Chapter 1 of 8

What counts as high-risk AI? The two routes into the EU AI Act's most regulated tier

15 min read

What counts as high-risk AI? Both Article 6 routes — Annex I safety components and the eight Annex III use cases — plus the agreed move to 2 December 2027.

Under Regulation (EU) 2024/1689, the EU AI Act, an AI system counts as high-risk when it passes one of the two legal tests set out in Article 6. Either it is a product, or a safety component of a product, covered by the Union harmonisation legislation listed in Annex I and subject to third-party conformity assessment (Article 6(1)); or it falls within one of the eight use-case areas listed in Annex III (Article 6(2)). Those are the only two routes into the tier. How sophisticated, novel or 'intelligent' the underlying model is plays no part in the test.

The classification matters because everything else in the Act hangs off it: the Articles 8–15 requirements, conformity assessment, CE marking, registration, deployer duties. As of June 2026 the statute still applies those obligations from 2 August 2026 for Annex III systems. The Digital Omnibus has agreed a deferral to 2 December 2027, but has not yet enacted it. Both routes, the exemption that filters them, and the exact status of those dates are unpacked below.

High-risk is a legal test, not a judgment about your model

High-risk does not describe the technology. It is a defined legal classification, and Article 6 sets the test. A plain logistic-regression model that scores loan applicants is high-risk, because creditworthiness assessment is listed in Annex III. A frontier chatbot used to draft marketing copy is not, because drafting marketing copy is not listed anywhere. What matters is what the system does to people. See high-risk AI system defined for the formal definition.

Classification attaches to the AI system in its context of use, not to the technology in the abstract. The same model can be high-risk in one deployment and out of scope in another. That is why classification is a per-system exercise, never a per-vendor or per-model one.

Article 6 creates exactly two routes into the tier. Route 1 (Article 6(1)) catches AI embedded in products regulated under Annex I. Route 2 (Article 6(2)) catches stand-alone systems used in the eight Annex III areas. A system is high-risk if it enters through either. The reliable method is therefore mechanical: run every system in your AI register through both routes, every time. That is the discipline behind this guide and behind the full risk classification guide.

Where high-risk sits in the EU AI Act's risk pyramid

The Act is risk-tiered: prohibited practices, high-risk systems, limited-risk transparency duties, minimal risk. High-risk is the most heavily regulated tier that remains legal to operate.

Above it: prohibited practices, Article 5

The Article 5 prohibitions sit above the high-risk tier and are banned outright: harmful manipulation, exploitation of vulnerabilities, social scoring, untargeted scraping of facial images and the other listed practices. They have applied since 2 February 2025 and carry the Act's top penalty tier, up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher (Article 99(3)).

Below it: limited-risk transparency (Article 50) and minimal risk

Below the tier, Article 50 transparency duties cover chatbots, emotion recognition, deepfakes and synthetic content. These are disclosure duties, not conformity assessment: tell people they are interacting with AI, label the synthetic output. The Digital Omnibus left most Article 50 duties unchanged; the content-marking and watermarking provisions apply from 2 December 2026.

Minimal-risk systems such as spam filters, inventory forecasting and most internal tooling carry no AI Act product obligations, though voluntary codes of conduct under Article 95 are encouraged.

One orientation point before the routes. 'Not high-risk' does not mean 'out of scope'. A customer-service chatbot can fall outside both Article 6 routes and still owe Article 50 disclosure. Escaping the high-risk tier answers one question, not all of them.

Route 1: Article 6(1), AI in products covered by Annex I

The two cumulative conditions

Under Article 6 classification rules, Route 1 applies when both of the following hold:

The AI system is itself a product, or is a safety component of a product, covered by the Union harmonisation legislation listed in Annex I; and
That product, or the AI system as a product, is required to undergo a third-party conformity assessment under that Annex I legislation.

The conditions are cumulative, and the second is decisive. If the relevant Annex I regime lets the manufacturer self-assess that product category without a notified body, Route 1 is not triggered, even where the AI clearly has safety implications.

What Annex I covers

Annex I lists the sectoral product laws: machinery, toys, lifts, radio equipment, pressure equipment, medical devices, in vitro diagnostics, motor vehicles, civil aviation, marine equipment, rail systems, agricultural and forestry vehicles, and equipment for explosive atmospheres, among others.

Who tends to be caught

The typical Route 1 system is an AI-based collision-avoidance function in machinery, a diagnostic algorithm inside a medical device, or a vision system steering a vehicle. In these configurations the product manufacturer usually takes the provider role for the embedded AI.

Deadline note: under the agreed Digital Omnibus, Annex I product-embedded high-risk obligations would apply from 2 August 2028, deferred from 2 August 2027. That change was agreed in May 2026 but is not yet law.

Route 2: Article 6(2), the eight Annex III use-case areas

Route 2 needs no physical product. Under Article 6(2), an AI system is high-risk if it falls within a use case listed in Annex III. Pure software, a SaaS platform, an internal tool or a procured system all qualify. Annex III explained walks through the full annex text.

The eight areas at a glance

Biometrics — remote biometric identification, biometric categorisation and emotion recognition.
Critical infrastructure — safety components in the management of road traffic and the supply of water, gas, heating, electricity and critical digital infrastructure.
Education and vocational training — admission and assignment, evaluating learning outcomes, exam proctoring.
Employment, workers management and access to self-employment — recruitment and selection, promotion and termination, task allocation, monitoring.
Access to essential private and public services — including creditworthiness evaluation and credit scoring (Annex III point 5(b)) and risk assessment and pricing for life and health insurance (point 5(c)).
Law enforcement — offending-risk assessment, evidence-reliability evaluation, profiling in investigations.
Migration, asylum and border control management — risk assessments, examination of applications, document verification.
Administration of justice and democratic processes — assisting judicial authorities in researching and applying the law; influencing elections or voting behaviour.

Annex III names use cases, not industries

Annex III is written around what the system does to people, not what sector the operating company is in. A logistics company running a CV-screening tool sits in Annex III point 4 just as squarely as an HR-tech vendor selling one. Systems get missed when teams screen by industry, so screen by use case instead.

The list is not frozen either. Article 7 lets the Commission amend the Annex III use cases by delegated act, so classification is something you revisit, not something you do once.

Deadline note: the statute still reads 2 August 2026 for Annex III high-risk systems; the agreed Omnibus deferral to 2 December 2027 is not yet law. The full status is treated in the comparison below.

The Article 6(3) filter, and the profiling rule that overrides it

The four exemption grounds

An Annex III-listed system escapes the tier under Article 6(3) if it does not pose a significant risk of harm to health, safety or fundamental rights, including by not materially influencing the outcome of decision-making. Four grounds qualify: the system performs a narrow procedural task; it improves the result of a previously completed human activity; it detects decision-making patterns or deviations without replacing or influencing the human assessment without proper review; or it performs a preparatory task to an Annex III assessment.

Profiling of natural persons is never exempt

The final subparagraph of Article 6(3) decides most borderline cases: an Annex III system that performs profiling of natural persons is always considered high-risk. The exemption is structurally unavailable. Scoring and ranking people in recruitment, credit, insurance or law-enforcement contexts is profiling, however 'narrow' or 'preparatory' the task is labelled. Apply this override first, because it shortcuts most exemption arguments before they start.

Document the call, Article 6(4)

A provider that concludes its Annex III system is exempt must document that assessment before placing the system on the market or putting it into service, and remains subject to the registration obligation in Article 49(2). National competent authorities can demand the documentation. In enforcement terms, an undocumented exemption is no exemption.

The draft Article 6(5) guidelines (May 2026)

The Commission's draft guidelines on high-risk classification, mandated by Article 6(5), were published on 19 May 2026. The targeted consultation runs until 23 June 2026, still open as of this writing, and the final version is expected later in 2026. The draft covers general classification principles, the Article 6(1)/Annex I route, and the Article 6(2)/Annex III route with practical in-and-out examples. One caveat belongs next to every citation: the draft guidelines are not legally binding, the final text may change, and authoritative interpretation of the Act rests with the Court of Justice of the EU.

The two routes side by side

Route	Legal basis	Trigger	Conformity path	Deadline
Route 1	Article 6(1)	AI is a product, or a safety component of a product, under Annex I — and that product requires third-party conformity assessment	AI Act assessment folded into the existing sectoral notified-body procedure (Article 43(3))	2 August 2028 agreed (deferred from 2 August 2027) — not yet law
Route 2	Article 6(2)	The system falls in one of the eight Annex III areas — unless Article 6(3) applies, which it never does for profiling	Internal control under Annex VI for most areas; notified-body assessment under Annex VII for biometrics	2 December 2027 agreed — statute still reads 2 August 2026

Digital Omnibus status: agreed, not yet law

The Digital Omnibus reached provisional political agreement on 6–7 May 2026, with the COREPER-confirmed text following around 13 May 2026. It still requires the European Parliament plenary vote, formal Council adoption and publication in the Official Journal. Until those steps complete, 2 August 2026 remains the law on the books for Annex III high-risk systems; Article 113 sets those application dates.

Two further points matter for planning. First, the new dates are fixed calendar dates: the 'stop the clock' proposal that would have tied commencement to the availability of harmonised standards was rejected, so the delay is not standards-contingent. Second, not everything moved. The Article 5 prohibitions have applied since 2 February 2025, the GPAI obligations in Articles 51–55 since 2 August 2025, and the Omnibus added a new fixed 2 December 2026 date for content marking together with the CSAM/'nudifier' ban.

So the deadlines differ by route. A company with an embedded Annex I system and a stand-alone Annex III system runs two different compliance clocks at once.

What a high-risk classification triggers, a preview

Classification is the gate, not the workload. The full obligations walkthrough is Chapter 5 of this guide. What follows is the shape of what a high-risk finding sets in motion.

Articles 8–15: the seven requirement clusters

A high-risk system must meet the Chapter III, Section 2 requirements: a risk management system (Article 9), data and data governance (Article 10), technical documentation per Annex IV (Article 11), record-keeping and logging (Article 12), transparency and instructions to deployers (Article 13), human oversight (Article 14), and accuracy, robustness and cybersecurity (Article 15).

Conformity assessment, CE marking, registration: Articles 43–49

Before placing the system on the market or putting it into service, the provider must pass conformity assessment (Article 43), draw up the EU declaration of conformity (Article 47), affix CE marking (Article 48) and register the system in the EU database (Article 49, the database established under Article 71).

Deployers are not off the hook: Articles 26 and 27

Deployers carry their own duties under Article 26, and certain deployers, including public bodies and some private operators of Annex III systems, must complete a fundamental rights impact assessment under Article 27.

Getting it wrong is priced into the Act. Non-compliance with most high-risk obligations is fined up to EUR 15 million or 3% of total worldwide annual turnover (Article 99(4)). Supplying incorrect, incomplete or misleading information to notified bodies or authorities, in a contested classification for example, is fined up to EUR 7.5 million or 1% (Article 99(5)).

Run every system in your register through both routes

Classification is a per-system, register-driven exercise. For each entry in your AI register, run the same screen, in the same order.

A repeatable five-step screen

Route 1 check. Is the system a product, or a safety component of a product, under Annex I legislation that requires third-party conformity assessment? If yes: high-risk via Article 6(1).
Route 2 check. Does the use case sit in any of the eight Annex III areas? Check the use case, not the industry.
Exemption test. If Annex III applies, test the four Article 6(3) grounds, applying the profiling override first. Profiling of natural persons ends the analysis: high-risk.
Document and register. Record the conclusion under Article 6(4) before market placement, and register where Article 49(2) requires.
Set a re-screen trigger. Annex III amendments under Article 7, the final Article 6(5) guidelines and the Omnibus becoming law should each re-open the file.

A system can enter through both routes at once, for example a biometric safety component inside a regulated product. Record both legal bases; they carry different conformity paths and different deadlines.

Deeper route-by-route walkthroughs sit in the full risk classification guide and in the chapters that follow: the Annex III deep dive, the exemption analysis and the obligations stack.

The decision you need to make: for every system in your AI register, determine and document which route, if any, puts it in the high-risk tier: Article 6(1), Article 6(2), both, or neither, with the Article 6(3) assessment recorded wherever you rely on it. Everything else in this guide assumes that call has been made per system, not per company.

How Confir helps

Confir's classification module runs each system in your AI register through both Article 6 routes as a structured intake: the Annex I two-condition test, the mapping against all eight Annex III areas, then the Article 6(3) exemption screen with the profiling override applied first. The engine is deterministic and rule-based, the same logic every time, with no model inference and no hallucination, and every conclusion is stored as an audit-ready Article 6(4) record alongside the Article 49(2) registration checklist. When Annex III changes under Article 7 or the final Article 6(5) guidelines land, the register flags which classifications need a re-screen.

Frequently Asked Questions

What is considered high-risk AI under the EU AI Act? An AI system is high-risk under Regulation (EU) 2024/1689 if it meets one of two tests in Article 6: it is a product, or a safety component of a product, covered by Annex I harmonisation legislation requiring third-party conformity assessment; or it falls within one of the eight use-case areas listed in Annex III, such as employment, credit scoring or biometrics.

What are the 8 high-risk categories in the EU AI Act? Annex III lists eight areas: biometrics; critical infrastructure; education and vocational training; employment and workers management; access to essential private and public services, including credit scoring and life and health insurance pricing; law enforcement; migration, asylum and border control; and administration of justice and democratic processes. A system in these areas is high-risk under Article 6(2) unless a narrow Article 6(3) exemption applies.

Is ChatGPT a high-risk AI system under the EU AI Act? Not by default. Classification attaches to the use, not the underlying model. ChatGPT used for drafting marketing copy is not high-risk; the same technology embedded in a CV-screening or credit-scoring workflow can make that system high-risk under Annex III. The general-purpose model itself carries separate GPAI obligations under Articles 51–55, in force since 2 August 2025.

What is the difference between prohibited AI and high-risk AI? Prohibited practices under Article 5 — such as social scoring and manipulative techniques causing significant harm — are banned outright, with fines up to EUR 35 million or 7% of worldwide turnover. High-risk systems under Article 6 remain legal but must satisfy the Articles 8–15 requirements, pass conformity assessment and be registered before being placed on the EU market.

When do the high-risk AI requirements start to apply? The statute currently says 2 August 2026 for Annex III high-risk systems. The Digital Omnibus, politically agreed in May 2026, would defer this to 2 December 2027, and Annex I product-embedded systems to 2 August 2028 — but as of June 2026 that deferral is not yet law, pending the European Parliament vote, Council adoption and Official Journal publication.

Is profiling always high-risk under the EU AI Act? Within Annex III, yes. Article 6(3) lets some systems escape the high-risk tier when they only perform narrow procedural or preparatory tasks — but its final subparagraph states the exemption never applies where an Annex III system performs profiling of natural persons. Profiling in recruitment, credit, insurance or law-enforcement contexts therefore stays high-risk regardless of how limited the task appears.

What happens if my AI system is classified as high-risk? The provider must meet the requirements of Articles 8–15 — risk management, data governance, technical documentation, logging, transparency, human oversight and accuracy — then pass a conformity assessment, draw up an EU declaration of conformity, affix CE marking and register the system in the EU database before market placement. Non-compliance carries fines up to EUR 15 million or 3% of worldwide turnover under Article 99(4).