassing, or manage donor databases fall outside it — the regulation targets systems whose output natural persons are directly exposed to and which are designed to sway how someone actually votes.
The practical consequence is stark: a microtargeting engine that pushes personalised political messaging directly to individual voters sits in the high-risk category. A back-office spreadsheet optimising campaign route planning does not. Whether your system lands on one side of that line or the other determines whether you face the full high-risk compliance stack — risk management under Article 9, technical documentation under Article 11, human oversight under Article 14, conformity assessment under Article 43, and deployer obligations under Article 26 — or effectively nothing mandatory at all.
The deadline for stand-alone high-risk AI systems in Annex III is 2 December 2027, under the Digital Omnibus agreed in May 2026, which deferred the original 2 August 2026 date. That is useful breathing room. It is not an invitation to defer classification work, because the documentation and conformity assessment cycle for a genuinely high-risk electoral system will consume most of that time.
What Annex III Point 8(b) Actually Covers
The statutory text is precise: "AI systems intended to be used to influence the outcome of an election or referendum, or the voting behaviour of natural persons in the exercise of their vote in elections or referenda."
Two elements matter. First, intent: the system must be designed (or specifically configured) to influence electoral outcomes or individual voting behaviour. A general-purpose content recommendation algorithm used across a news site is not captured solely because it happens to serve political content. It is captured if it is deployed with the purpose of steering readers toward or away from particular candidates or ballot positions.
Second, direct exposure: Annex III point 8(b) explicitly excludes "AI systems whose output natural persons are not directly exposed to." A tool that helps a campaign team analyse polling data internally, identify priority constituencies, or draft a communication schedule — without that output ever reaching voters directly — is not caught by 8(b). The moment the system generates personalised content, targeted ads, or voter-facing messaging, it crosses the line.
Examples within scope
- Political microtargeting tools that segment voters by predicted political inclination and serve personalised persuasion content directly to those individuals.
- AI-generated campaign messaging delivered at scale to voters via email, SMS, or social media — where the system determines both the message and the audience, and natural persons receive that output directly.
- Deepfake political video generators producing synthetic media of candidates or public figures for voter-facing distribution (these overlap with Article 50 transparency obligations on synthetic media, which apply from 2 August 2026, independently of the high-risk classification).
- Voter sentiment manipulation tools that identify psychographic profiles and adjust messaging in real time to exploit identified vulnerabilities, moving into Article 5(1)(a) prohibited territory if the distortion of behaviour is achieved through means that bypass rational agency and causes harm.
- Personalised chatbots designed for voter contact — where the chatbot's purpose is to present political positions, rebut objections to a candidate, or encourage turnout for one party.
Examples outside scope
- Campaign scheduling software that allocates canvassing time across neighbourhoods based on historical turnout data. The output is an operational timetable; voters are not exposed to it.
- Internal polling dashboards that aggregate survey results and display them to campaign managers. The system output does not reach natural persons in an electoral context.
- CRM systems used to manage volunteer coordination or fundraising — even if they use automated prioritisation — where the output is an internal priority list, not voter-facing content.
- Generic social media analytics tools that report engagement statistics. These describe what happened; they do not send output to voters to shape their behaviour.
The line is not always obvious in practice. A system that starts as an internal campaign planning tool but is then configured to auto-generate and publish social posts directly targeting voters has shifted into 8(b) territory. Under Article 25, if the deployer substantially modifies a system or changes its intended purpose in that way, they take on provider obligations.
The Boundary with Article 5: Prohibited Manipulation
Not every electoral AI system is merely high-risk. Article 5(1)(a) prohibits AI systems that use subliminal techniques beyond a person's consciousness, or other deceptive or manipulative techniques, to materially distort a person's behaviour in a way that causes or is reasonably likely to cause significant harm. This prohibition has applied since 2 February 2025.
The distinction between a high-risk electoral system under 8(b) and a prohibited manipulative system under Article 5(1)(a) turns on whether the influence operates transparently and through rational persuasion, or whether it bypasses conscious reasoning and causes harm. Targeted political advertising (showing a voter a policy argument relevant to their stated interests) is likely to be influence that falls in the high-risk tier and is permissible subject to compliance. A system that identifies psychological vulnerabilities (anxiety, identity threat, cognitive biases under stress) and exploits them covertly to distort the voter's choice is a candidate for the prohibition.
In practice, the boundary is contested and will depend on supervisory interpretation. The safer position for any system that reaches voters directly with political content is to map it against both Article 5(1)(a) and Annex III point 8(b), treat the more demanding obligation as the floor, and build the documentation to show it does not cross into prohibited manipulation.
Article 50 Transparency: The Earlier, Parallel Obligation
Separately from the high-risk classification, Article 50 imposes transparency obligations on certain systems that apply from 2 August 2026 — a year before the high-risk deadline.
Article 50(3) requires that synthetic audio, video, image, or text content generated by AI and intended for distribution to the public must be labelled as artificially generated or manipulated. This includes AI-generated political videos, audio deepfakes of candidates, and synthetically produced campaign materials. The obligation falls on the operator deploying the system, and it applies regardless of whether the underlying system is high-risk.
Article 50(4) covers AI systems that generate or manipulate content constituting a "deep fake" — the labelling requirement is explicit and the exemption for artistic or clearly satirical works is narrow. Political operators using AI-generated content at scale need an Article 50 compliance answer by August 2026, even before the broader high-risk obligations kick in.
Provider Obligations for High-Risk Electoral AI
If your system is within scope of Annex III point 8(b), and you develop it or place it on the market or put it into service under your own name, you are a provider under Article 16 with the following obligations.
Risk management system (Article 9)
Article 9 requires a risk management system that runs throughout the system's lifecycle. For electoral AI, the risks to document and address are specific: the system producing outputs that systematically skew against a protected group of voters; the system being manipulated through adversarial data inputs; failure modes that cause content to be served to the wrong audience; and the aggregated effect of the system at scale on the integrity of the vote.
Risk management under Article 9 is not a one-time pre-deployment document. It requires ongoing monitoring and updating. For a political microtargeting system, this means tracking how message content and targeting logic evolve across an election cycle and reassessing risks as conditions change.
Technical documentation (Article 11 and Annex IV)
Before placing the system on the market, providers must compile technical documentation per Article 11 and Annex IV. This covers: a general description of the system and its intended purpose; the data used for training, validation and testing with data governance documentation under Article 10; the design and architecture of the system; performance metrics and the results of accuracy and bias testing; the risk management plan; and post-market monitoring procedures.
For an electoral AI system, the data governance element under Article 10 is particularly exposed. Voter profile data used to train or operate the system carries GDPR dimensions alongside the EU AI Act requirements. Document where the training data came from, how it was validated for accuracy, and what bias testing was run across demographic groups.
Technical documentation must be kept for a minimum of 10 years after the system is placed on the market (Article 18).
Conformity assessment (Article 43)
Article 43 is the conformity assessment obligation — not Article 27, which is the Fundamental Rights Impact Assessment. For Annex III systems other than those in point 1 (biometrics), the standard route is the internal control procedure under Annex VI: the provider conducts self-assessment against the Chapter III requirements, documents the outcome, and signs the EU Declaration of Conformity under Article 47. The system must then be registered in the EU database under Article 49 before deployment.
Annex III point 8(b) systems do not generally require a notified-body assessment (that is reserved primarily for biometric systems under point 1 and for Annex I product-embedded systems). Internal self-assessment is the applicable route.
Registration (Article 49)
Before placing a high-risk system on the market or putting it into service, providers must register it in the EU database established under Article 71. The registration is a pre-deployment requirement, not a post-deployment formality.
Deployer Obligations
Most political organisations, campaign operators, and public election bodies that deploy third-party AI tools for electoral purposes are deployers under Article 26, not providers. The distinction matters because the obligations differ — and because deployer status can shift to provider status if the organisation substantially modifies the system or changes its intended purpose (Article 25).
Core deployer duties (Article 26)
Article 26 requires deployers to:
- Use the system in accordance with the provider's instructions for use.
- Assign human oversight to individuals with the competence, training, and authority to understand the system's outputs and intervene when needed (this is the Article 26 deployer obligation that mirrors the provider's Article 14 design obligation).
- Monitor the system in operation and report serious incidents or risks to the provider and, where required, to the competent authority.
- Keep logs of system operation for a minimum of six months (Article 26).
- Inform workers' representatives before deployment if the system is used in a workplace context (Article 26 — less directly relevant for electoral contexts but worth noting for campaigns with in-house technology teams).
For an election commission deploying a third-party voter-eligibility verification system, compliance with Article 26 means having trained staff who can override the system's outputs, a documented process for doing so, and retention of the operational logs for six months after each election cycle.
Fundamental Rights Impact Assessment (Article 27)
Article 27 requires a Fundamental Rights Impact Assessment before deployment. The duty applies to deployers that are public bodies, and also to deployers of high-risk systems in the creditworthiness (Annex III 5(b)) and life/health insurance (Annex III 5(c)) categories. Public election commissions and government bodies deploying high-risk electoral AI systems owe a FRIA under Article 27. Private campaign organisations and political parties do not face the Article 27 FRIA obligation — though they remain subject to all other deployer duties under Article 26.
The FRIA assesses impacts on the right to vote (EU Charter Article 39), freedom of expression (EU Charter Article 11), non-discrimination (EU Charter Article 21), and data protection rights. It must propose mitigation measures and document monitoring procedures. Complete it before deployment and update it if the system's use changes materially.
The Role-Shift Risk Under Article 25
Article 25 is the mechanism that can convert a deployer into a provider. If a political campaign takes a general-purpose language model, fine-tunes it on party messaging, and deploys it to voters under its own brand as a personalised voter contact bot, the campaign has substantially modified the system and changed its intended purpose. At that point, the campaign takes on provider obligations under Article 16 — including risk management, technical documentation, conformity assessment under Article 43, and registration under Article 49.
This is a live risk in the electoral context. Many campaigns will build on top of general-purpose AI tools. Whether that constitutes substantial modification triggering Article 25 depends on the degree of customisation and the change in intended purpose. A campaign that adds a custom prompt instructing a chatbot to support one party's positions, and deploys it at scale to individual voters, has likely crossed the Article 25 threshold.
How Confir Helps
Classifying an electoral AI system under Annex III point 8(b) — and distinguishing it from an internal campaign tool outside scope — is the kind of judgment that benefits from a structured intake process rather than an ad hoc legal opinion. Confir's rule-based classification engine walks you through plain-English questions about your system's purpose, output recipients, and deployment context, then applies Annex III logic to derive the risk tier and the role (provider under Article 16, or deployer under Article 26).
For confirmed high-risk systems, Confir drives a structured assessment across the obligation areas — risk classification and compliance (AIRC), data and technical robustness (AITR), transparency and human oversight (AITO), and governance and post-market monitoring (AIGM) — and generates the Article 11/Annex IV technical documentation pack and the Article 47 Declaration of Conformity. For public-body deployers, the Article 27 FRIA workflow is integrated. The classification and scoping logic is deterministic and rule-based: same intake answers, same result, with the rule that fired traceable in plain language. Pricing starts at €600 per year.
Frequently Asked Questions
Does Annex III point 8(b) apply to all AI used during an election campaign?
No. The scope is confined to systems whose output natural persons are directly exposed to, where the system is intended to influence how people vote or the outcome of an election or referendum. Internal campaign planning tools, logistics optimisation, scheduling software, and analytics dashboards used exclusively by campaign staff are outside scope because voters are not directly exposed to the output. The moment the system generates voter-facing content designed to sway electoral behaviour, it falls within point 8(b).
When is the compliance deadline for Annex III point 8(b) systems?
The deadline for stand-alone high-risk AI systems in Annex III — including point 8(b) electoral systems — is 2 December 2027, under the Digital Omnibus agreed in May 2026. That pushed the original 2 August 2026 date back by over a year. Separately, Article 50 transparency obligations for synthetic media and AI-generated content apply from 2 August 2026 and are not deferred — these run on a different clock.
What is the difference between a prohibited system under Article 5 and a high-risk system under point 8(b)?
Article 5(1)(a) prohibits AI that exploits subliminal or deceptive techniques to materially distort behaviour and cause significant harm — this has been in force since 2 February 2025. Annex III point 8(b) captures influence-on-elections systems that operate within the bounds of lawful persuasion but still pose significant risks. A system that uses transparent political messaging is high-risk; a system that covertly exploits psychological vulnerabilities to override rational agency and causes harm is prohibited. The line is not always clear in advance, which is why building documentation that maps your system against both Article 5(1)(a) and Article 6/Annex III from the outset is the defensible approach.
Which conformity assessment route applies to point 8(b) systems?
For most Annex III categories other than point 1 (biometrics), the conformity assessment route is internal self-assessment under Annex VI (Article 43). This means the provider documents compliance with the Chapter III requirements, conducts the self-assessment, signs the EU Declaration of Conformity under Article 47, and registers the system in the EU database under Article 49 before deployment. A notified body is not required for point 8(b) systems. This is meaningfully different from biometric systems (point 1), which generally require the Annex VII notified-body route.
Do political parties and campaign organisations need to conduct a Fundamental Rights Impact Assessment?
The Article 27 FRIA obligation applies to public bodies and a defined set of deployers in sensitive categories (creditworthiness, health/life insurance). Private political parties and campaign organisations are not within that scope. They still face all Article 26 deployer obligations — monitoring, logging for six months, human oversight, instructions-for-use compliance — but the FRIA is not mandatory for them. Public election commissions and government bodies deploying high-risk electoral AI systems do owe a FRIA.
What are the penalties for non-compliance with Annex III obligations?
Non-compliance with the high-risk obligations (failing to maintain a risk management system, omitting technical documentation, skipping conformity assessment, or failing deployer duties) carries a maximum fine under Article 99(4) of €15,000,000 or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. For companies under a certain size, Article 99(6) caps the fine at the lower of the percentage or the fixed amount. If the non-compliance constitutes a breach of the Article 5 prohibitions (operating a manipulative system that should never have been deployed), the ceiling rises to €35,000,000 or 7% under Article 99(3).
Does an AI system used in multiple countries need to comply separately in each EU member state?
No. The EU AI Act is a directly applicable EU regulation — one compliance framework across all 27 member states. However, national competent authorities will conduct market surveillance in their jurisdictions, and enforcement may occur in any member state where the system is deployed or its effects felt. Registering the system in the EU database under Article 49 is a single act that covers EU-wide deployment. National electoral laws may impose additional requirements specific to their context, but the AI Act obligations themselves are uniform across the EU.