Annex III High-Risk AI Systems, Explained: All Eight Categories, Point by Point
All 8 Annex III high-risk AI categories explained, with the draft guidelines' in/out examples and the deadline caveat: the statute still says 2 August 2026.
Annex III of Regulation (EU) 2024/1689 lists the eight use-case areas that make an AI system high-risk under Article 6(2): biometrics, critical infrastructure, education, employment, essential private and public services, law enforcement, migration and border control, and the administration of justice and democratic processes. Classification turns on what your system is intended to do and in what context, not on how advanced the model behind it is.
This chapter walks through every lettered point in all eight areas, using the concrete in-scope and out-of-scope examples from the draft Commission guidelines published on 19 May 2026, and flags the misreads that trip up compliance teams. One caveat runs through the whole page: the statute still says 2 August 2026 for Annex III high-risk obligations, while the agreed but not yet enacted Digital Omnibus would move that date to 2 December 2027.
Annex III Is a List of Uses, Not a List of Technologies
How Article 6(2) Points to Annex III
Under Article 6(2), an AI system is high-risk when its intended purpose matches one of the use cases listed in Annex III. The Annex contains eight areas, each broken into lettered points, and the points are what matter. 'Point 4(a)' is a classification finding; 'employment-ish' is not. The test looks at purpose, context and impact on health, safety and fundamental rights, not at the technical architecture. A logistic regression and a frontier model are classified the same way if they serve the same Annex III purpose.
This chapter goes category by category. For the statutory text itself, see the Annex III overview; for the full Article 6(1)/6(2)/6(3) mechanics, see Article 6 classification rules.
What the Draft Commission Guidelines Add Under Article 6(5)
On 19 May 2026 the Commission published draft guidelines on high-risk classification under its Article 6(5) mandate, in three documents: general principles, Article 6(1) and Annex I, and Article 6(2) and Annex III with practical in-scope and out-of-scope examples. A targeted consultation is open until 23 June 2026, and the final version is expected later in 2026.
Two caveats apply before you rely on them. The guidelines are not legally binding; authoritative interpretation of the AI Act rests with the Court of Justice of the EU. And the Commission itself flags the examples as non-exhaustive and subject to updates over time. Every example in this chapter is attributed to the draft guidelines, and the final text may change.
The Timing Caveat: 2 August 2026 in the Statute, 2 December 2027 Agreed
As of June 2026, Article 113 still reads 2 August 2026 as the application date for Annex III high-risk obligations. The Digital Omnibus political agreement (6–7 May 2026, with the COREPER-confirmed text around 13 May 2026) would defer Article 6(2)/Annex III systems to 2 December 2027 and Article 6(1)/Annex I product-embedded systems to 2 August 2028, but the deferral is agreed, not enacted. The European Parliament plenary vote, formal Council adoption and Official Journal publication are still pending. The new dates are fixed calendar dates; the standards-contingent 'stop the clock' approach was rejected.
There is one more reason not to memorise the list. Article 7 lets the Commission amend Annex III by delegated act, so use cases can be added, modified or removed. Document your classification reasoning instead, because reasoning survives list changes.
Areas 1–2: Biometrics and Critical Infrastructure
Point 1 — Biometric Identification, Categorisation and Emotion Recognition
Annex III point 1(a) makes remote biometric identification systems high-risk. It carries an express exclusion for biometric verification whose sole purpose is confirming that a person is who they claim to be, meaning the 1:1 unlock or access-control check. The draft guidelines' in-scope example is gait recognition that compares stored movement profiles against CCTV footage to find or track individuals.
Point 1(b) covers biometric categorisation according to sensitive or protected attributes, based on inference of those attributes. The draft guidelines cite inferring health conditions from gait data and classifying people into disease stages.
Point 1(c) covers emotion recognition wherever it is not already prohibited. Here the draft guidelines cite voice analysis of tone, pitch and volume to measure customer satisfaction.
Two misreads to avoid. 'Biometric data' here is broader than the GDPR notion: per the draft guidelines, these points capture systems drawing inferences from biometric data beyond unique identification. And the verification carve-out applies only to point 1(a). It does not rescue categorisation or emotion recognition systems. For the deep dive, see biometric identification systems.
Where High-Risk Biometrics Ends and Article 5 Prohibitions Begin
Some biometric practices skip 'high-risk' entirely and land in the prohibitions, in force since 2 February 2025. Biometric categorisation that infers race, political opinions, trade union membership, religious beliefs, sex life or sexual orientation is prohibited under Article 5(1)(g). Emotion inference in workplaces and education institutions is prohibited under Article 5(1)(f), except for medical or safety reasons. Real-time remote biometric identification in publicly accessible spaces for law enforcement is prohibited under Article 5(1)(h), subject to narrow exceptions. If your system sits on one of these lines, the question is not which obligations apply but whether the use is lawful at all.
Point 2 — Safety Components in Critical Infrastructure
Annex III point 2 is narrower than most first reads assume. It covers AI used as a safety component in the management and operation of critical digital infrastructure, road traffic, or the supply of water, gas, heating or electricity. Per the draft guidelines, the system must directly protect physical integrity, whether of the infrastructure or of the people depending on it. Supportive, informational and optimisation tools such as demand forecasting, energy trading and maintenance planning fall outside, as do cybersecurity-only components that do not protect physical operation.
The draft guidelines also link point 2 to deployment by entities covered by the EU critical-entities framework. That narrowing reading is worth tracking through the consultation, since the final text may change. The common misread runs 'we sell to a utility, so we are high-risk.' The question is whether your AI is a safety component in operating the infrastructure, not who signs the contract.
Areas 3–4: Education and Employment
Point 3 — Education and Vocational Training
Annex III point 3 lists four uses, at all levels of education and vocational training: (a) determining admission or access, (b) evaluating learning outcomes, including where the evaluation steers the learning process, (c) assessing the appropriate level of education a person can receive, and (d) monitoring and detecting prohibited behaviour during tests (proctoring).
The draft guidelines draw the line at consequence. Summative evaluation is in scope: grading and qualification decisions that shape an educational trajectory. Formative tools that give ongoing feedback are out, as are voluntary training-progress quizzes analysed for learning feedback only, content recommendation inside a course, and administrative scheduling. The misread runs 'all edtech is high-risk.' It is not. Only the four lettered uses are.
Point 4 — Recruitment, Worker Management and Self-Employment
Annex III point 4(a) covers recruitment and selection, and the statute itself names targeted job advertisements, analysing and filtering applications, and evaluating candidates. The draft guidelines treat as in scope CV scoring, ranking and shortlisting where the scores drive hiring decisions; targeted job ads using profiling to decide who sees a vacancy; AI-scored interview answers; and candidate sourcing and matching. The full breakdown is in recruitment and CV screening AI.
Point 4(b) covers decisions affecting work relationships: promotion, termination, task allocation based on individual behaviour or personal traits, and monitoring or evaluating performance and behaviour. The draft guidelines treat as in scope shift schedulers using behavioural signals such as punctuality, acceptance rates and customer ratings that affect pay and progression; workload-allocation scoring; and dynamic pay-setting. See employee monitoring AI for that line of cases.
The Draft Guidelines' Employment In/Out List
The draft guidelines place several things out of scope for point 4: employer-brand advertising not linked to specific vacancies, candidate-side CV-tailoring tools, onboarding chatbots answering policy questions, interview-scheduling logistics, CV databases organised for search without scoring, retrospective bias audits run on anonymised historical data, and writing assistants polishing already-completed evaluations.
Two misreads are worth killing. The first runs 'a human makes the final call, so it is not high-risk.' The draft guidelines are explicit that human involvement does not change classification; human oversight is an Article 14 obligation that follows from being high-risk, not an escape from it. The second runs 'point 4 means employees only.' The draft guidelines extend it to work-related contractual relationships broadly, including platform workers, freelancers and access to self-employment.
Area 5: Essential Services — Benefits, Credit, Insurance, Emergency Response
Point 5(a) — Public Assistance and Benefits Eligibility
AI used by or on behalf of public authorities to evaluate eligibility for essential public assistance benefits and services, including healthcare, and to grant, reduce, revoke or reclaim them, is high-risk under Annex III point 5(a). The lifecycle wording matters: the point covers reductions, revocations and clawbacks, not just initial award decisions.
Point 5(b) — Creditworthiness and Credit Scoring
Evaluating the creditworthiness of natural persons or establishing their credit score is high-risk under point 5(b), with one carve-out for AI used to detect financial fraud. Per the draft guidelines the carve-out is narrow. A scoring component embedded in a larger lending workflow cannot be carved out to escape classification, because components contributing to a high-risk purpose are assessed as one system. See credit scoring AI.
Point 5(c) — Life and Health Insurance Risk Assessment and Pricing
Risk assessment and pricing for life and health insurance is high-risk under point 5(c). Two misreads recur here. The point covers only life and health lines; motor, property and liability pricing are not in point 5(c). And there is no fraud-detection carve-out in 5(c). That exception exists only in point 5(b), a distinction the law-firm first-reads of the draft guidelines consistently highlight.
Point 5(d) — Emergency Calls, Dispatch and Triage
Point 5(d) covers evaluating and classifying emergency calls, dispatching or prioritising the dispatch of emergency first response services such as police, firefighters and medical aid, and emergency healthcare patient triage systems.
The misread for the whole area runs 'point 5 is public-sector only.' Points 5(b) and 5(c) bind private lenders and insurers directly. Only 5(a) is conditioned on use by or on behalf of public authorities.
Areas 6–8: Law Enforcement, Migration, Justice and Elections
Point 6 — Law Enforcement
Annex III point 6 has five limbs, applying to systems used by or on behalf of law enforcement authorities, or by EU bodies supporting them: (a) assessing the risk of a person becoming a victim of crime, (b) polygraphs and similar tools, (c) assessing the reliability of evidence, (d) assessing the risk of offending or re-offending not solely on the basis of profiling, or assessing personality traits or past criminal behaviour, and (e) profiling within the meaning of Directive (EU) 2016/680 in the course of detection, investigation or prosecution.
Per the draft guidelines, 'law enforcement' is task-based, not authority-based, so private actors entrusted with law-enforcement tasks are caught. Pure search and indexing tools that do not assess evidence reliability sit out of scope. One boundary note: predicting an individual's criminal risk based solely on profiling or personality traits is prohibited under Article 5(1)(d). That practice is banned, not merely high-risk.
Point 7 — Migration, Asylum and Border Control
Annex III point 7 applies to systems used by or on behalf of competent public authorities or EU bodies in migration, asylum and border control management: (a) polygraphs and similar tools, (b) risk assessments of persons seeking entry, covering security, irregular-migration or health risk, (c) assisting in the examination of asylum, visa and residence-permit applications, including assessing the reliability of evidence, and (d) detecting, recognising or identifying persons, except verification of travel documents.
The misread runs 'only authorities are affected.' Deployment is conditioned on public authorities, but the vendor supplying the system is its provider and carries the provider obligations. Selling to a border agency does not outsource your classification.
Point 8 — Administration of Justice and Democratic Processes
Annex III point 8(a) covers AI assisting a judicial authority in researching and interpreting facts and the law and in applying the law to a concrete set of facts, or used the same way in alternative dispute resolution where the outcomes produce legal effects. Per the draft guidelines, purely administrative court tools such as case management, anonymisation and transcription logistics sit outside.
Point 8(b) covers AI intended to influence the outcome of an election or referendum, or the voting behaviour of natural persons. It carries an express exception for tools whose output people are not directly exposed to: systems organising, optimising and structuring political campaigns from an administrative or logistical standpoint. The misread runs 'campaign analytics are banned.' Back-office campaign tooling is neither prohibited nor high-risk under 8(b).
Master Table: In-Scope vs Out-of-Scope per the Draft Guidelines
How to Read the Table
Every example below comes from the draft guidelines of 19 May 2026. The targeted consultation runs until 23 June 2026, the Commission flags the examples as non-exhaustive and subject to updates, and the final text may change. Use the table as a mapping aid, not a legal determination.
| Annex III area | Typically in scope (draft guidelines) | Typically out of scope (draft guidelines) |
|---|---|---|
| 1. Biometrics | CCTV gait identification; customer-satisfaction voice analysis | 1:1 biometric verification (unlock, access) |
| 2. Critical infrastructure | Safety components operating water, gas, heating, electricity supply, road traffic, critical digital infrastructure | Demand forecasting, energy trading, maintenance planning; cybersecurity-only tools |
| 3. Education | Admission scoring; summative grading; proctoring | Formative feedback tools; course content recommendation; scheduling |
| 4. Employment | CV ranking and shortlisting; targeted job ads; behavioural shift scheduling; dynamic pay-setting | Interview scheduling; employer-brand ads; onboarding chatbots; searchable CV databases without scoring |
| 5. Essential services | Benefits eligibility; credit scoring; life and health insurance pricing; emergency triage | Financial fraud detection (point 5(b) carve-out only) |
| 6. Law enforcement | Victim risk assessment; evidence-reliability scoring; re-offending risk; 2016/680 profiling | Pure search and indexing tools |
| 7. Migration and borders | Visa and asylum application assistance; entry risk assessments | Travel-document verification |
| 8. Justice and democracy | Judicial fact-and-law analysis; election-influencing systems | Court administration; campaign logistics |
Not sure where your system lands? Run the 90-second high-risk check.
The Article 6(3) Filter and the Three Misreads That Do Not Work
The Four Exemption Conditions Under Article 6(3)
An Annex III match is not the end of the analysis. Under Article 6(3), a system listed in Annex III is not high-risk if it does not pose a significant risk of harm to health, safety or fundamental rights and meets at least one of four conditions. (a) It performs a narrow procedural task; the draft guidelines cite converting unstructured data into structured data, classifying documents and detecting duplicates. (b) It improves the result of a previously completed human activity, such as flagging errors in finalised work. (c) It detects decision-making patterns or deviations from prior patterns, without replacing or influencing a previously completed human assessment without proper review. (d) It performs a preparatory task such as indexing, searching or linking data for an assessment relevant to the Annex III use case. The draft guidelines state the conditions are to be interpreted strictly.
Profiling Closes the Filter
The second subparagraph of Article 6(3) is a hard stop. A system that performs profiling of natural persons is always high-risk, and no filter condition can rescue it. Per the draft guidelines, this excludes most HR scoring, credit evaluation and similar individual-evaluation tools from the filter before the four conditions are even reached.
Disclaimers, Human-in-the-Loop and Component-Splitting Do Not Work
Three escape routes fail. Terms-of-service disclaimers: per the draft guidelines, stating 'not for high-risk use' does not change classification when your marketing, instructions or capability presentation point at an Annex III use, because intended purpose is read across all of your documentation. Human-in-the-loop: a human reviewer does not move a system outside Annex III, because human oversight is an Article 14 compliance requirement, not a classification device. Component-splitting: where multiple AI components form one workflow whose joint outputs materially influence an Annex III decision, the draft guidelines treat them as one system that cannot be carved up. Note also Article 25: a third party that changes the intended purpose of a system already on the market can become its provider.
Using the filter also carries paperwork. Article 6(4) requires the provider to document the assessment before placing the system on the market or putting it into service, and Article 49(2) requires registration in the EU database. National competent authorities can demand that documentation.
Map Every System to a Point, or Rule It Out in Writing
A Four-Step Mapping Exercise
A defensible classification position takes four steps:
- Inventory your AI systems with their intended purpose as actually documented and marketed, not as you would describe it in a pitch.
- Test each system against the lettered points, not the area headings. The output of this step is 'point 4(a)' or 'no match', never 'employment-ish'.
- If a point matches, run the Article 6(3) filter honestly, starting with the profiling bar, which ends the analysis for most scoring and evaluation tools.
- Write the outcome down. A matched point starts the high-risk workstream. A ruled-out system needs the Article 6(4) written assessment and Article 49(2) registration if the filter was used.
What the Penalty Exposure Looks Like — Article 99
The penalty exposure makes the documentation worth it. Non-compliance with the high-risk obligations sits in the Article 99(4) tier: fines up to EUR 15 million or 3% of total worldwide annual turnover, whichever is higher. Supplying incorrect, incomplete or misleading information to notified bodies or authorities sits at Article 99(5): up to EUR 7.5 million or 1% of turnover. SMEs and start-ups benefit from the Article 99(6) proportionality cap, under which the lower of the two figures applies.
Deadlines to Plan Against Under Article 113 and the Omnibus Caveat
Here are the dates one more time, because they are the most common source of confusion in mid-2026. Prohibitions have applied since 2 February 2025 and GPAI rules since 2 August 2025, and the Omnibus did not move those. The statute still says 2 August 2026 for Annex III high-risk obligations. The agreed but not yet enacted Omnibus deferral moves that to 2 December 2027, with Annex I product-embedded systems following on 2 August 2028, both as fixed calendar dates. A separate 2 December 2026 deadline covers content-marking transparency and the new CSAM-related prohibition. Deployers should also pre-read Article 27: public bodies and certain private deployers, including users of point 5(b) credit scoring and point 5(c) insurance pricing systems, owe a fundamental rights impact assessment before first use.
Chapter 1 of this guide covered the two routes into Article 6 classification in full; the chapters that follow cover the obligations that attach once a system maps to a point.
The decision you need to make: assign every AI system in your inventory either a specific Annex III point or a documented, Article 6(4)-grade rule-out. Both outcomes are workable. An undocumented 'probably fine' is not, because the burden of explaining your classification lands on you the moment a national authority or an enterprise customer asks for it.
How Confir helps
Confir's classification workspace encodes Article 6(2), all eight Annex III areas and the Article 6(3) filter as a structured plain-English questionnaire. The engine is deterministic and rule-based: the same logic every time, no model inference, no hallucination. You describe each system's intended purpose; Confir maps it to the specific lettered Annex III point or rules it out, applies the profiling bar automatically, and generates the Article 6(4) assessment record you must hold before market placement, plus the registration trail under Article 49(2) where the filter is used. The rule set is versioned, so when the draft guidelines are finalised later in 2026 you can see exactly which interpretation each classification relied on.
Frequently Asked Questions
What are the eight categories of high-risk AI systems in Annex III? Annex III of Regulation (EU) 2024/1689 lists eight areas: biometrics; critical infrastructure; education and vocational training; employment and worker management; essential private and public services (including credit scoring and life and health insurance); law enforcement; migration, asylum and border control; and administration of justice and democratic processes. A system is high-risk under Article 6(2) when its intended purpose matches a specific lettered point within one of these areas.
Is credit scoring AI high-risk under the EU AI Act? Yes. Annex III point 5(b) classifies AI that evaluates the creditworthiness of natural persons or establishes their credit score as high-risk. The only carve-out is AI used to detect financial fraud. The draft Commission guidelines read that carve-out narrowly, and a scoring component embedded in a larger lending workflow cannot be carved out to escape classification.
Is emotion recognition prohibited or high-risk under the EU AI Act? Both, depending on context. Inferring emotions in workplaces and education institutions is prohibited under Article 5(1)(f), in force since 2 February 2025, except for medical or safety reasons. Elsewhere — the draft guidelines cite voice analysis measuring customer satisfaction — emotion recognition is high-risk under Annex III point 1(c) and carries the full set of high-risk obligations.
Are recruitment and CV screening tools high-risk under the EU AI Act? Yes. Annex III point 4(a) covers AI used for recruitment or selection, expressly including targeted job advertisements, analysing and filtering applications, and evaluating candidates. The draft guidelines treat CV scoring, ranking and shortlisting as high-risk, while interview scheduling, CV databases organised for search without scoring, and employer-brand advertising not linked to specific vacancies fall outside.
Can an AI system listed in Annex III avoid high-risk classification? Yes, via the Article 6(3) filter — if it only performs a narrow procedural task, improves a completed human activity, detects decision patterns without replacing human review, or performs a preparatory task. But a system that profiles natural persons is always high-risk, and the provider must document the assessment under Article 6(4) and register the system under Article 49(2).
When do the Annex III high-risk obligations start to apply? The statute currently says 2 August 2026. The Digital Omnibus political agreement of May 2026 would defer Annex III high-risk obligations to 2 December 2027 as a fixed calendar date, but as of June 2026 it has not completed the legislative process — the Parliament plenary vote, Council adoption and Official Journal publication are still pending. Plan against the agreed date, and track adoption.
Are the draft Commission guidelines on high-risk classification legally binding? No. The draft guidelines, published on 19 May 2026 under Article 6(5), are interpretive guidance only — authoritative interpretation of the AI Act rests with the Court of Justice of the EU. A targeted consultation is open until 23 June 2026, and the final version is expected later in 2026, so the in-scope and out-of-scope examples may still change.