AI in Education: Annex III Point 3 High-Risk Classification Under the EU AI Act

High-Risk Use Case · 23 May 2026 · 14 min read · 2,804 words

Annex III point 3 makes admission, grading, and proctoring AI high-risk. Deadline 2 December 2027. Emotion recognition in education is prohibited.

Annex III of the EU AI Act lists eight categories of AI systems that are automatically classified as high-risk. Point 3 covers education and vocational training. If your system determines who gets into a programme, evaluates how well a student is learning, or monitors behaviour during an exam, you are in this category — and the full high-risk compliance stack applies.

There is one boundary you need to understand before anything else: emotion recognition in educational institutions is not high-risk. It is prohibited. Article 5(1)(f) bans AI systems that infer the emotional states of natural persons in educational and workplace settings, with narrow exceptions for medical or safety purposes. An exam proctoring tool that flags "stress indicators" or "emotional disengagement" crosses that line. The fine ceiling for an Article 5 breach is €35,000,000 or 7% of total worldwide annual turnover under Article 99(3) — not the lower tier that applies to ordinary high-risk failures. That distinction matters.

This page covers the Annex III point 3 classification framework and the obligations it triggers. If you want sector context — how schools, universities, and EdTech companies fit into the Act more broadly — see the companion guide EU AI Act compliance for education: schools, universities, EdTech.


What Annex III Point 3 Actually Covers

The Act identifies four functions under point 3. Each is independently sufficient to trigger high-risk classification.

Point 3(a): determining access or admission to educational or vocational institutions. This captures systems that rank, score, or filter applicants. A tool that produces a ranked shortlist for a master's programme is in scope. So is an algorithm that assigns apprenticeship candidates to employers. The word "determine" is broad — if the system's output substantially shapes who advances, the classification follows.

Point 3(b): evaluating learning outcomes, including when used to steer the learning process. Automated essay scoring, competency assessments, and grade-prediction engines all qualify. So do adaptive learning platforms that decide which students advance to harder material: "steering the learning process" is explicit in the regulation. A plagiarism detector that flags text for human review without assigning a grade sits in a different position — but the moment a system produces a performance score that enters a student's record, it is squarely in 3(b).

Point 3(c): assessing the appropriate level of education a person will receive or can access. This point covers systems that sort students into tracks or tiers — for example, a system that recommends whether an incoming student should follow a vocational or academic pathway, or one that determines eligibility for remedial support. It is distinct from 3(b) (which is about measuring outcomes) and from 3(a) (which is about institutional entry). The target here is the decisions that shape a student's educational trajectory once they are already in the system.

Point 3(d): monitoring and detecting prohibited behaviour during tests. Exam proctoring tools that use computer vision to flag head movements, eye gaze, or unusual keyboard patterns are the clearest example. A system that records an exam session for later human review without AI-based analysis of the footage is not in scope. The classification applies to AI-driven behavioural detection, not video recording as such.

The Article 6(3) filter

A system that falls within an Annex III category is not automatically high-risk if it satisfies the Article 6(3) exemption — meaning it does not pose a significant risk of harm to health, safety, or fundamental rights. Grounds for exemption include: it performs a narrow procedural task; it improves the result of a previously completed human activity without influencing a new decision; it detects decision patterns without replacing human assessment; or it carries out preparatory work. One of these four conditions is enough — not all four.

The exemption is narrow in the education context. Systems that score applicants, grade work, or infer behaviour during exams directly affect access to education and the formal record of a person's academic performance — both of which are fundamental rights concerns. A provider claiming 3(a), 3(b), 3(c), or 3(d) scope with an Article 6(3) carve-out must document that assessment and register it under Article 49. Any system that profiles natural persons is always high-risk regardless of the exemption analysis.


The Prohibited Boundary: Emotion Recognition

Article 5(1)(f) has been in force since 2 February 2025. It prohibits AI systems that infer emotions of natural persons in:

  • educational institutions
  • workplaces

Exceptions apply only for medical reasons or safety purposes, where those purposes are enumerated by the system's intended use.

For exam proctoring, this creates a hard boundary. A proctoring system may detect that a candidate is looking away from the screen, has a second person in frame, or is using an unauthorised device. Those are behavioural observations tied to defined prohibited conduct. A proctoring system that infers anxiety, confidence, stress, or any emotional state — and uses that inference as a signal of potential cheating or disengagement — is different. That is emotion recognition in an educational institution, and it is banned.

Providers of proctoring tools, and deployers (schools and examination bodies) that configure or procure them, should audit the inference layer carefully. The fine for breaching Article 5 is €35,000,000 or 7% of worldwide annual turnover (Article 99(3)), considerably higher than the €15,000,000 or 3% that applies to ordinary high-risk compliance failures under Article 99(4).


Provider Obligations

If you develop or place an education AI system on the market under your name, you are a provider under Article 16. The high-risk stack under Articles 9 through 15 applies in full. The conformity assessment route for Annex III point 3 systems is Annex VI internal self-assessment — no notified body is required. (Annex III point 1 biometric systems follow the Annex VII notified-body route; education systems under point 3 do not.)

Risk management system (Article 9)

Article 9 requires a continuous, documented risk management process — not a one-off report. For education systems, the core risks to identify and assess include:

  • Algorithmic bias that systematically disadvantages students on protected grounds (language background, disability, socioeconomic status, ethnicity)
  • Training data that does not represent the population the system will assess — a common problem when a grading model trained on one national curriculum is sold to schools in another country
  • Performance degradation over time as student populations or curricula change
  • Inappropriate reliance on system outputs by educators who lack the expertise to challenge them
  • Data quality failures: incomplete records, stale baselines, erroneous input data

The risk management system must document identified risks, evaluate their likelihood and severity, specify mitigation measures, and confirm that residual risks are acceptable. It runs throughout the product lifecycle, not just pre-launch.

Technical documentation (Article 11, Annex IV)

Before placing the system on the EU market, providers must compile the Article 11 / Annex IV documentation pack. For education systems, this means:

  • System architecture and data-flow descriptions, including all third-party components
  • Training dataset specifications: size, composition, the student populations it represents, and the steps taken to address gaps
  • Performance metrics disaggregated by student subgroup — accuracy is not enough if it conceals disparate impact
  • Fairness analysis: quantified disparate impact across gender, ethnicity, language background, disability status, and any other characteristic relevant to the deployment context
  • Human oversight specifications: how educators can access, interpret, and override outputs; what happens when the system produces a low-confidence result

Providers are required to retain technical documentation for 10 years from placement on the market (Article 18). That is not a recommended retention period — it is a statutory minimum.

Transparency to deployers (Article 13)

Providers must supply deployers with instructions that are clear enough for the deploying institution to operate the system in compliance with the Act. For an essay-scoring tool sold to secondary schools, this includes: the system's accuracy and fairness characteristics, the student subgroups for which performance may differ, the conditions under which human review should be triggered, and the procedures for students to request an explanation or challenge an output.

Human oversight (Article 14)

Article 14 requires providers to design systems so that deployers can effectively oversee them. In practice, this means the system must communicate uncertainty or low-confidence results, must support meaningful human review rather than merely presenting an output that educators feel pressure to accept, and must allow qualified personnel to override outputs without the system treating the override as an error.

Data governance (Article 10)

Training, validation, and testing data must meet specific quality criteria: relevance to the intended purpose, sufficient representativeness, freedom from errors, and appropriate management of known gaps and shortcomings. For grading and admissions systems, this means providers must demonstrate that the datasets used to build and validate the model reflect the range of students the system will assess — not just the students of the schools or jurisdictions where the model was originally developed.


Deployer Obligations

Schools, universities, vocational training bodies, examination boards, and any other organisation that uses a point 3 system under its own authority are deployers under Article 26.

Deployers are often public bodies. That matters for two distinct obligations.

Fundamental Rights Impact Assessment (Article 27)

Article 27 requires certain deployers to conduct a Fundamental Rights Impact Assessment before deploying a high-risk AI system. The FRIA obligation applies to deployers that are public bodies, or that are private entities providing public services — which covers most schools, universities, and examination bodies in the EU. It also applies to any deployer of a creditworthiness system (Annex III 5(b)) or life/health insurance pricing system (Annex III 5(c)), but those are different categories.

For education deployers, the FRIA is a structured analysis of how the system may affect fundamental rights: the right to education, non-discrimination, data protection, and the rights of the child where minors are involved. Article 27(4) permits the FRIA to build on an existing GDPR Data Protection Impact Assessment (DPIA under GDPR Article 35) where one has already been conducted — they address overlapping ground, and there is no obligation to duplicate work, but they remain distinct documents with distinct purposes.

Informing affected persons (Article 26)

Deployers of high-risk AI systems in education must inform students (and, where relevant, parents or guardians) that they are subject to AI-assisted or AI-driven assessment. The information must be given before the assessment takes place. For minor students, GDPR considerations around parental consent and data minimisation apply in parallel.

Operational obligations (Article 26)

Under Article 26, deployers must:

  • Verify that the system is being used in accordance with the provider's instructions
  • Assign oversight responsibility to qualified staff — not just formally designate a role, but ensure the person has the competence to intervene
  • Log system outputs and decisions for at least six months (Article 26)
  • Report serious incidents to the provider, who carries the Article 73 duty to report to authorities
  • Suspend use if the system produces results that appear systematically incorrect or discriminatory

A secondary school with 300 students that deploys an AI essay-scoring tool is a deployer under Article 26 just as much as a national examination board. Size does not change the classification.

GDPR and data protection (minors)

Where students are minors, the intersection with GDPR is acute. Processing special-category data (disability, ethnicity, language background) to train or run a high-risk education system requires a lawful basis under GDPR Article 9. Schools operating as deployers that share student data with a provider are likely controllers or joint controllers, and the data processing arrangement must be governed by a written contract meeting GDPR Article 28 requirements. Data minimisation, purpose limitation, and storage limitation apply in full.


Compliance Timeline

Under the Digital Omnibus, agreed by Parliament and Council in May 2026, the application of high-risk obligations for stand-alone Annex III systems is 2 December 2027 — pushed back from the original 2 August 2026 date. The Annex III point 3 systems covered on this page follow that timeline.

The Article 5 prohibitions — including the emotion-recognition ban — have applied since 2 February 2025. That deadline has passed. Proctoring systems that breach Article 5(1)(f) are already in violation.

The 2 December 2027 high-risk deadline gives providers and deployers time to prepare, but the documentation work — risk management, technical file, FRIA, staff training under Article 4 — takes months. Starting in late 2027 is not realistic. The FRIA alone, where Article 27 applies, requires scoping, consultation with affected groups, and board or governance approval before deployment.


How Confir Helps

Confir's classification module walks you through Annex III point 3 scenarios in plain language: does the system determine access to an institution, evaluate learning outcomes, assess educational level, or detect prohibited exam behaviour? The same intake flags Article 5(1)(f) risk where proctoring features suggest emotion inference. The output is a documented classification finding — deterministic, rule-based, reproducible — that you can include in your technical file.

For deployers who are public bodies, Confir runs the Article 27 FRIA workflow: scoping, the structured rights analysis, and a print-ready assessment report. Providers get the Annex IV technical documentation template and the Article 47 / Annex V Declaration of Conformity generator.


Frequently Asked Questions

Is our learning management system high-risk under Annex III point 3?

It depends on what the LMS does. An LMS that hosts content, tracks completion rates, and records attendance is unlikely to trigger point 3 on its own — it is not evaluating learning outcomes in the sense the Act means. An LMS that uses AI to assign performance scores, predict student success, or recommend advancement to the next level crosses into point 3(b) or 3(c). Audit the AI-driven decision functions specifically, not the broader system.

Does a recommendation that educators can override still count as high-risk?

Yes. The Act does not exempt advisory systems. If the system evaluates a student's learning outcomes or recommends their educational level, it is within scope regardless of whether the institution can override it. The question is whether the output influences a decision affecting the student, not who has the final say.

Do we need a notified body to certify our education AI system?

No. Annex III point 3 systems use the Annex VI internal self-assessment route under Article 43. Providers conduct and document their own conformity assessment. No third-party notified body is required. (Annex III point 1 biometric systems are different — they generally require the Annex VII notified-body route.)

Our proctoring tool detects "stress" as a proxy for potential cheating. Is that allowed?

Inferring emotional states — including stress — of students during exams is prohibited under Article 5(1)(f), which has applied since 2 February 2025. The fact that stress is being used as a proxy for cheating rather than as an end in itself does not change the analysis: the system is still inferring an emotional state of a person in an educational institution. Remove that inference layer or the system is in breach.

Which students must we tell about the AI system?

Under Article 26, deployers must inform all persons who will be subject to the high-risk system before it operates. For minors, information should be provided to parents or guardians as well, and GDPR requirements around consent and data protection for children apply. There is no threshold based on stakes or age — the duty applies across the board.

What is the penalty for a deployer that ignores these obligations?

Deployer violations of Article 26 obligations fall under Article 99(4): up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. For deployers that are SMEs or start-ups, the fine is capped at the lower of the percentage or the fixed amount under Article 99(6). A breach of Article 5(1)(f) — deploying a prohibited emotion-recognition system — is Article 99(3): up to €35,000,000 or 7%.

Can we reuse a GDPR DPIA as our Article 27 FRIA?

Partially. Article 27(4) explicitly allows the FRIA to build on an existing DPIA. The two assessments address overlapping ground — data protection risks and fundamental rights risks often coincide. But a DPIA is scoped to data processing and GDPR rights; a FRIA is broader, covering all fundamental rights including the right to education, non-discrimination, and fair treatment. You can incorporate and cross-reference the DPIA, but the FRIA needs to address the additional scope explicitly.

